Graphics Cards – The Next Big Thing for Password Cracking?

Interesting research from Elcomsoft, using the parallel processing capacity of graphics cards to speed up the password cracking process.

Pretty inventive thinking, as graphics cards get more and more powerful, and they are created to do massive parallel tasks for all the latest and greatest games, why not apply it to password cracking!

A technique for cracking computer passwords using inexpensive off-the-shelf computer graphics hardware is causing a stir in the computer security community.

Elcomsoft, a software company based in Moscow, Russia, has filed a US patent for the technique. It takes advantage of the “massively parallel processing” capabilities of a graphics processing unit (GPU) – the processor normally used to produce realistic graphics for video games.

Using an $800 graphics card from nVidia called the GeForce 8800 Ultra, Elcomsoft increased the speed of its password cracking by a factor of 25, according to the company’s CEO, Vladimir Katalov.

A top end graphics cards makes your cracking 25 times faster, now that’s a pretty impressive increase if you ask me. Worth investing for regular pen-testers who do a lot of cracking to test password strength.

The toughest passwords, including those used to log in to a Windows Vista computer, would normally take months of continuous computer processing time to crack using a computer’s central processing unit (CPU). By harnessing a $150 GPU – less powerful than the nVidia 8800 card – Elcomsoft says they can cracked in just three to five days. Less complex passwords can be retrieved in minutes, rather than hours or days.

Elcomsoft says it took three months to develop code to take advantage of a GPU, and the company plans to introduce the feature into some of its password cracking products over time.

I’ll be watching where this goes and will be interested to see if any open source tools come out capitalise on the GPU capability.

Source: New Scientist

Posted in: Hardware Hacking, Password Cracking Tools

, , ,

Latest Posts:

tko-subs - Detect & Takeover Subdomains With Dead DNS Records tko-subs – Detect & Takeover Subdomains With Dead DNS Records
tko-subs is a tool that helps you to detect & takeover subdomains with dead DNS records, this could be dangling CNAMEs point to hosting services and more.
Arcane - Tool To Backdoor iOS Packages (iPhone ARM) Arcane – Tool To Backdoor iOS Packages (iPhone ARM)
Arcane is a simple script tool to backdoor iOS packages (iPhone ARM) and create the necessary resources for APT repositories.
SharpHose - Asynchronous Password Spraying Tool SharpHose – Asynchronous Password Spraying Tool
SharpHose is an asynchronous password spraying tool in C# for Windows environments that takes into consideration fine-grained password policies and can be run over Cobalt Strike's execute-assembly.
Axiom - Pen-Testing Server For Collecting Bug Bounties Axiom – Pen-Testing Server For Collecting Bug Bounties
Project Axiom is a set of utilities for managing a small dynamic infrastructure setup for bug bounty, basically a pen-testing server out of the box with 1-line.
Quasar RAT - Windows Remote Administration Tool Quasar RAT – Windows Remote Administration Tool
Quasar is a fast and light-weight Windows remote administration tool coded in C#. Used for user support through day-to-day administrative work to monitoring.
Pingcastle - Active Directory Security Assessment Tool Pingcastle – Active Directory Security Assessment Tool
PingCastle is a Active Directory Security Assessment Tool designed to quickly assess the Active Directory security level based on a risk and maturity framework.

14 Responses to Graphics Cards – The Next Big Thing for Password Cracking?

  1. Goodpeople November 9, 2007 at 1:30 pm #

    This is very genius. Why didn’t I think of this? After all, password cracking comes down to raw computing power.

    I’d like to see the first password crackers to incorporate this technique.

  2. Bogwitch November 9, 2007 at 3:45 pm #

    As soon as I read this, it reminded me of Aspex Semiconductors – They make PCI boards with 4096 parallel processors running at 300MHz, supported with a small amount of RAM. I considered these for password cracking as the boards are (relatively) cheap. Unfortunately, the developers pack was (and maybe still is) rather expensive.

