Recently ads have surfaced for a new movie called 'BlackHat' which is stacking up to be this years version of the 'techno-action-thriller', wherein again, Hollywood makes every computer literate person in the audience groan and facepalm.
There's been an advertising campaign running for this movie which displays a fairly sexy graphic that claims what the password cracking times would be for a very short list of passwords: password, Password, [email protected], and [email protected]
Immediately upon viewing this, most of twitter went up-in-arms about how wrong it was. Lots of folks ranted about how shortsighted this was, but nobody actually posted the real stats.
First and foremost - My gaming rig (which really isn't all that powerful) has 12 cores and a NVidia Titan 1GB video card. I can walk the entire NTLM 8 char keyspace (upper, lower, special and numbers) in roughly 4 hours - so whether your password is *fnJH13( or aaaaaaaa the longest I'll have to wait is 4 hours to get it. If it's in a dictionary, it's usually seconds. 9 chars? I have to wait about 12-15 hours, but it's the same mechanic. If your password is 9 chars or shorter, and I can capture an NTLM hash of it from a windows computer, I will likely have it cracked before anybody notices the computer has been hacked.
So after some thought, I decided to do it and show my work, but there are several considerations to take into account when telling people absolute figures for the time it takes to crack passwords:
- What is the password for? Different systems store passwords using different hashing algorithms. This can make the password trivial to crack (like LM) or absurdly hard to crack (like sha512crypt). This matters greatly.
- What is doing the cracking? A phone? a laptop? a bunch of ec2 images? a watercooled, $20,000 cracking rig with 16 dedicated video cards and SSDs with rainbow tables? This also matters, very greatly.
I created four unix accounts on an ubuntu box: user1 through user4, each with one of the passwords from the ad, and I also created four windows users on my gaming rig exactly the same way. The objective here is to determine just how different of a time an attacker would have if attacking unix passwords versus windows passwords (sha512crypt vs NTLM)
The first two passwords, password and Password, when cracked using "John the Ripper", a common, free password cracking tool, took under 11 seconds to crack. This was without rainbow tables, without a dictionary, or any tuning whatsoever. I let that crack run for an hour and it was only able to capture the first two passwords. Using my macbook, which has 8 CPU cores to do the cracking, I was getting roughly 1300 password attempts a second (which frankly is abysmal).
I ran the same crack again using a dictionary, and both passwords popped in under 1 second. Not too bad - an order of magnitude faster, but it's a bad measurement because there were so few passwords. I tried the same test on my windows machine using oclhashcat and got ~6100 password attempts a second. Better, but still really terrible numbers. This means that the sha512crypt algorithm is VERY strong, and it would take either a very long time, or an incredibly powerful machine to crack things. Hashcat was telling me 2+ years for the full 8 char keyspace. Ouch.
Now let's consider if these passwords were from a windows computer, which is the likely narrative the ad is implying. Here's a screenshot of hashcat cracking the NTLM passwords:
So there's a line there I'd like you to squint at: it's the 'Speed.GPU.#1' line, which says 6835.8 MH/s
In english thats 6,385.8 'mega hashes', which is millions of hashes, per second.
In regular numbers, thats 6.3 BILLION NTLM hashes that it guesses per second. Thats ASTRONOMICALLY more than 1300, or even 6100 per second.
So on my gaming rig, the difference between cracking sha512crypt and NTLM is literally six orders of magnitude and some change. 6,385,800,000 vs 6,100.
Additionally, You can see that the elected keyspace (common stuff, not the entire keyspace) will take just under 14 minutes. The mask it's using is for passwords that are 8 chars long, begin with an upper case letter, have lower case letters, then end with a number. The 9 char mask is the same way, and it's claiming 11 hours.
So the TL;DR here is this:
- If you use 'password' in your password, it will be very easily cracked/guessed
- If your password is less than 12 characters long, several days of hobbyist cracking on a gaming computer will crack it.
- If you want an amazing dictionary to crack things with, google for the 'skull security' password lists, and 'crackstation'.
- Hollywood has apparently no intention of asking experts in the field about the legitimate statistics of password cracking, even when the movie they're advertising is specifically about hackers and hacking.
- Please take this stuff with a grain of salt - if someone you're talking to in an elevator says they're a hacker, whatever they actually are will be NOTHING like movies like this purports to describe.
-Dan Tentler (@viss)