The power that a Graphics Processing Unit presents can be harnessed to do some dirty work when trying to crack passwords. [Vijay] took a look at some of the options out there for cracking passwords and found that utilizing the GPU produces the correct password in a fraction of the time. On a Windows machine he pitted the Cain password recovery tool which uses the CPU for its calculations against ighashgpu which uses ATI or Nvidia graphics cards to do the deed. Hands down ighashgpu is the fastest; with Cain taking about one year to crack an eight character password while ighashgpu can do it in under nineteen hours.

We were very interested to see how easy it is to use this package. We looked in on GPU cracking in September but didn’t focus on the software packages that are out there. Now that you know how easily your password can be unearthed perhaps you will get some use out of this article discussing the usability and security of longer passwords which we ran across over on Reddit.

It’s a few years old, but [Brian360's] method of unlocking the hard drive on his Mitsubishi Multi-Communication System is quite interesting. Mitsubishi describes their MMCS as a human-vehicle communication tool. It’s basically an in-dash screen and controls to display navigation maps and play music. [Brian] found that the hard drive for the MMCS in his 2008 Lancer was locked, and could not be cloned and swapped out for a larger drive. Sound familiar to anyone? Hard drive locking has been used in many systems, including the original Xbox, which we’ll get back to in a minute.

The setup seen above was used to grab the hard drive password from the system itself. A custom adapter card was built and plugged in between the hard drive and the MMCS hardware, with test points for each of the data line. [Brian] attached a digital storage oscilloscope, and after a bit of poking around, found a way to trigger the scope when the password was requested. He explains the process of converting the captured data into an ASCII string password.

With that in hand how would you unlock the drive? The favorite tool for this is hdparm, a tool which was used with early Xbox unlocking but which is still in use with other hardware today. Now brian has a disk image backup and the ability to swap out for larger hardware.

[Thanks Traitorous8]

shackspace member [@dop3j0e] found himself in a real bind when trying to recover some data after his ThinkPad’s fingerprint scanner died. You see, he stored his hard drive password in the scanner, and over time completely forgot what it was. Once the scanner stopped working, he had no way to get at his data.

He brainstormed, trying to figure out the best way to recover his data. He considered reverse engineering the BIOS, which was an interesting exercise, but it did not yield any password data. He also thought about swapping the hard drive’s logic board with that of a similar drive, but it turns out that the password is stored on the platters, not the PCB.

With his options quickly running out, he turned to a piece of open-source hardware we’ve covered here in the past, the OpenBench Logic Sniffer. The IDE bus contains 16 data pins, and lucky for [@dop3j0e] the OpenBench has 16 5v pins as well – a perfect match. He wired the sniffer up to the laptop and booted the computer, watching SUMP for the unlock command to be issued. Sure enough he captured the password with ease, after which he unlocked and permanently removed it using hdparm.

Be sure to check out [@dop3j0e's] presentation on the subject if you are interested in learning more about how the recovery was done.

In his line of work, Instructables user [Harrymatic] sees a lot of Toshiba laptops come across his desk, some of which are protected with a BIOS password. Typically, in order to make it past the BIOS lockout and get access to the computer,  he would have to open the laptop case and short the CMOS reset pins or pull the CMOS battery. The process is quite tedious, so he prefers to use a simpler method, a parallel loopback plug.

The plug itself is pretty easy to build. After soldering a handful of wires to the back of a standard male D-sub 25 connector in the arrangement shown in his tutorial, he was good to go. When a laptop is powered on with the plug inserted, the BIOS password is cleared, and the computer can be used as normal.

It should be said that he is only positive that this works with the specific Toshiba laptop models he lists in his writeup. It would be interesting to see this tried with other laptop brands to see if they respond in the same way.
Since no laptops are manufactured with parallel ports these days, do you have some tips or tricks for recovering laptop BIOS passwords? Be sure to share them with us in the comments.

