Graphics Cards – The Next Big Thing for Password Cracking?

Interesting research from Elcomsoft, using the parallel processing capacity of graphics cards to speed up the password cracking process.

Pretty inventive thinking, as graphics cards get more and more powerful, and they are created to do massive parallel tasks for all the latest and greatest games, why not apply it to password cracking!

A technique for cracking computer passwords using inexpensive off-the-shelf computer graphics hardware is causing a stir in the computer security community.

Elcomsoft, a software company based in Moscow, Russia, has filed a US patent for the technique. It takes advantage of the “massively parallel processing” capabilities of a graphics processing unit (GPU) – the processor normally used to produce realistic graphics for video games.

Using an $800 graphics card from nVidia called the GeForce 8800 Ultra, Elcomsoft increased the speed of its password cracking by a factor of 25, according to the company’s CEO, Vladimir Katalov.

A top end graphics cards makes your cracking 25 times faster, now that’s a pretty impressive increase if you ask me. Worth investing for regular pen-testers who do a lot of cracking to test password strength.

The toughest passwords, including those used to log in to a Windows Vista computer, would normally take months of continuous computer processing time to crack using a computer’s central processing unit (CPU). By harnessing a $150 GPU – less powerful than the nVidia 8800 card – Elcomsoft says they can cracked in just three to five days. Less complex passwords can be retrieved in minutes, rather than hours or days.

Elcomsoft says it took three months to develop code to take advantage of a GPU, and the company plans to introduce the feature into some of its password cracking products over time.

I’ll be watching where this goes and will be interested to see if any open source tools come out capitalise on the GPU capability.

Source: New Scientist

Posted in: Hardware Hacking, Password Cracking

, , ,

Latest Posts:

Mosca - Manual Static Analysis Tool To Find Bugs Mosca – Manual Static Analysis Tool To Find Bugs
Mosca is a manual static analysis tool written in C designed to find bugs in the code before it is compiled, much like a grep unix command.
Slurp - Amazon AWS S3 Bucket Enumerator Slurp – Amazon AWS S3 Bucket Enumerator
Slurp is a blackbox/whitebox S3 bucket enumerator written in Go that can use a permutations list to scan externally or an AWS API to scan internally.
US Government Cyber Security Still Inadequate US Government Cyber Security Still Inadequate
Surprise, surprise, surprise - an internal audit of the US Government cyber security situation has uncovered widespread weaknesses, legacy systems and poor adoption of cyber controls and tooling.
BloodHound - Hacking Active Directory Trust Relationships BloodHound – Hacking Active Directory Trust Relationships
BloodHound is for hacking active directory trust relationships and it uses graph theory to reveal the hidden and often unintended relationships within an AD environment.
SecLists - Usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells SecLists – Usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells
SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place.
DeepSound - Audio Steganography Tool DeepSound – Audio Steganography Tool
DeepSound is an audio steganography tool and audio converter that hides secret data into audio files, the application also enables you to extract from files.

14 Responses to Graphics Cards – The Next Big Thing for Password Cracking?

  1. Goodpeople November 9, 2007 at 1:30 pm #

    This is very genius. Why didn’t I think of this? After all, password cracking comes down to raw computing power.

    I’d like to see the first password crackers to incorporate this technique.

  2. Bogwitch November 9, 2007 at 3:45 pm #

    As soon as I read this, it reminded me of Aspex Semiconductors – They make PCI boards with 4096 parallel processors running at 300MHz, supported with a small amount of RAM. I considered these for password cracking as the boards are (relatively) cheap. Unfortunately, the developers pack was (and maybe still is) rather expensive.

  3. dirty November 9, 2007 at 5:00 pm #

    Read this article a couple of weeks ago about this GPU cracking…
    My fav quote is from John Callas from Columbia University(NYC)…”Once you’ve shown you can do cryptography with a graphics card Latest News about graphics card, doing cryptanalysis with a graphics card is really the same sort of thing,” he reasoned.
    “Once you’ve heard you can make a frozen daiquiri with a blender, it’s like saying the frozen Pina Colada is a new invention,” he analogized. “It’s not really a new invention. It’s changing the ingredients and realizing the blender works that way.”

