In 2001, Hugh Jackman was cracking 128-bit encryption for John Travolta and Halle Berry in the movie Swordfish. Over the next 15 years, computers have gotten a lot faster. We decided to take the 2.7kW Supermicro 8x GPU server STH reviewed last year and see if we can do a bit of cracking of our own.
In the movie, Hugh Jackman’s character, Stanley, is asked to crack a password prompt protected via 128-bit encryption.
The movie had (then) state-of-the-art equipment such as a workstation with seven monitors (LCDs even!) In the fifteen years since the movie was released, we have seen trends towards monitors aligned in a more organized fashion.
The DS3 (45Mbps) connection? Insane speeds then, but now is not that much faster than cellular wireless data speeds in some geographies. This was well before we had hardware encryption on processors making encryption on modern hardware essentially “free”. In 2001 we saw the release of 1.3GHz Pentium 4 chips. These single core processors were about 1/100th the speed of today’s desktop chips. Also, GPU compute has been a major trend which has taken some tasks like crypto hash acceleration to a new level.
Without either Halle Berry or Helga (Laura Lane) peering over our… shoulder, we decided to use oclHashcat to crack a MD5 password hash. We used this version so that we could use our 8x AMD FirePro S9150 GPU compute cards in the Supermicro SYS-4028GR-TR server.
So what happens when you pit MD5 era encryption against a ~$30,000 4U server from 2015-2016? Suffice to say, the result was shocking.
We picked a relatively short password for that era. The leading edge of the millennial generation and those older probably remember the days when you could use passwords like “pass” “user123” or your name like “patrick”. Even into the early 2000s 8-character or longer passwords were not standard. There were infrequently requirements for uppercase letters or numbers. For our video we used the password “swfish12” and translated that into an MD5 hash. Our objective was simple: see how long it would take our server to crack the MD5 hash and get back to “swfish12”.
We went to a local coffee shop and saw what we could do with a laptop and the 8x AMD S9150 system remotely tucked away in the DemoEval lab.
After logging in remotely this is what happened:
Not only did the server crack the password, it did so in less time than it takes to drink a cup of coffee. The actual compute operation had a timeline much closer to a sip of coffee.
Here are a few takeaways from this exercise:
- If you are using short passwords with low complexity, change them.
- We took a matter of minutes to go from zero to this crack. This was not the effort of a security researcher and instead one of a non-expert taking 20 minutes to read a FAQ on the Internet and setting the system up. We even left Windows on the machine (it was needed for a certain GPU rendering package we were testing.)
- If this machine was in the hands of a skilled security researcher, the MD5 password would have taken under a second of execution time instead of the 9 seconds it took us.
- If you have a critical application from the 1990’s or early 2000’s running, it may be worth paying an expert (not us) to do a security audit.
- There is almost always work involved to get to the MD5 hash which we did not show. Passwords are stored today with stronger hashes to prevent these speedy attacks and getting to them is often difficult.