back to article Only good guys would use an automated GPU-powered password-cracker ... right?

FireEye reckons sysadmins need help enforcing enterprise password rules, so it's released and open-sourced a tool that distributes password testing across multiple GPU-equipped machines. GoCrack (at GitHub) combines the management of a red team's cracking tasks with privilege management, so the password tests don't fall into …

  1. Jack of Shadows Silver badge

    Simplifies things

    Already have the capability but I do like how it simplifies the setup and tear down. Docker is a plus. bhyve next?

  2. Bronek Kozicki Silver badge
    Coat

    NVIDIA Docker got me interested, and I found this

  3. malle-herbert Silver badge
    Joke

    Yeah but...

    Can it go round the office looking for post-it notes with passwords scribbled on them ?

    Because that would be a lot faster...

    1. Nick Kew Silver badge

      Re: Yeah but...

      ... and trawl social media for names and dates associated with lovers, pets, family, favourite things, etc.

      Add a nice big database of leaked data and it could cover a lot of phishing grounds.

    2. Solarflare

      Re: Yeah but...

      Personally I find sending a nice email around asking for people's passwords to be the most effective method. People are awfully accommodating sometimes.

      1. John Robson Silver badge

        Re: Yeah but...

        Is that not a list that then gets sent to HR for redeployment?

        TO be fair I have replied to said emails on occasion - but only when I knew it was coming, and I changed my password to an 'IT aware' one for the duration of the time they needed it...

  4. Terry 6 Silver badge
    Alert

    Way out of my league to understand this, but..

    If it's out there, somehow it's going to fall into the wrong hands, isn't it?!

    1. Nick Kew Silver badge
      Alien

      Re: Way out of my league to understand this, but..

      A tool like this is more about lowering the bar to a job than about enabling it in the first place. The determined blackhat can do the same already. The competent network administrator might be able to too, if only he had time free from all those more urgent demands!

      A tool simplifying the latter's job sounds like a Good Thing to me. And as I read it, this one's got builtin hurdles against casual misuse, so it doesn't lower the bar too much to a script kiddie.

      To withhold it would smell of that old favourite, security by obscurity.

  5. Anonymous Coward
    Anonymous Coward

    Little flawed here guys and gals.

    Only creators of task data, or those they delegate permission to, can see the contents of a cracking task."

    So when it cracks the admin password and you publish it lower down?

  6. razorfishsl

    But why ?

    you chew up a massive amount of power and bandwidth to test PW in an organization you can easily ask the user their pw

  7. sisk Silver badge

    I just test accounts with two passwords: 123456 and then the user's first name. That generally reveals plenty of people who need a lesson in secure passwords around here.

    Sadly, that's not a joke.

    1. iron Silver badge

      The joke is you haven't enabled password complexity rules. Both the examples you mention would fail even the most lax of complexity rules.

      1. Frederic Bloggs

        Which ones? There are so many and none of them are consistent and most of them limit the character set that one can use. Some even limit the length of the password, one I have seen recently allowing a maximum of 10 characters and specifically banning most punctuation.

        1. Anonymous Coward
          Anonymous Coward

          Take Avaya's utterly shit web login rules.

          8 - 12 characters

          No special characters.

          So to brute force, just rule anything with those in and you have a massively reduced dictionary you need to work from.

        2. Muscleguy Silver badge

          I had to change a password for something I access both from lap/desktop and my Android phone. I found I could not use an asterisk as presumably the unicode was different in some way. Only explanation which made sense. It was definitely that character which was problematic. It worked fine from lab/desktop so it wasn't the site.

          I tend to use phrase initials. Of memorable stanzas of my own, never to be published (in my lifetime) poetry. I store them in Note like apps but munged pretty bad with 1stverse or 2ndverse etc and any numbers are encoded in a Pacific island language. I can count fluently in a number of different world languages. A Turkish colleague on learning I'd been and knew my numbers tested me and said my pronunciation was very good. Well we were there a whole two weeks.

      2. sisk Silver badge

        The joke is you haven't enabled password complexity rules.

        We haven't been allowed to. I've been pushing for complexity rules ever since I was promoted into my current position a decade ago, and lecturing people on the importance of good passwords for the 5 prior years that I've been here.

  8. Haku

    A password cracker which only lets you see the results ....with a password?

    Genius :)

    1. NonSSL-Login
      Coat

      Re: A password cracker which only lets you see the results ....with a password?

      Sounds like a password manager when you put it like that.

  9. Anonymous Coward
    Anonymous Coward

    Nice tool, but...

    ... in most commercial companies I know sysadmins don't really have access to much unused powerful GPUs - and most companies that mostly just shuffle documents around don't care much about GPUs.

    So, how do you use it? Crack your company passwords outside the company in some cloudy setup? I can foresee how many layers of authorization you may need just to think about it... and anyway once you have users' password you are also accountable for anything that may happen with those accounts... until all broken passwords has been changed.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019