    Anyway its still interesting nonetheless and whether or not its patentable, I definitely think this is going to prove to be useful.

  4. Foo November 9, 2007 at 7:49 pm #

    Applying the vector processing of GPGPU for password cracking is as old as the talk of GPGPU’s. Schneier covered this a few weeks ago and the commentary was very good:

  5. James November 9, 2007 at 7:52 pm #

    Very old news Folding@home have being running code on GPU’s(ATI X1900,PS3

  6. normalsecrecy November 9, 2007 at 9:00 pm #

    so does this mean we need to be concerned about botnets exploiting graphics cards on sweet gamer pc setups? just think how powerful a distributed cracker would be. passwords would be jacked in seconds! scary cool development.

  7. Nobody_Holme November 10, 2007 at 3:04 pm #

    People with really fancy gaming rigs are usually fairly sensible, and thus immune to being botnetted… at least, I hope they are. I cant wait for the GPU manufacturers to come up with something to “stop” this…

  8. Pantagruel November 12, 2007 at 12:12 pm #

    Like -Foo- and -James- already mention, age old news. Both Nvidia and Ati released their GPU toolkits quite a while ago.
    Ofcourse I would be very interested to see the first p0wn3d SLI setup.
    It’s my guess however that PS3 owners will be a more suitable target, heaps of computing power, networked by default and quite a user base.
    All we have to do is wait for a real world PS3 exploit to turn them in to botnet drones.

  9. Nobody_Holme November 12, 2007 at 4:53 pm #

    That could be tasty… console owners suck at security mostly… Case in point is my housemate’s Wii… He runs it on our wireless network, the security settings on the switch for which are all off, to let me play… But the Wii itself looks to have no firewall or protection from malware at all… admittedly, neither does it have much proccessing power, but then, botnets dont need all that much power in each component if they have access to enough units, so…

    I think i’ll be watching network traffic more closely for a while now i’ve said this…

  10. Sir Henry December 14, 2007 at 6:45 pm #


    Have you seen any news out there about malware being crafted specifically for the Wii (or PS3 for that matter)? Not personally knowing the base OS/kernel for these consoles, I wonder what kinds of “proof-of-concept” examples are out there for these.

  11. eM3rC February 13, 2008 at 3:00 am #

    @Sir Henry
    No I have not heard of that. Sounds very interesting. I remember when cellphone viruses were a big deal. I guess the hackers have moved on.

    What would be the point of hacking a Wii or PS3 aside for pissing a lot of people off? I could see maybe with an XBox live account you could use the credit card on the account to buy a lot of games but other than that I still don’t see a reason for it.

  12. zupakomputer February 14, 2008 at 11:00 pm #

    re: taking over consoles – if that were done they could be used to do a lot of processing; the PS3s for example are utilised on a sort of passive sleep mode (unused clock cycles & when not in use) to do the folding@home mentioned.

    This topic area is bound to get all the more interesting as the graphics cards continue to get more powerful – there’s now triple SLI, and DDR3 RAM on them is more and more common.
    Also, the high-end gaming PC is becoming more common too with folks buying them off the shelf! So not as security-conscious as may be thought.
    Add in ever growing interest in bit-torrent and there’s a huge potential for those botnets to operate on.

    (not entirely on-topic but of interest – the gaming card Killer NIC is a linux-running network card that does packet prioritising for gaming, and enables things like down/up loading all without calling on the CPU; it was UDP-only on launch, but it comes with a kit – I’m not sure how much tweaking etc has been achieved as yet but it certainly caught my eye anyway when I read about it.)

  13. vxnuke May 6, 2009 at 10:38 am #

    There Is An Open Source Program Out There Now Its Called “PYRIT”

  14. Navin May 12, 2009 at 2:13 pm #

    Hey thanks vxnuke …..for those who wanna know more, chk out