25-GPU cluster cracks every standard Windows password in less than 6 hours

113 points by rayval, over 12 years ago

13 comments

peteretep, over 12 years ago
Less good against non-NTLM passwords ... from my comment last time:

Taking SHA-1 (which YOU MUST NOT USE for password hashing blah), it only manages 63 billion a second. To try all the passwords for that in the alphanumeric space:

- 10 chars: 35 weeks
- 11 chars: 44 years
- 12 chars: 2,800 years
- 16 chars: 11 times the age of the sun

10 chars for bcrypt: 600,000 years...

http://www.wolframalpha.com/input/?i=%2865**16+%2F+63+billion%29+seconds
jwilliams, over 12 years ago
This was discussed 3-4 days ago: http://news.ycombinator.com/item?id=4875206

Upshot - it's impressive, but NTLM is already known as a vulnerable target.
16s, over 12 years ago
NTLM hashes are stored in Active Directory servers as one round of unsalted MD4. It's plain MD4. Not many people know this and I only point it out as it's important to understand that when talking about how many cracks per second they are getting.
cynwoody, over 12 years ago
Impressive as the numbers are, it's worth remembering that this is an "offline crack", going against a stolen list of encrypted passwords. If they can steal your database of encrypted passwords, you've got a problem no matter how strong the passwords are.

How many guesses per second do you get in a typical online crack? E.g., a script kiddie trying to guess your cloud server's SSH password?
madao, over 12 years ago
I remember back when I was doing a network engineering course the guys could crack a Windows password in minutes offline, simple matter of grabbing the database from the machine. I think once you have the machine offline, unless you encrypt the data you're pretty screwed regardless.
ChrisNorstrom, over 12 years ago
Guess what? Back in 2009, I started using a method to remember long passwords with a huge # of letters, numbers, & special characters.

Gw?Bi2009Isuamtrlpwah#ol,n,&sc. (31 characters)

Create memorable sentences and create a password using the first letter of each word & all the numbers and punctuation. After entering it 10 or so times you'll get used to it pretty quickly.
rjempson, over 12 years ago
I'm not sure there is much significance to this article.

It points out "The technique doesn't apply to online attacks, because, among other reasons, most websites limit the number of guesses that can be made for a given account."

Same applies to Windows.
rayval, over 12 years ago
Edited title for length, because original title got truncated in a confusing fashion.

Original title: "25-GPU cluster cracks every standard Windows password in <6 hours"
patrickgzill, over 12 years ago
If this is done with commodity hardware, now, what were the NSA's capabilities even 5 years ago?
jiggy2011, over 12 years ago
So, why don't modern versions of Windows just use Bcrypt or similar for passwords?
iamchrisle, over 12 years ago
Nice. But can it run Crysis?
recoiledsnake, over 12 years ago
Every standard Windows password less than 8 chars only?
namank, over 12 years ago
How bout SSL?