Here’s a guide for recovering protection passwords from ATA hard drives (translated). These passwords are stored in a special area of the hard disk that also contains the firmware for the device. Normally you can’t get at them but [Supersonic] walks us through a method used to grab the data off of a Western Digital Scorpio drive. Booting into a program called MHDD you are able to bypass the BIOS (which won’t allow you to read protected data) and directly drive the SATA or PATA controller on your motherboard. Once you’ve dumped the data it can be viewed with a HEX editor, and if you know where to look you can grab the passwords that are locking the disk.

This reminds us of some of the original Xbox hacks which used a variety of methods to unlock the stock hard disk.

[Jair2K4] is using his unique RFID tag address as an online password. We’d bet that if you went far enough to get an implant in your hand you’d continually search for a reason to use it. Wanting to do more than just start his car with a wave of the hand, he built an interface module out of an Arduino and a Parallax RFID reader. Using a program called AAC Keys on Windows 7 he emulates a keyboard using the input from the Arduino. When it comes time to login he types his username and parks the cursor in the password box. By holding the RFID implant next the reader, the ID is dumped as the password, along with a newline (might be a carriage return, we’re not certain) character which submits the login. Take a look for yourself after the break.

On the one hand, nobody will be able to steal his tag as easily as they could steal one that is on a key ring. But we know RFID is rather notorious for a false sense of security. As long as you’re not using it for state secrets we think it’s a nice solution.

Update: After reading the comments on this feature, [Jair2K4] made some changes to his code. It now reads the tag and verifies it with stored data, then spits out whatever password you wish (making it easy to change passwords from time-to-time). He also added servo control to the sketch.

[Ben Kurtz] is doing a little WEP cracking but in a bit of a different way than we’re used to. WEP cracking makes us think of war driving; driving around with your laptop open, looking for WiFi access points, and stopping to run some software when you find them. [Ben's] way is similar but different in one key way, he’s using an iPhone as the frontend.

This started as a way to find a use for some leftover equipment. He threw together a Linux box and loaded up Aircrack-ng, the software we often see used in penetration testing. To remove himself from shady-looking activities in public he coded a web interface using the Python package Turbogears. It uses screen, a program often used with SSH to run services concurrently in different terminals, with the option to disconnect without stopping the processes. Now it’s just a matter of parking the hardware near an AP, and doing the work in a browser on your mobile device. You can check out the script he wrote, as well as installation instructions, in his post linked above.

[Thanks Tech B.]

[Note: Banner image not directly related to this post]

[Dogbert] took a look at the security that goes into BIOS passwords on many laptops. He starts off with a little background about how the systems work. People are bound to forget their passwords, so when you enter a wrong one three times in a row you get a message similar to the one above that locks you out until all power is removed from the system (then you get three more tries). But check out that five-digit number in the picture. That’s a checksum of the password. Some BIOS versions display it automatically, some require you to hold down a certain key during POST, but it’s the pivotal data needed to crack the password.

[Dogbert's] post doesn’t go into verbose detail about the algorithms he uses to brute force the passwords. But he has posted the Python scripts he uses to do so. Learning how to generate the passwords based on the checksum is as simple as studying the code, which is often the best way to learn.

Recently, research students at Georgia Tech released a report outlining the dangers that GPUs pose to the current state of password security. There are a number of ways to crack a password, all with their different pros and cons, but when it comes down to it, the limiting factor in all of these methods is processing complexity. The more operations that need to be run, the longer it takes, and the less useful each tool is for cracking passwords. In the past, most recommendations for password security revolved around making sure your password wasn’t something predictable, such as “password” or your birthday. With today’s (and tomorrows) GPUs, this may no longer be enough.

Although the article never mentions them by name, the newest tools in password cracking are based around two tools, nVidia’s CUDA and AMD’s Stream SDKs. These tools allow programs to be written in C that can be broken up and utilize the parallel nature of the hardware that is usually optimized for graphics. GPUs are much better at large-scale mathematical operations than CPUs because of this parallel layout. Chances are, if you have a somewhat recent graphics card, it is probably compatible with either CUDA or Stream, and if you already know C, you have all the tools necessary to get started.

