Crazy Fast Password Recovery with Hashcat

I have been playing with Hashcat a little bit today and I am just stunned on how fast it is. Hashcat is an all purpose password cracker that can run off of your GPU or your CPU. The GPU version, OCLHashcat-plus is touted as the world’s fastest md5crypt, phpass, mscash2 and WPA / WPA2 cracker.

Hashcat is a multi-threaded cracker, so if your CPU can run several threads, it will use them. But the real speed comes into play when using the horsepower of a GPU. If your GPU can run hundreds of threads, all of this power is used to break passwords.

But just how fast is it?

I took just a simple password: “fred” and fed the NTLM password hash into Hashcat. I used just the slower CPU version and the Bruteforce option. The password was recovered as soon as I hit run:

It was so fast, the estimated and elapsed time didn’t even register.

You can also use password dictionaries to use as a guideline for Hashcat. For the next test, I downloaded the “RockYou.txt” password list. This is a list of actual passwords that have been sanitized (usernames removed). I pulled 4 random plain text passwords from RockYou and converted them to Windows NTLM passwords:

elizabeth1 – 6afd63afaebf74211010f02ba62a1b3e
francis123 – 43fccfa6bae3d14b26427c26d00410ef
duodinamico – 27c0555ea55ecfcdba01c022681dda3f
luphu4ever – 9439b142f202437a55f7c52f6fcf82d3

I placed the 4 password hashes into a file called hashes.txt, added in the RockYou plain text password list and fed them into Hashcat:

Hashcat recovered all five passwords in about the same amount of time it took to create the display screen, a second, maybe 2:

Remember that these are the NTLM hashes, not Window’s simpler LM hashes.

Add in the GPU version, advanced rules, attack methods, and Hybrid Masks and you really have a powerful tool to recover almost any password.

GPU Crackers make Seven Character Passwords Inadequate

That’s the news from the Georgia Tech Research Institute. Using the power of a graphics video card processor (GPU) to crack passwords is not new news. But with the speeds that the GPU’s are reaching, they now have the ability to easily brute force up to seven character passwords.

According to the GTRI case study, “We’ve been using a commonly available graphics processor to test the integrity of typical passwords of the kind in use here at Georgia Tech and many other places,” said Richard Boyd, a senior research scientist at the Georgia Tech Research Institute (GTRI).

“Right now we can confidently say that a seven-character password is hopelessly inadequate – and as GPU power continues to go up every year, the threat will increase.”

So, how fast have Graphic Processors become? Today’s graphic cards can run at speeds approaching 2 Teraflops! Teraflops are used to measure processing speed. A teraflop is one trillion floating point operations per second. To put that speed in prospective, the fastest super-computer in the year 2000 could run at 7 Teraflops. And it was a $110 million dollar monster of linked computers. Now imagine all of that speed leveraged into brute forcing passwords. This is exactly what can be done with password cracking software based on the GPU.

How long should passwords be? According to the case study, “any password shorter than 12 characters could be vulnerable – if not now, soon.”

So, what do we do? According to an article on GCN, the best defense against this is to use sentences for your passwords. I whole heartedly agree and actually use this for my own personal passwords. Take something that means something to you and make a password out of it. Throw in a few special characters for added safety. For example:

MyV0lksw@genIsTheF@stestC@r!   (Don’t even try this on my systems, I am a MOPAR nut)

It is easy to remember because it means something to you. It is complex because it uses upper and lower case letters, symbols, a number and is very long.

GPUs will become faster as time goes on, so the time of using passwords alone to protect your systems may be at an end. The GCN article recommends using a two part system for authentication. “Agencies have gradually been moving toward two-factor authentication systems, which take some of the pressure off of passwords. As the processing units available to attackers become increasingly powerful, two-factor systems could become even more necessary.”

The upcoming Windows 8 is supposed to have facial recognition built it. According to Windows8News, the feature will be called “My PC  Knows Me”.  The feature will provide enhanced login security, including facial recognition augmented with password or fingerprint authentication. The PC will also be able to detect when the user walks away and automatically place the computer into sleep mode.

Very amazing indeed, but I will not be impressed until the computer can detect your face, change your status to “busy”, pull up the latest news you like and automatically make your favorite cup of coffee.     🙂 

Want to know more? Check out these newer articles:

Cracking 14 Character Complex Passwords in 5 Seconds
No need to crack complex 20 character passwords, Just pass them