Flutterby™! : Short passwords, fast hashes


Short passwords, fast hashes

2012-12-11 16:48:03.032662+00 by Dan Lyke 0 comments

25 GPU cluster can crack every standard Windows password in 6 hours.

It achieves the 350 billion-guess-per-second speed when cracking password hashes generated by the NTLM cryptographic algorithm that Microsoft has included in every version of Windows since Server 2003. As a result, it can try an astounding 95^8 combinations in just 5.5 hours, enough to brute force every possible eight-character password containing upper- and lower-case letters, digits, and symbols. Such password policies are common in many enterprise settings. The same passwords protected by Microsoft's LM algorithm—which many organizations enable for compatibility with older Windows versions—will fall in just six minutes.

In case anyone's wondering, Flutterby passwords are stored as SHA512 hashes. Of course we submit them (and the cookie which identifies you) via unencrypted HTTP, mostly because I don't think the modern CA system actually makes HTTPS all that secure.
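An added example, not Flutterby's code: the arithmetic behind the quoted figures (95 printable characters, length 8, 350 billion guesses per second), and a salted PBKDF2-HMAC-SHA512 storage scheme that makes each guess cost many SHA-512 calls instead of one. The 200,000-iteration count and the linear "guesses per second divided by iterations" cost model are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Figures quoted in the post (constructed inputs for the calculation):
# 95 printable ASCII symbols, 8 characters, 350 billion NTLM guesses/s.
CHARSET = 95
LENGTH = 8
NTLM_GUESSES_PER_SEC = 350_000_000_000

# Assumed work factor (not a Flutterby setting): SHA-512 calls per guess.
ITERATIONS = 200_000


def keyspace(charset_size, length):
    """Number of candidates an exhaustive search must try."""
    return charset_size ** length


def hours_to_exhaust(charset_size, length, guesses_per_sec, work_factor=1):
    """Hours to try every candidate.  work_factor is the number of underlying
    hash invocations per guess: 1 for a bare NTLM/SHA-512 hash, N for an
    N-iteration PBKDF2 (idealised: assumes cost scales linearly with N)."""
    return keyspace(charset_size, length) * work_factor / guesses_per_sec / 3600


def hash_password(password, salt=None):
    """Per-user random salt + PBKDF2-HMAC-SHA512, stored as one '$'-separated
    string so the parameters travel with the hash."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha512$%d$%s$%s" % (ITERATIONS, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute with the stored salt/iterations; constant-time compare."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    fast = hours_to_exhaust(CHARSET, LENGTH, NTLM_GUESSES_PER_SEC)
    slow = hours_to_exhaust(CHARSET, LENGTH, NTLM_GUESSES_PER_SEC, ITERATIONS)
    print("keyspace: %d" % keyspace(CHARSET, LENGTH))
    print("bare fast hash: %.1f hours" % fast)
    print("PBKDF2 x%d: %.0f years" % (ITERATIONS, slow / 24 / 365))
    rec = hash_password("correct horse battery staple")
    print("verify ok:", verify_password("correct horse battery staple", rec))
```

An unsalted SHA-512 sits in the same class as NTLM here: one cheap hash per guess, so the keyspace arithmetic above is the only thing standing between the attacker and the password.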

[ related topics: Humor Microsoft moron Law ]
