APC Australia

Using a GPU to hack passwords

Not if you practice responsible password generation.

If you’ve ever locked yourself outside of your house, you probably know the pain, cost and time associated with hiring a lockpicker to help you get back in. Similarly, if you’ve ever locked yourself out of an important file, you might know the even greater cost and time of using a password recovery program to regain access to it.

Also called password crackers, these tools are intended for legitimate purposes and aren’t necessarily anything new. Still, they tend to be expensive affairs that take longer than a human lifetime to get through well-designed passwords. With Ampere and Big Navi GPUs starting to hit the public, though, companies like Passcovery are advertising that they’re more useful. That could be helpful or threatening, depending on the user.

According to its LinkedIn profile, Passcovery’s been around since 2008, but in early October it issued a major update that allows you to lend Ampere processing power to it. We imagine that Big Navi will be added in due course.

For the unaware, Passcovery is a US$40- to US$400-per-year tool that specialises in recovering passwords for programs like the Microsoft Office suite as well as for iOS backups and Rar, Zip, and PDF files. It works by first mass-checking a dictionary of possible passwords called collisions against a locked file, then trying random combinations. So if your password is “gap” or “blasphemy,” Passcovery would find it almost instantly, as those are “collisions,” aka passwords already stored in its library. Otherwise, the program says that the average password recovery time (after the update) for something like a Word file is two hours.

That’s supposedly 5-8 times faster than before, thanks to GPU acceleration including the RTX 30 series and, eventually, Big Navi graphics cards. Code optimisations have also helped. For instance, the company said that while an earlier version of Passcovery running on a GTX 1060 GPU could only try 669,000 passwords per second, the new suite can try up to 3.4 million passwords per second on the same hardware.

So, how helpful or dangerous is this? We downloaded the free demo to try out. We put Passcovery to the test with a Microsoft Word document protected by a nine-character password that only uses lower case letters, numbers, and a single exclamation point. Using those constraints and a brute force attack, we ran the demo on a test PC which has an RTX 3090 and an Intel Core i9-9900K, to see how long it would take to unlock the file.

The ETA? 141 years. And that’s with a little help. If you want to do a full brute force attack, including capital letters and all special characters, it gets much worse. For a Word file, with a 10 character password length, the program says, “Sorry, but number of passwords is way too much to check in finite time. Please change the settings.” Our take: Don’t use a complex password, then forget it and hope one of these recovery tools will get you out of a jam.

Passcovery does work well at finding passwords it already has collisions with, or any passwords that are just dictionary words. Even with the power of next-gen GPUs, though, the average person shouldn’t have anything to worry about yet, so long as they follow even modest password security guidelines.
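To check your own passwords against the dictionary-then-brute-force order described above, here is an added example (not code from Passcovery or from this article). It assumes printable-ASCII passwords, a constructed two-word wordlist, and the article's 3.4 million guesses per second figure, which was quoted for a GTX 1060 without naming a file format; real rates vary widely by format.

```python
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character classes an attacker has to include once a password uses them.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation]


def keyspace(alphabet_size, length):
    """Candidates of exactly `length` characters drawn from one alphabet."""
    return alphabet_size ** length


def masked_keyspace(base_size, length):
    """Candidates with exactly one fixed symbol (e.g. '!') at any position."""
    return length * base_size ** (length - 1)


def alphabet_size(password):
    """Size of the smallest class-based alphabet covering the password (ASCII only)."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in password))


def audit(password, wordlist, guesses_per_second):
    """Return (phase, worst_case_years) for a dictionary pass followed by brute force."""
    if password.lower() in wordlist:
        return ("dictionary", 0.0)          # found in the first pass
    space = keyspace(alphabet_size(password), len(password))
    return ("brute-force", space / guesses_per_second / SECONDS_PER_YEAR)


if __name__ == "__main__":
    words = {"gap", "blasphemy"}   # constructed stand-in for a real wordlist
    rate = 3.4e6                   # article's GTX 1060 figure; file format unspecified
    for pw in ["gap", "zebra42xq", "Zebra42xq!"]:
        phase, years = audit(pw, words, rate)
        print(f"{pw!r:14} {phase:12} worst case ~{years:,.1f} years")
    # Two readings of the article's test constraints for a nine-character password:
    print("37 symbols in any position:", keyspace(37, 9))
    print("exactly one '!' plus 36 symbols:", masked_keyspace(36, 9))
```

Adding one character class or one character of length multiplies the worst case, while knowing the password's structure in advance (the mask) shrinks it.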
