A 25-GPU Monster Cracks Passwords in OpenCL

25 Radeon GPUs to Crack Password in OpenCL

The researcher and password cracker @epixoip has demonstrated password cracking on 25 Radeon GPUs driven through OpenCL. To control all the GPUs, a technology called Virtual OpenCL (VCL) was used. VCL makes remote GPUs on a LAN appear as if they were local and is based on OpenCL 1.1. The password cracking tool is a modified version of oclHashCat.


The cluster that was used to crack the passwords is made up of four 4U servers:

  • one server with 10X Radeon HD 7970 (total: 10 GPUs)
  • one server with 4X Radeon HD 5970 (total: 8 GPUs)
  • one server with 3X Radeon HD 6990 (total: 6 GPUs)
  • one server with 1X Radeon HD 5870 (total: 1 GPU)

This cluster can process 348 billion NTLM password hashes per second and can break any 8-character password (95^8 combinations) in 5.5 hours.


LM is what is used on Win XP, and LM converts all lowercase chars to uppercase, is at most 14 chars long, and splits the password into two 7 char strings before hashing — so we only have to crack 69^7 combinations at most for LM. At 20 G/s we can get through that in about 6 minutes. With 348 billion NTLM per second, this means we could rip through any 8 character password (95^8 combinations) in 5.5 hours.
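The LM preprocessing and keyspace arithmetic described above, as an added example (not code from the presentation or from oclHashCat). It goes slightly beyond the quoted figures by also computing the NTLM length needed to outlast a chosen time budget; the function names and sample passwords are constructed for illustration, and the rates and the 69-character LM alphabet are the article's own numbers.

```python
import math

NTLM_RATE = 348e9   # hashes/second, cluster figure quoted in the article
LM_RATE = 20e9      # hashes/second, LM figure quoted in the article
PRINTABLE = 95      # printable ASCII characters (the 95^8 keyspace)
LM_ALPHABET = 69    # character count the article uses for LM after uppercasing


def lm_halves(password):
    """Apply the LM preprocessing described above: uppercase, cap at 14
    characters, NUL-pad, then split into two independent 7-character halves."""
    padded = password.upper()[:14].ljust(14, "\0")
    return padded[:7], padded[7:]


def exhaust_seconds(alphabet, length, rate):
    """Worst-case time to try every candidate of exactly `length` characters."""
    return alphabet ** length / rate


def min_length(alphabet, rate, seconds):
    """Shortest length whose full keyspace takes at least `seconds` at `rate`."""
    return math.ceil(math.log(rate * seconds) / math.log(alphabet))


def lm_effective_bits():
    """Search effort for any LM password: the halves are hashed separately,
    so the work is bounded by one 7-character keyspace, not a 14-character one."""
    return math.log2(LM_ALPHABET ** 7)


if __name__ == "__main__":
    # Constructed sample passwords: case is discarded and each half stands alone.
    print(lm_halves("CorrectHorse12"), lm_halves("correcthorse12"))
    print("LM, one 7-char half: %.1f min"
          % (exhaust_seconds(LM_ALPHABET, 7, LM_RATE) / 60))
    print("LM effective strength: %.1f bits" % lm_effective_bits())
    for n in range(8, 13):
        hours = exhaust_seconds(PRINTABLE, n, NTLM_RATE) / 3600
        print("NTLM, %2d chars: %.3g hours" % (n, hours))
    century = 100 * 365 * 24 * 3600
    print("NTLM length needing >= 100 years at this rate:",
          min_length(PRINTABLE, NTLM_RATE, century))
```

Each extra character multiplies the NTLM exhaustion time by 95, which is why the table grows from hours to centuries within a few lengths, while LM stays capped at the 7-character cost no matter how long the password is.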

You can download the complete presentation of Virtual OpenCL + password cracking here:
Download Password cracking Virtual OpenCL (PDF)



  • Promilus

    “Somebody doing useless job”
    Well, unlocking SL3 locked phones is quite profitable. So is cracking rar passwords.
    There is market demand for such things so I would not call it useless.

  • LBX

    @ANDROID, We use passwords for almost anything on a daily basis, and you just think it’s useless to analyze how secure they are?

  • I thought he meant that does the world really need more stuff that can be used for stealing shit?

    Sorry, but i don’t buy the “i forgot my 10 char password and now i can’t access my grandma’s kitty videos so please help me to crack this .rar” stories…

  • *think he meant

    (In before the grammar nazis :) )

  • Promilus

    “I thought he meant that does the world really need more stuff that can be used for stealing shit?”
    Stealing? So I guess main purpose of Office Password Recovery, Archive Password Recovery, Elcomsoft Wireless Security Auditor etc. etc. is theft? Oh wait. It isn’t. Those tools are used by large corporations and medium business but hey, who am I to argue with u.

  • samsi

    so how many hours does it need to crack my 36 chars password?

  • Promilus

    “so how many hours does it need to crack my 36 chars password”
    way too many.

  • shastar

    “so how many hours does it need to crack my 36 chars password”

    Depends on what characters you use in your password. If you have “aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa”, you can crack it easily with a Nintendo 8-bit.

  • Juan

    Actually, cRARk only supports 28-chars passwords.
    but with only $a = [a] $a * .def
    HD7970 does 28 “a” char.passwords in 0.51 seconds.
    with $a = [abcdefghijklmnopqrstuvwxyz] takes a bit longer, but in 1min gets into 5-char password territory, with $a $A $1 $! * takes >2 hours to get into the 5-chars.territory.

  • Juan

    this 25-GPU monster is a “home made monster”, imagine what the US government could have hidden… with unlimited budget, a 500K GPU monster. in 1991 the NSA had a 256 node parallel processing computer, in 1993 had 512 nodes, was retired on 1997, & now is on display at the National Cryptologic Museum.

  • Promilus: who am i to argue with u? Good question as neither of us give a f*** about who’s the other dude, right? Luckily, it’s not the point of this site anyway.

    Btw i’m working at one of those large corporations and for securing data we use PKI keycards and stuff, so good luck cracking those with brute force password recovery tools. Tools like this are good for cracking archive files and private mailboxes, nothing else. Ergo i still prefer calling it a RIPOFF.

  • steve

    Smaks that password rar files content that do not own and then post commercial links with it in order to get password should be shot !!! They can password their own ”Johnson” in order never to have sex again !!!! I myself use 30 or more character passwords and now crack it if you can but this is simple protection one can use strong password encryption that is unbreakable ! The only way to crack it is to steal the password physically from user. So this is solution for weak passwords protection hack for strongest ones one may use several cray’s or similar like NSA does !