Graphics Cards – The Next Big Thing for Password Cracking?

Interesting research from Elcomsoft, using the parallel processing capacity of graphics cards to speed up the password cracking process.

Pretty inventive thinking, as graphics cards get more and more powerful, and they are created to do massive parallel tasks for all the latest and greatest games, why not apply it to password cracking!

A technique for cracking computer passwords using inexpensive off-the-shelf computer graphics hardware is causing a stir in the computer security community.

Elcomsoft, a software company based in Moscow, Russia, has filed a US patent for the technique. It takes advantage of the “massively parallel processing” capabilities of a graphics processing unit (GPU) – the processor normally used to produce realistic graphics for video games.

Using an $800 graphics card from nVidia called the GeForce 8800 Ultra, Elcomsoft increased the speed of its password cracking by a factor of 25, according to the company’s CEO, Vladimir Katalov.

A top end graphics cards makes your cracking 25 times faster, now that’s a pretty impressive increase if you ask me. Worth investing for regular pen-testers who do a lot of cracking to test password strength.

The toughest passwords, including those used to log in to a Windows Vista computer, would normally take months of continuous computer processing time to crack using a computer’s central processing unit (CPU). By harnessing a $150 GPU – less powerful than the nVidia 8800 card – Elcomsoft says they can cracked in just three to five days. Less complex passwords can be retrieved in minutes, rather than hours or days.

Elcomsoft says it took three months to develop code to take advantage of a GPU, and the company plans to introduce the feature into some of its password cracking products over time.

I’ll be watching where this goes and will be interested to see if any open source tools come out capitalise on the GPU capability.

Source: New Scientist

Posted in: Hardware Hacking, Password Cracking Tools

, , ,

Latest Posts:

Socialscan - Command-Line Tool To Check For Email And Social Media Username Usage Socialscan – Command-Line Tool To Check For Email And Social Media Username Usage
socialscan is an accurate command-line tool to check For email and social media username usage on online platforms, given an email address or username,
CFRipper - CloudFormation Security Scanning & Audit Tool CFRipper – CloudFormation Security Scanning & Audit Tool
CFRipper is a Python-based Library and CLI security analyzer that functions as an AWS CloudFormation security scanning and audit tool
CredNinja - Test Credential Validity of Dumped Credentials or Hashes CredNinja – Test Credential Validity of Dumped Credentials or Hashes
CredNinja is a tool to quickly test credential validity of dumped credentials (or hashes) across an entire network or domain very efficiently.
assetfinder - Find Related Domains and Subdomains assetfinder – Find Related Domains and Subdomains
assetfinder is a Go-based tool to find related domains and subdomains that are related to a given domain from a variety of sources including Facebook and more.
Karkinos - Beginner Friendly Penetration Testing Tool Karkinos – Beginner Friendly Penetration Testing Tool
Karkinos is a light-weight Beginner Friendly Penetration Testing Tool, which is basically a 'Swiss Army Knife' for pen-testing and/or hacking CTF's.
Aclpwn.Py - Exploit ACL Based Privilege Escalation Paths in Active Directory Aclpwn.Py – Exploit ACL Based Privilege Escalation Paths in Active Directory is a tool that interacts with BloodHound< to identify and exploit ACL based privilege escalation paths.

14 Responses to Graphics Cards – The Next Big Thing for Password Cracking?

  1. Goodpeople November 9, 2007 at 1:30 pm #

    This is very genius. Why didn’t I think of this? After all, password cracking comes down to raw computing power.

    I’d like to see the first password crackers to incorporate this technique.

  2. Bogwitch November 9, 2007 at 3:45 pm #

    As soon as I read this, it reminded me of Aspex Semiconductors – They make PCI boards with 4096 parallel processors running at 300MHz, supported with a small amount of RAM. I considered these for password cracking as the boards are (relatively) cheap. Unfortunately, the developers pack was (and maybe still is) rather expensive.

