Have you ever wondered how hackers are able to make quick work of leaked password databases even if the passwords are hashed? First we must discuss the basics of what a hashed password means. Cryptographic hash functions are a way to turn a text representation of data into a fixed-length “fingerprint” based on the protected algorithm. If various characters of the text representation are to change, the hash algorithm will re-arrange potentially the entire fixed-length fingerprint to adjust for the change. In good security practice, these hashes are sometimes also salted by adding a random string to the beginning, end or both sides of the output hash. Software developers will insert the resulting hash into the database. Here is an example of a hashed and salted string:
[root@cloud01 ~]# echo “hello” | sha256sum
5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 <– Hashed
[root@cloud01 ~]# echo “hello” + “YYmMwSzpqQQQeESdfDDD” | sha256sum
790ff420a875c2e5f4d44bbca8a06eae2285d93bad6c917b03148637564c79d6 <– Salted
GPU Processing
The typical function of a GPU (Graphics Processor Unit) is to provide video rendering for 3D graphics and visual effects so that the CPU doesn’t have to do that work. GPU’s often times have up to 16 cores of processing, each operating in a 32-wide SIMB (Simple Instruction, Multiple Data) mode. That brings over 500 operations done in parallel. Common CPU’s only have 4 to 8 cores and can operate in 4-wide SIMD which gives much lower parallelism. GPU’s are pushed to the limit based on very specific algorithms usually involving graphic processing and linear algebra. CPU’s need to be able to handle various tasking situations that are not limited to the same specific algorithms that a GPU is boxed into.
Dovestech is harnessing the power of GPU’s to create enriching software solutions with both ThreatPop and an upcoming training simulator. However, there are some folks who are using this power for unethical activity that we must be aware of.
When it came to password cracking, software engineers thought of ways to leverage the existing optimizations that GPU’s have available. The open source project Hashcat “advanced password recovery” was born. Hashcat can utilize your GPU to potentially convert the hashes back into the string representation by processing in 7 attack modes:
Some of these attack modes will try to decrypt the hash into the textual representation one character at a time while others will utilize dictionary lookups in cases where salting was not available.
Depending on the type of hash that is involved (which crypto technology was used) and the character length of the original password, the time it may take hashcat to crack a password can range from a couple hours to thousands of years. Here is an example:
WPA2 WiFi password that is numbers only:
1010 = 10,000,000,000 possible combinations of all 10 digit numbers. 10,000,000,000 / 387,900 = 25,780 seconds = 7 hours to exhaust the entire spectrum. You will statistically find it before the 7 hours are up, but will be guaranteed to find it within 7 hours.
When it comes to brute force hash decrpytion, there is always a couple rules of thumb. If the original password was a couple characters then you can expect the brute force would figure out the answer a lot quicker than a password that is long and strong. Its possible that you could have a password which can be unrackable based on the length of the password if using a brute-force attack. Obviously there are other factors at play including whether your password is in a unknown dictionary which could allow the password to be hacked a lot quicker. This can take even longer with a solid salt associated.
Conclusion:
In conclusion, your passwords security is in the hands of the software engineers that have developed the hashing techniques for storing the password in a database. As a user of any website/application, it is most wise to always keep in the back of your head that techniques like using GPU processing to decrypt your hashed password is really happening and there are ways to protect yourself. Some software engineers don’t even salt a password. The best way to protect yourself is to make sure your password is long and strong! It took 7 hours for us to process a WPA2 password hash that was 10 digits long (numbers only). Add some special characters, lower/upper case and increase the number of characters to 17 and you have a formula of 1.89 x 1017. Keep a strong password and make it long.
Did you know? The top GPU cluster on the hashcat website can do 44208 Mh/s which is about 42 billion hashes per second.
Ronnie Dove
Dovestech Founder, CTO
Sources:
https://crackstation.net/hashing-security.htm
http://blog.thireus.com/cracking-story-how-i-cracked-over-122-million-sha1-and-md5-hashed-passwords/