System Guesses 350 Billion Passwords Per Second

Dennis Faas's picture

A newly unveiled password-cracking system can reportedly guess billions of unique passwords every second. At that rate, it's entirely practical to have the device attempt every possible eight-character Windows password.

The password-cracking system is a Linux-based graphics processing unit (GPU) 'cluster' that uses a special type of virtualization software, allowing it to use not one, not two, but 25 Advanced Micro Devices (AMD) Radeon graphics cards.

350 Billion Passwords Guessed Each Second

That kind of GPU power enables the cluster to guess passwords at an astonishing rate: 350 billion passwords per second. That's roughly four times faster than once thought possible.

In fact, experts estimate the device could actually guess every eight-character password, including those containing combinations of letters, symbols, and numbers, in just five-and-a-half hours. (Source:

This method of simply guessing computer passwords is known by security experts and hackers alike as "brute forcing".

In the past, brute forcing of passwords was possible, but not practical because it would have taken years or even decades to run through all the possible passwords.

Thankfully, hackers are not the ones who have developed this device. Instead, it's the work of Stricture Consulting Group, a security firm specializing in password cracking.

Stricture's chief executive officer, Jeremi Gosney, unveiled the cluster at last week's "Passwords^12" conference in Oslo, Norway. (Source:

Although it's unlikely hackers have a tool like this at their disposal, Gosney and other security experts believe people with criminal intentions could develop similar devices in the future.

Experts: It's Time for Longer, More Complex Passwords

According to Gosney, the advent of this password-cracking cluster signals that everyone should start thinking about developing much longer and more complicated passwords.

Infosecurity, an online security magazine, insists that eight-character passwords "are no longer sufficient," and that only by using longer passwords including both letters and numbers will people "help prevent brute forcing." (Source:

Where possible, security experts like Kaspersky Lab's Dmitry Bestuzhev suggest using a much longer combination of letters, numbers, and symbols to construct passwords. Furthermore, Internet users should refrain from using the same password more than once.
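To see why length matters so much at the reported guessing rate, the following added example (not part of the original article) computes the worst-case time to try every password of a given length and the shortest length that would hold out for a chosen period. It assumes a 95-character alphabet (printable ASCII: letters, digits, symbols and space), which the article does not specify; with that assumption an eight-character search takes about 5.3 hours, roughly in line with the figure quoted above.

```python
GUESSES_PER_SECOND = 350e9   # rate reported in the article
PRINTABLE_ASCII = 95         # assumption: upper, lower, digits, symbols, space
LOWER_AND_DIGITS = 36        # assumption: a-z plus 0-9, for comparison
YEAR = 365.25 * 86400        # seconds in a year


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def exhaust_seconds(alphabet_size, length, rate=GUESSES_PER_SECOND):
    """Worst-case seconds to try every password of exactly `length` characters."""
    return keyspace(alphabet_size, length) / rate


def min_length(alphabet_size, target_seconds, rate=GUESSES_PER_SECOND):
    """Shortest length whose full keyspace takes at least `target_seconds`."""
    length = 1
    while exhaust_seconds(alphabet_size, length, rate) < target_seconds:
        length += 1
    return length


def human(seconds):
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    print(f"{'length':>6}  {'95-char alphabet':>22}  {'36-char alphabet':>22}")
    for n in range(6, 15):
        full = human(exhaust_seconds(PRINTABLE_ASCII, n))
        small = human(exhaust_seconds(LOWER_AND_DIGITS, n))
        print(f"{n:>6}  {full:>22}  {small:>22}")
    for name, size in (("95-char", PRINTABLE_ASCII), ("36-char", LOWER_AND_DIGITS)):
        print(f"{name}: {min_length(size, 100 * YEAR)} characters "
              "needed to exceed 100 years of guessing")
```

Each extra character multiplies the search time by the alphabet size, so the table shows hours turning into years within two or three additional characters. These are exhaustive-search ceilings only and say nothing about passwords that are reused or easy to predict.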

Sophos Labs security expert Paul Ducklin sees the cluster's unveiling as "yet another reminder that security is an arms race." For the average Internet user, winning that arms race requires taking password construction more seriously. (Source:

