Hashed passwords have always been the way to go when storing authentication credentials in databases. In the early days of the web, simple hashing algorithms were enough to offer decent protection in case of data leaks, but the computing power available today makes brute-forcing a breeze.
Researcher Jeremi Gosney, also known as epixoip, demonstrated at the Passwords^12 conference in Oslo that no password hash is uncrackable, provided that you have the right hardware setup: using a cluster of five 4U servers and 25 AMD Radeon graphics cards, he managed to achieve a brute-force rate of 180 billion MD5 hashes per second.
When brute-forcing SHA-1 hashes, Gosney managed to process "only" 63 billion per second, while an attempt at brute-forcing the sha512crypt and bcrypt algorithms yielded fewer than 500k attempts per second. However, when brute-forcing weaker algorithms, such as Microsoft's LM and NTLM, the cluster peaked at 348 billion hashes per second, enough power to crack an 8-character NTLM password in about 5.5 hours.
Of course, brute-force attacks take place locally, against a series of hashes that are stored on file, and not against live websites. Password cracking is a highly lucrative business for cyber-criminals who try to take advantage of password dumps from successful breaches of online services. This was actually how it all started, as Gosney was the first researcher to crack the 6.4 million LinkedIn password hashes for research purposes.
Luckily, some web services take brute-forcing extremely seriously and are migrating from weaker hashing algorithms such as MD4 and MD5 to stronger, more complex ones such as SHA-1 to increase the brute-force time and minimize yield.
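As an added example (not code from the article or from the researcher), here is one common way a service can carry out such a migration without forcing a password reset: verify against the legacy hash at login, then replace the stored record with a salted, deliberately slow hash. The target here is scrypt from the Python standard library rather than SHA-1, chosen because the figures above show slow algorithms such as bcrypt holding the cluster under 500k attempts per second; the record format, function names, cost parameters and sample accounts are assumptions.

```python
import hashlib
import hmac
import os

# Assumed cost parameters for illustration; tune them to your own hardware.
SCRYPT = dict(n=2**14, r=8, p=1, maxmem=64 * 1024 * 1024, dklen=32)
PREFIX = "scrypt$"  # hypothetical record tag marking an upgraded entry


def legacy_md5(password: str) -> str:
    """Unsalted MD5 hex digest: the fast legacy format being retired."""
    return hashlib.md5(password.encode()).hexdigest()


def slow_hash(password: str) -> str:
    """New record 'scrypt$<salt hex>$<key hex>' with a random per-user salt."""
    salt = os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return f"{PREFIX}{salt.hex()}${key.hex()}"


def verify(password: str, stored: str) -> bool:
    """Check a password against either record format in constant time."""
    if stored.startswith(PREFIX):
        _, salt_hex, key_hex = stored.split("$")
        key = hashlib.scrypt(password.encode(),
                             salt=bytes.fromhex(salt_hex), **SCRYPT)
        return hmac.compare_digest(key.hex(), key_hex)
    return hmac.compare_digest(legacy_md5(password), stored)


def login(db: dict, user: str, password: str) -> bool:
    """Authenticate, and upgrade a legacy record once the password is known."""
    stored = db.get(user)
    if stored is None or not verify(password, stored):
        return False
    if not stored.startswith(PREFIX):
        db[user] = slow_hash(password)  # the plaintext is only available now
    return True


def demo() -> dict:
    # Constructed sample accounts, both still in the legacy format.
    db = {"alice": legacy_md5("correct horse"), "bob": legacy_md5("hunter2")}
    login(db, "alice", "correct horse")  # succeeds, record is upgraded
    login(db, "bob", "wrong guess")      # fails, record stays untouched
    return db


if __name__ == "__main__":
    print(demo())
```

Accounts that never log in keep their legacy hash, so a real migration also needs a cut-off after which those records are invalidated or wrapped in the slow hash.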