The lesson to learn here, the longer or more complex a password is, generally the safer it is. Because of this, a number of tools, both software and hardware, may become more and more popular, or necessary, to accommodate this need.

This little box remembers all of your user names and passwords. Inside you’ll find an Atmel AT89S5131 microcontroller which has built-in USB capability. When the box is plugged into a USB port it identifies as a keyboard. Manipulating the buttons on the top and side will select and print out various stored usernames and passwords. Passwords are generated on-chip from a random seed and the device itself requires a passcode after power up as a security feature.

[SigFLUP's] included a pretty nifty configuration algorithm. It doesn’t rely on a terminal connection, since the device is a keyboard you can communicate with it in an editor window (which should make it platform independent). There’s no code available, but trying to write your own to the spec outlined in the demo after the break will make for a fun weekend project.

(We almost made it to the end of the post WITHOUT saying “Setec Astronomy“)

Irongeek.com is hosting an online class on password exploitation. The event was a fundraiser called ShoeCon, but they are hosting the entire series for everyone to share. Not only are the videos there, but you can download the powerpoint slides as well. There is a massive amount of information here on various topics like Hashcat, OCLHashcat, Cain, SAMDump2, Nir’s Password Recovery Tools, Password Renew, Backtrack 4 R1, UBCD4Win. There’s so much info, they split it into 3 sections. The videos are fairly long, between 1 and 2.5 hours each. What might surprise people is the amount of time that google is actually one of the main tools.

These videos can be a fantastic resource for hobby hackers, IT admins, and security professionals.

We’ve seen some ways to bypass biometric security measures but here’s a new offering that we think will be hard to fool. The Safelock system is used in conjunction with a password to identify a specific user. This software records your typing style including the time between keystrokes, the time keys are held, and key pressure data. This information is then normalized and compared to the information stored about the user when the password was originally set. If you don’t fall within specifications that match the stored data, you won’t get in even with the right password.

The icing on the cake is that Safelock will look for malicious users. If you enter the wrong password, it will begin to record and analyze your typing style. If you make enough incorrect attempts you will be labeled as a security threat and locked out of the system altogether. We can only think of one reliable way to circumvent this and that’s using a man-in-the-middle method of recording the keyboard inputs of the legitimate user for playback later.

This is an innovative user identification system and we’re not the only ones that think so. [Jeff Allen] and [John Howard], students at SMU won first prize for the Student Innovation Contest at the 2009 User Interface Software and Technology Symposium.

Did you forget your hardware-based password and now you’re locked out? If it’s an IBM ThinkPad you may be in luck but it involves a bit more than just removing the backup battery. SoDoItYourself has an article detailing the retrieval of password data from an EEPROM.

The process is a fun one. Disassemble your laptop. Build a serial interface and solder it to the EEPROM chip where the password is stored. Connect this interface to a second computer and use it to dump the data into a file. Download a special program to decipher the dump file and dig through the hex code looking for something that resembles the password. Reassemble your laptop and hope that it worked.

We know that most people won’t be in a position to need a ThinkPad administrator password, but there must be other situations in which reading data off of an EEPROM comes in handy. What have you used this method for?

As far as password recovery utilities go, Cain & Abel is by far one of the best out there. It’s designed to run on Microsoft Windows 2000/XP/Vista but has methods to recover passwords for other systems. It is able to find passwords in the local cache, decode scrambled passwords, find wireless network keys or use brute-force and dictionary attacks. For recovering passwords on other systems Cain & Abel has the ability to sniff the local network for passwords transmitted via HTTP/HTTPS, POP3, IMAP, SMTP and much more. We think it is quite possibly one of the best utilities to have as a system administrator, and definitely a must have for your toolbox.

It’s great in this day and age that browsers can remember our passwords for us, allowing us cross-site security without the hassle of memorizing a million different random passwords. It’s great, that is, until we forget our master password. Fret not, though; there is a solution. The folks over at Lifehacker show us how to use FireMaster to recover forgotten or misplaced Firefox master passwords. Perhaps a better solution is to just store those tricky passwords where nobody will find them.