On 02/04/2015 02:08 PM, Lamar Owen wrote:
>
> 3.) Attacker uses a large graphics card's GPU power, harnessed with
> CUDA or similar, to run millions of bruteforce attempts per second on
> the exfiltrated /etc/shadow, on their computer (not yours).
> 4.) After a few hours, attacker has your password (or at least a
> password that hashes to the same value as your password), after
> connecting to your system only once.

Oh, and the program to do this can be found very easily. It's called 'John the Ripper' and has GPU support available:

http://openwall.info/wiki/john/GPU
https://en.wikipedia.org/wiki/John_the_ripper

Again, the real bruteforce danger is when your /etc/shadow is exfiltrated by a security vulnerability of the type that allows arbitrary remote code execution or arbitrary file access. Once the attacker has your /etc/shadow, there is absolutely nothing you can do to keep said attacker from cracking your passwords at full speed. Well, nothing except the password strength itself.