heise Security 06 December 2012
At the Passwords^12 conference, Jeremi Gosney presented a GPU cluster that enabled him to check 180 billion MD5 hashes per second. With SHA1, Gosney still managed to check an impressive 63 billion hashes per second. More elaborate hashing algorithms can withstand such (brute force) attacks much better: Bcrypt and Sha512crypt only allowed the researcher to check 71,000 and 364,000 combinations per second.
Gosney achieved peak values with LM and NTLM hashes, which are used for authentication on old Windows versions and are also supported on Windows 8 and Windows Server 2012 systems to maintain backwards compatibility. At 348 billion NTLM combinations per second, a password of 8 characters can be cracked in under 6 hours. With the weaker LM hashes from the days of Windows NT, a rate of 20 billion combinations per second means that a strong 14-character password takes just 6 minutes to crack.
http://www.h-online.com/security/news/item/Password-cracking-in-record-time-with-giant-GPU-cluster-1763322.html
