GPU Password Cracking: A Guide

TL;DR

This guide explains how brute-force GPU password crackers work and how to protect against them. It covers the tools used, common attack methods, and practical steps you can take to secure your accounts.

Understanding GPU Password Cracking

GPU password cracking uses the parallel processing power of graphics cards (GPUs) to rapidly test many passwords against a target system or hash. This is much faster than using only a computer’s CPU, especially for complex passwords.

Tools Used in GPU Password Cracking

• Hashcat: The most popular and versatile password cracking tool. Supports various hashing algorithms and attack modes.
• John the Ripper: Another widely used cracker, known for its flexibility and rule-based attacks.
• oclHashcat/cudaHashcat: Versions of Hashcat specifically designed to utilise OpenCL (oclHashcat) or CUDA (cudaHashcat) for GPU acceleration.

Common Attack Methods

1. Brute-Force: Tries every possible combination of characters within a specified length and character set. Very slow if the password space is large.
2. Dictionary Attacks: Uses a list of common passwords (a dictionary) to try and match the hash. Faster than brute-force, but limited by the quality of the dictionary.
3. Mask Attack: Combines elements of brute-force and dictionary attacks. You define a pattern (mask) that specifies character types and positions (e.g., ‘aa??’ for two lowercase letters followed by any two characters).
4. Rule-Based Attacks: Applies modifications to passwords from a dictionary using predefined rules (e.g., adding numbers, changing case, substituting characters).

Protecting Against GPU Password Cracking

Here’s how to make your accounts much harder to crack:

1. Strong Passwords

• Length: Use passwords at least 12 characters long, preferably longer (16+).
• Complexity: Include a mix of uppercase letters, lowercase letters, numbers, and symbols.
• Uniqueness: Never reuse the same password across multiple accounts.

2. Password Managers

Use a reputable password manager to generate and store strong, unique passwords for each account. Examples include 1Password, LastPass, and Bitwarden.

3. Multi-Factor Authentication (MFA)

Enable MFA whenever possible. This adds an extra layer of security by requiring a second verification method (e.g., code from an authenticator app, SMS code). Even if your password is cracked, attackers will need the second factor to access your account.

4. Account Lockout Policies

If you administer systems, implement account lockout policies that temporarily disable accounts after a certain number of failed login attempts. This slows down brute-force attacks.

5. Salting and Hashing (For System Administrators)

When storing passwords in databases, use strong salting and hashing algorithms like bcrypt or Argon2. Salting adds a unique random value to each password before hashing, making rainbow table attacks much more difficult.

# Example of salting with Python (simplified)

6. Monitor for Suspicious Activity

Regularly review your account activity logs for any unusual logins or attempts to access your accounts from unfamiliar locations.

Detecting a GPU Password Attack

• Slow Login Times: If login times are significantly slower than usual, it could indicate an ongoing brute-force attack.
• Account Lockouts: Frequent account lockouts can be a sign of attempted password cracking.
• System Logs: Check system logs for failed login attempts from the same IP address or user account.