Slashdot is reporting the story:
a cluster of five, 4U servers equipped with 25 AMD Radeon GPUs communicating at 10 Gbps and 20 Gbps over Infiniband switched fabric. Gosney’s system elevates password cracking to the next level, and effectively renders even the strongest passwords protected with weaker encryption algorithms, like Microsoft’s LM and NTLM, obsolete. In a test, the researcher’s system was able to generate 348 billion NTLM password hash checks per second. That renders even the most secure password vulnerable to compute-intensive brute force and wordlist (or dictionary) attacks. A 14 character Windows XP password hashed using LM for example, would fall in just six minutes
[…]
Gosney’s cluster cranks out more than 77 million brute force attempts per second against MD5crypt.
One of my favorite comments to the story:
So now that passwords as a system is officially broken, can we please move on to something better? Something that wasn’t invented to allow soldiers standing watch in the middle of the night to tell their mates from their enemies, but is actually designed for computers?
Solutions? Â Well, for remote connectivity, I’ve been using SSH with key-based authentication. Â For the websites, Google seems to be leading the 2-way authentication progress, with a combination of password and a one-time code via SMS. Â These aren’t perfect, but they seem to be better than just a password.
Zakhar Kirpichenko liked this on Facebook.
You assume that one can try billion attempts per sec against an SSH server :) SSH keys are not a solution as long as your work computer can cracked. If you notice most high profile OSS repository hacks were done ising stolen keys.
You assume that one can try billion attempts per sec against an SSH server :) SSH keys are not a solution as long as your work computer can be cracked, actually they are less secure in many cases since protection of workstations is not usually taken very seriously. If you notice most high profile OSS repository hacks were done ising stolen keys.
Vladimir Ivashchenko No, I don’t assume that. Of course, network operations are slow, and many systems will block you after a certain amount of invalid attempts. These billions of checks are against a local database of hashed passwords…
I somewhat agree with your points for SSH keys and workstation protection. However, from the personal experience, I think SSH keys are a better alternative to passwords. Multiple SSH keys are easier to manage than passwords (even with multiple USB flash drives, as some do).
For remote access, two-factor security dongles is the only universal alternative to passwords, IMHO.