05/12/2012 09:55 GMT | Updated 04/02/2013 05:12 GMT

Hacking Super-Weapon Can Crack Encrypted Passwords In Seconds

A hugely powerful computer which is able to crack even the most complex randomised passwords in "seconds" has been demonstrated in Norway.

The new system is said to have "moved the goalposts" on password security.

According to Security Ledger, the system runs the HashCat password cracking program on a cluster of five servers with a total of 25 GPUs.

Passwords are encrypted in many different ways - some with more complex algorithms at their core than others - so the time it takes to crack them can vary massively.

But because many companies, including some popular online services, use outdated or cheaper encryption methods - or store their passwords badly - customers can be put at risk.

Security Ledger said the new system is able to crack the strongest passwords encrypted with two popularly used algorithms, including Microsoft's LM and NTLM, within very short time periods.

The machine is able to test 348 billion NTLM password hashes per second.

A fourteen-character LM password would take just six minutes to crack on the system, while NTLM passwords of a similar length would take five and a half hours, according to Security Ledger.

Researcher Jeremi Gosney presented the system at the Passwords^12 Conference in Oslo, Norway.

In attacks which take place online, the speed of computers attempting to hack passwords is rarely important, because there is often a set number of password attempts that can be made.

But when a collection of passwords is leaked or stolen, hackers have as much time as they like to try and crack them - which is when the power of 'brute force' systems becomes crucial.

Gosney told Security Ledger in an exclusive interview that he had been working on GPU clustering for about four years, and that his team had been simply "trying to build the biggest GPU rigs we could".

He added that he will probably attempt to make money from his machine, either by renting its use or offering it to password recovery or auditing services.

But while the power wielded by hackers is impressive, it might be over-estimated by the general public - and that in itself might be making users less safe.

In a report released on Wednesday, security firm Kaspersky Lab said that the fatalism expressed by consumers about online security has made them less safe.

Only a third of more than 2,000 people asked said they had confidence in their bank's security systems, and tend to assume a bank will cover their losses if they get hacked.

Kaspersky suggests users use unique passwords for all of their accounts, and do not rely on untrusted apps or WiFi networks.

"The research findings suggest that when it comes to online information or identity theft a growing number of consumers are convinced there is little they can do to prevent a determined hacker from succeeding," said David Emm, senior security researcher at Kaspersky Lab.

"It is not surprising that people are feeling overwhelmed and opting for inaction."