panicky
You bring up a 6 ys old dead topic just to say "panicky"? Whats wrong with you?
Topic: use mining rig to crack passwords? (Read 4788 times)
You bring up a 6 ys old dead topic just to say "panicky"? Whats wrong with you?
Never thought that the world would be just as predicted in the movies:
Interesting. With all these hacking going on these days on the internet, it makes me wonder really what is secure anymore.
nothing at all, not even your own mind.
you just have to try thinking securely and roll with the punches.
I guarantee you every thought you have, someone at that very same moment or even earlier is also thinking it.
It's all in what you do with that thought, and most of the time those thoughts are fleeting.
Interesting. With all these hacking going on these days on the internet, it makes me wonder really what is secure anymore.
The thing to realize is that because the passwords were salted with different salt, except for some of the early ones on the list, a person using a mining rig to hash them can't go against the entire list at once.
Google password salting for more details, but basically, your password had some random characters, called salt, added to them before hashing to make these type of attacks more difficult. The leaked userid/password db includes the salt, so if someone wanted to target your password and it wasn't 10+ characters with more than just the alphabet, cracking it is possible.
The challenge for the attacker is to know which passwords to hack. If the leaked db the hacker used included balance data, then it's easy. You look at who has the largest balance, point a couple of mining rigs at the hashes of the biggest targets and hope that someone had a shorter password.
To me this makes the most sense, and I am doubtful that Kevin was the hacker, if only because I find it hard to believe that someone sophisticated enough to accomplish this hack would be unsophisticated enough to make it easy to find his e-mail address, home address and phone number. Not that I think the attack necessarily has the hallmarks of real finesse, just that it has enough that I find it hard to believe Kevin was in collusion.
By the same token, I also find it difficult to believe that one or a few users had over 500K bitcoins sitting in their accounts at MtGox, particularly when the 400K transactions that have been discussed were supposed to be MtGox moving stuff around.
But, I've gotten off-topic. To answer your question, if your password is less than 10+ characters and someone wanted to determine your password, it is probably doable with bitcoin mining equipment.
Google password salting for more details, but basically, your password had some random characters, called salt, added to them before hashing to make these type of attacks more difficult. The leaked userid/password db includes the salt, so if someone wanted to target your password and it wasn't 10+ characters with more than just the alphabet, cracking it is possible.
The challenge for the attacker is to know which passwords to hack. If the leaked db the hacker used included balance data, then it's easy. You look at who has the largest balance, point a couple of mining rigs at the hashes of the biggest targets and hope that someone had a shorter password.
To me this makes the most sense, and I am doubtful that Kevin was the hacker, if only because I find it hard to believe that someone sophisticated enough to accomplish this hack would be unsophisticated enough to make it easy to find his e-mail address, home address and phone number. Not that I think the attack necessarily has the hallmarks of real finesse, just that it has enough that I find it hard to believe Kevin was in collusion.
By the same token, I also find it difficult to believe that one or a few users had over 500K bitcoins sitting in their accounts at MtGox, particularly when the 400K transactions that have been discussed were supposed to be MtGox moving stuff around.
But, I've gotten off-topic. To answer your question, if your password is less than 10+ characters and someone wanted to determine your password, it is probably doable with bitcoin mining equipment.
Some almost immediately, some would take practically forever. It depends on the strength of the password.
You can read about it at
http://www.tomshardware.com/reviews/password-recovery-gpu,2945.html
Then, there are these two
http://www.zdnet.com/blog/hardware/cheap-gpus-are-rendering-strong-passwords-useless/13125
http://www.pcpro.co.uk/blogs/2011/06/01/how-a-cheap-graphics-card-could-crack-your-password-in-under-a-second/
which ultimately are derived from
http://mytechencounters.wordpress.com/2011/04/03/gpu-password-cracking-crack-a-windows-password-using-a-graphic-card/
http://www.tomshardware.com/reviews/password-recovery-gpu,2945.html
Then, there are these two
http://www.zdnet.com/blog/hardware/cheap-gpus-are-rendering-strong-passwords-useless/13125
http://www.pcpro.co.uk/blogs/2011/06/01/how-a-cheap-graphics-card-could-crack-your-password-in-under-a-second/
which ultimately are derived from
http://mytechencounters.wordpress.com/2011/04/03/gpu-password-cracking-crack-a-windows-password-using-a-graphic-card/
This question is impossible to answer definitively. The time it would take to brute force those passwords depends on the strength of the salt. As for the unsalted passwords, many of them were already publicly in rainbow tables.
try it yourself
http://forum.bitcoin.org/index.php?topic=19729.msg249307#msg249307
http://forum.bitcoin.org/index.php?topic=19729.msg249307#msg249307
spread this around so all the exchanges will take note.
http://www.golubev.com/hashgpu.htm
it uses the same hardware we are mining with.
http://www.golubev.com/hashgpu.htm
it uses the same hardware we are mining with.
So how long would it take to crack those leaked passwords from MtGox? Let's say someone use their mining rig of 5G/Hash for it?
Jump to: