Blazing Fast Password Recovery With New ATI Cards

An anonymous reader writes "ElcomSoft accelerates the recovery of Wi-Fi passwords and password-protected iPhone and iPod backups by using ATI video cards. The support of ATI Radeon 5000 series video accelerators allows ElcomSoft to perform password recovery up to 20 times faster compared to Intel top of the line quad-core CPUs, and up to two times faster compared to enterprise-level NVIDIA Tesla solutions. Benchmarks performed by ElcomSoft demonstrate that ATI Radeon HD5970 accelerated password recovery works up to 20 times faster than Core i7-960, Intel's current top of the line CPU unit."

Portrayal

[Dan East]

I like the way this is portrayed in a totally positive light, as if a person, upon forgetting the password to their device, is going to go out and buy one of these video cards, install it in a machine capable of supporting it (PSU wattage, bus speed, OS, etc), purchase the proprietary "password breaker" software (sold by the company that authored this "story"), all just to recover their password. I think the typical usage for this type of setup is of a more nefarious sort.

Re:Stop with the advertising

[ClosedEyesSeeing]

... The whole summary is in marketing-speak for crying out loud.

And for the curious, TFA is no better. They're calling it a benchmark so they can advertise more effectively ...

You must be new here.

Re:My password.

[Mister Whirly]

Bluetooth keyboard, duh.

Re:103000 passwords per second. So?

[WuphonsReach]

At 103000 attempts per seconds, that's... 421 years oh.

Still within the realm of cracking, especially if those passwords guard a few million dollars of assets. 421 years sounds like a lot until you add things like:

- Crossfire or SLI where you have multiple boards installed
- Setup half a dozen machines to work on the problem
- Apply a botnet to the problem
- Future improvements in technology
- Apply some heuristics to the guessing process

All of which can easily shave off at least 2 orders of magnitude and possibly 3 orders of magnitude. Which reduces that 421 years down to a few months (or worse).

8 character passwords are pretty much dead in the water now. Or at least they need to be phased out within the next few years. Or protected by rate-limiters which control how fast passwords can be tried. (Personally, I always assume that the attacker has the stored hash and can apply parallelism to the attack. Which means that rate limiters should not be relied on to prevent cracks.)

Re:Portrayal

[CityZen]

The sub $300 graphics card will probably still be faster than the $1000 CPU, and the high school geek might get a cracked version of the $1200 software, so it's still within his purview.

In any case, the USD1000 video card is sub $800 now, and will be half that in a few months. The advancement of technology will let all threats eventually percolate down to the lowest levels.

Re:Portrayal

[Rene S. Hollan]

Try posting bail when no one else has access to your money or collateral and no one is willing to advance you a loan for that purpose. You first have to get to your lawyer (assuming you have one, and not a public defender who won't give a crap), have him draw up (or use a boilerplate) power of attorney form so s/he can access your funds, have a notary witness your signature at the jail (often not possible since the only physical (non-video) visitor you can have is your lawyer), and take that to your bank during business hours.

A debit/credit card might work, and you might indeed have it on your person when you are arrested. But, it will be safely stored with your personal possessions, and not provided to anyone other than upon filing in a release form, that your jailer may not approve (generally the deputy overseeing the jail module where you are held). Have you got your debit/credit card number memorized? The expiration date? The code on the back?

Things that can take a few minutes over the phone can take many days when one is in jail.

Re:Stop with the advertising

[node 3]

Having skimmed TFA (actually, TF Press Release) it doesn't sound like there's anything really interesting here other than GPUs are faster are parallel calculations than CPUs. This is already known.

Cracking WPA and iPod/iPhone backups is still not a feasible task. Instead of 20 billion years (or whatever), it'll now only take 1 billion? Saying "20 times faster" makes it sound like you can already reliably crack these things, and now instead of a few hours, it's only a few minutes. But unless I missed it (and I certainly could have), that's not the case. It's just Moore's Law continuing on, in this case on the GPU instead of the CPU. We already know newer chips will be able to try more keys per second, but we're a *long* way from it being something to have any reasonable level of concern over.

It strikes me as odd that they actually have a product for this. It may be useful for short key lengths, but not for the things listed in the headline. It's like saying the hydrogen bomb can destroy Jupiter 100 times faster than an atom bomb. It may be technically true, but it's not a practical solution.