  3. dirty November 9, 2007 at 5:00 pm #

    Read this article a couple of weeks ago about this GPU cracking…
    My fav quote is from John Callas from Columbia University(NYC)…”Once you’ve shown you can do cryptography with a graphics card Latest News about graphics card, doing cryptanalysis with a graphics card is really the same sort of thing,” he reasoned.
    “Once you’ve heard you can make a frozen daiquiri with a blender, it’s like saying the frozen Pina Colada is a new invention,” he analogized. “It’s not really a new invention. It’s changing the ingredients and realizing the blender works that way.”

    Anyway its still interesting nonetheless and whether or not its patentable, I definitely think this is going to prove to be useful.

  4. Foo November 9, 2007 at 7:49 pm #

    Applying the vector processing of GPGPU for password cracking is as old as the talk of GPGPU’s. Schneier covered this a few weeks ago and the commentary was very good:

  5. James November 9, 2007 at 7:52 pm #

    Very old news Folding@home have being running code on GPU’s(ATI X1900,PS3

  6. normalsecrecy November 9, 2007 at 9:00 pm #

    so does this mean we need to be concerned about botnets exploiting graphics cards on sweet gamer pc setups? just think how powerful a distributed cracker would be. passwords would be jacked in seconds! scary cool development.

  7. Nobody_Holme November 10, 2007 at 3:04 pm #

    People with really fancy gaming rigs are usually fairly sensible, and thus immune to being botnetted… at least, I hope they are. I cant wait for the GPU manufacturers to come up with something to “stop” this…

  8. Pantagruel November 12, 2007 at 12:12 pm #

    Like -Foo- and -James- already mention, age old news. Both Nvidia and Ati released their GPU toolkits quite a while ago.
    Ofcourse I would be very interested to see the first p0wn3d SLI setup.
    It’s my guess however that PS3 owners will be a more suitable target, heaps of computing power, networked by default and quite a user base.
    All we have to do is wait for a real world PS3 exploit to turn them in to botnet drones.

  9. Nobody_Holme November 12, 2007 at 4:53 pm #

    That could be tasty… console owners suck at security mostly… Case in point is my housemate’s Wii… He runs it on our wireless network, the security settings on the switch for which are all off, to let me play… But the Wii itself looks to have no firewall or protection from malware at all… admittedly, neither does it have much proccessing power, but then, botnets dont need all that much power in each component if they have access to enough units, so…

    I think i’ll be watching network traffic more closely for a while now i’ve said this…

  10. Sir Henry December 14, 2007 at 6:45 pm #


    Have you seen any news out there about malware being crafted specifically for the Wii (or PS3 for that matter)? Not personally knowing the base OS/kernel for these consoles, I wonder what kinds of “proof-of-concept” examples are out there for these.

  11. eM3rC February 13, 2008 at 3:00 am #

    @Sir Henry
    No I have not heard of that. Sounds very interesting. I remember when cellphone viruses were a big deal. I guess the hackers have moved on.

    What would be the point of hacking a Wii or PS3 aside for pissing a lot of people off? I could see maybe with an XBox live account you could use the credit card on the account to buy a lot of games but other than that I still don’t see a reason for it.

  12. zupakomputer February 14, 2008 at 11:00 pm #

    re: taking over consoles – if that were done they could be used to do a lot of processing; the PS3s for example are utilised on a sort of passive sleep mode (unused clock cycles & when not in use) to do the folding@home mentioned.

    This topic area is bound to get all the more interesting as the graphics cards continue to get more powerful – there’s now triple SLI, and DDR3 RAM on them is more and more common.
    Also, the high-end gaming PC is becoming more common too with folks buying them off the shelf! So not as security-conscious as may be thought.
    Add in ever growing interest in bit-torrent and there’s a huge potential for those botnets to operate on.

    (not entirely on-topic but of interest – the gaming card Killer NIC is a linux-running network card that does packet prioritising for gaming, and enables things like down/up loading all without calling on the CPU; it was UDP-only on launch, but it comes with a kit – I’m not sure how much tweaking etc has been achieved as yet but it certainly caught my eye anyway when I read about it.)

  13. vxnuke May 6, 2009 at 10:38 am #

    There Is An Open Source Program Out There Now Its Called “PYRIT”

  14. Navin May 12, 2009 at 2:13 pm #

    Hey thanks vxnuke …..for those who wanna know more, chk out