Password cracking can be a very time consuming process. The speed, or passwords per second, depends on the hardware that you are using. Most importantly your CPU (Central Processing Unit), GPU (Graphics Processing Unit, and the amount of machines you have dedicated to that one task a.k.a. computer cluster. Let’s look at each one of these in greater detail.
CPU (Central Processing Unit)
The CPU is the brains of your computer. It is responsible for carrying out all of the instructions of a computer program, in our case, a password cracking program. This obviously means that the faster the CPU, the more passwords you can try per second and the faster you will crack the password.
CPUs today are very fast and thanks to Moore’s law, the technology continues to improve and become faster. I’m sitting here typing away on an Acer netbook with a tiny 1.3 GHz Intel Atom processor that can brute force just over 1 Million passwords per second! Now, depending on the hash algorithm, the program being used and the processor you are using this can go up to the hundreds of millions of passwords per second. Below is an example.
GPU (Graphics Processing Unit)
You might have been surprised when I mentioned a graphics card was important for cracking passwords. You might be even more surprised to hear that a graphics card can be much faster than a high end CPU at cracking passwords.
In late 2007, Elcomsoft, a software company based in Russia, came out with the first password recovery program to take advantage of the nVideo GeForce 8800 GPU and increase password cracking speed by 25 times over a CPU. They boldly claimed that an eight character Windows password that normally took two months to brute force on a machine using a CPU, took only two to five days with their software and a high end GPU. That is a huge difference! Let’s look at how this is possible.
The reason why GPU’s are perfect for password cracking is because of their parallel architecture. Andrew Humber, nVidea’s spokesman, described it as “A normal computer processor would read a book starting at page one and finishing at page 500, a GPU would take that book tear it into a 100,000 pieces, and read all those pieces at the same time.”
CPU’s today usually have two, four or even eight cores whereas GPU’s have hundreds of internal processing units known as stream processing units. This is what makes them great for password cracking and when looking for a GPU for password cracking, remember that the more streams the better.
Programming an application for a GPU is much more difficult compared to traditional programming. To make it simpler, nVidea came out with the CUDA architecture and the OpenCL framework. These were created to give developers the ability to use standard programming languages like C and C++ to develop GPU applications, and is what was used to create the password cracking programs you will be using later on in this course.
To show you how much faster password cracking is with GPU’s, examine the graph below. In the test, two nVidea GTX295 cards were used with a few different programs and password hashes. As you can see, they passed the billion passwords/second mark.
It doesn’t matter if you have the fastest CPU today or the greatest video card, brute forcing a password can still take years even at a rate of 3 billion passwords/second as we saw in the graphics card data. This is because the amount of possible password combinations can get extremely high. So how is it still possible to crack passwords that have an unbelievable amount of possible combinations? The answer is: computer clusters. Computer clusters are a bunch of interconnected computers that split a job amongst themselves to considerably shorten the time needed to complete it. These computers could be all on a LAN or they could be spread across the whole internet.
There are many different types of computer clusters, but to keep it simple, I will describe how most of them work.
In a computer cluster, there is usually one computer (server) whose sole purpose is to oversee the rest ofthe computers (clients). The server’s job is to divide a password cracking job into many pieces and assign each piece (work unit) to each computer in the cluster.
In a password cracking job, each unit would be a range from one string to another. For example, one work unit may be AAAA BBBB. This means that client would need to try every password combination from AAAA to BBBB against a password hash.
Once a machine finishes its assigned work unit, it sends the server its results. If the password was found, the server would tell every other machine to stop; otherwise it would send that machine a new work unit. This process is repeated until the password is cracked.
Using a password cracking cluster can slash the time it takes to crack passwords in half, so if you have access to multiple machines, use them.