  3. dirty November 9, 2007 at 5:00 pm #

    Read this article a couple of weeks ago about this GPU cracking…
    My fav quote is from John Callas from Columbia University(NYC)…”Once you’ve shown you can do cryptography with a graphics card Latest News about graphics card, doing cryptanalysis with a graphics card is really the same sort of thing,” he reasoned.
    “Once you’ve heard you can make a frozen daiquiri with a blender, it’s like saying the frozen Pina Colada is a new invention,” he analogized. “It’s not really a new invention. It’s changing the ingredients and realizing the blender works that way.”

    Anyway its still interesting nonetheless and whether or not its patentable, I definitely think this is going to prove to be useful.

  4. Foo November 9, 2007 at 7:49 pm #

    Applying the vector processing of GPGPU for password cracking is as old as the talk of GPGPU’s. Schneier covered this a few weeks ago and the commentary was very good:

  5. James November 9, 2007 at 7:52 pm #

    Very old news Folding@home have being running code on GPU’s(ATI X1900,PS3

  6. normalsecrecy November 9, 2007 at 9:00 pm #

    so does this mean we need to be concerned about botnets exploiting graphics cards on sweet gamer pc setups? just think how powerful a distributed cracker would be. passwords would be jacked in seconds! scary cool development.

  7. Nobody_Holme November 10, 2007 at 3:04 pm #

    People with really fancy gaming rigs are usually fairly sensible, and thus immune to being botnetted… at least, I hope they are. I cant wait for the GPU manufacturers to come up with something to “stop” this…

  8. Pantagruel November 12, 2007 at 12:12 pm #

    Like -Foo- and -James- already mention, age old news. Both Nvidia and Ati released their GPU toolkits quite a while ago.
    Ofcourse I would be very interested to see the first p0wn3d SLI setup.
    It’s my guess however that PS3 owners will be a more suitable target, heaps of computing power, networked by default and quite a user base.
    All we have to do is wait for a real world PS3 exploit to turn them in to botnet drones.

  9. Nobody_Holme November 12, 2007 at 4:53 pm #

    That could be tasty… console owners suck at security mostly… Case in point is my housemate’s Wii… He runs it on our wireless network, the security settings on the switch for which are all off, to let me play… But the Wii itself looks to have no firewall or protection from malware at all… admittedly, neither does it have much proccessing power, but then, botnets dont need all that much power in each component if they have access to enough units, so…

    I think i’ll be watching network traffic more closely for a while now i’ve said this…

  10. Sir Henry December 14, 2007 at 6:45 pm #


    Have you seen any news out there about malware being crafted specifically for the Wii (or PS3 for that matter)? Not personally knowing the base OS/kernel for these consoles, I wonder what kinds of “proof-of-concept” examples are out there for these.

  11. eM3rC February 13, 2008 at 3:00 am #

    @Sir Henry
    No I have not heard of that. Sounds very interesting. I remember when cellphone viruses were a big deal. I guess the hackers have moved on.

    What would be the point of hacking a Wii or PS3 aside for pissing a lot of people off? I could see maybe with an XBox live account you could use the credit card on the account to buy a lot of games but other than that I still don’t see a reason for it.

  12. zupakomputer February 14, 2008 at 11:00 pm #

    re: taking over consoles – if that were done they could be used to do a lot of processing; the PS3s for example are utilised on a sort of passive sleep mode (unused clock cycles & when not in use) to do the folding@home mentioned.

    This topic area is bound to get all the more interesting as the graphics cards continue to get more powerful – there’s now triple SLI, and DDR3 RAM on them is more and more common.
    Also, the high-end gaming PC is becoming more common too with folks buying them off the shelf! So not as security-conscious as may be thought.
    Add in ever growing interest in bit-torrent and there’s a huge potential for those botnets to operate on.

    (not entirely on-topic but of interest – the gaming card Killer NIC is a linux-running network card that does packet prioritising for gaming, and enables things like down/up loading all without calling on the CPU; it was UDP-only on launch, but it comes with a kit – I’m not sure how much tweaking etc has been achieved as yet but it certainly caught my eye anyway when I read about it.)

  13. vxnuke May 6, 2009 at 10:38 am #

    There Is An Open Source Program Out There Now Its Called “PYRIT”

  14. Navin May 12, 2009 at 2:13 pm #

    Hey thanks vxnuke …..for those who wanna know more, chk out