Passwords remain a ubiquitous method for securing access to systems and applications across the digital world. However, their effectiveness relies heavily on using strong passwords and robust storage mechanisms to protect against unauthorized access attempts. Attackers frequently try to crack passwords through techniques like brute-force guessing, exploiting common patterns, using dictionary words, or leveraging leaked password databases.

To counter such attacks, modern systems employ secure password hashing algorithms like sha512crypt that make reversing the hash computationally expensive. But with enough computing power, motivated attackers can still attempt to brute-force crack passwords in a reasonable time.

In a novel research effort, a team from California State University, Fullerton has proposed harnessing the massively parallel capabilities of Field-Programmable Gate Arrays (FPGAs) to accelerate password cracking against the widely-used sha512crypt algorithm on Linux systems.

Their approach centers around designing a custom hardware module that efficiently executes the sha512crypt algorithm, which involves repeatedly hashing the password and salt through thousands of rounds. By instantiating multiple instances of this module on the reconfigurable fabric of a single FPGA chip, they can exploit parallelism to boost the overall cracking performance.

Using high-level synthesis with C++ and the Zynq Z-7020 CPU-FPGA hybrid chip from Xilinx, the researchers implemented up to two sha512crypt modules on the FPGA portion. They compared the cracking speed in terms of passwords/second against highly optimized single-threaded implementations running on top-of-the-line CPUs like AMD's Ryzen 9 5900X and Apple's M1 Max.

The results showed that while the CPUs outperformed the dual sha512crypt module implementation on the modest Zynq FPGA, the researchers projected very promising performance gains by scaling to larger modern FPGAs. Based on the linear scaling observed with two parallel modules, they estimated that an FPGA accommodating 8 sha512crypt modules could outperform both the CPUs in cracking 10-character passwords. Moreover, with 15 parallel modules, the projected cracking speed was over twice as fast as either CPU.

The key advantage of the FPGA-based approach lies in the flexibility to instantiate custom parallel hardware modules tailored for the target algorithm. Traditional CPUs, on the other hand, are limited by the number of cores offered by manufacturers and can face performance bottlenecks from operating system overhead and resource sharing among concurrent processes.

While these initial results are encouraging, the researchers have outlined several future goals to further explore and optimize this FPGA-accelerated password cracking approach. These include optimizing the module design and layout to improve timing and fit more instances on larger FPGAs, moving the password guessing logic to the FPGA to eliminate CPU bottlenecks, and extending the approach to other secure password hashing schemes like bcrypt and scrypt.

They plan to target the Kintex Ultrascale+ KCU116 FPGA board, which could potentially accommodate around 12 or more sha512crypt modules based on their resource estimation, enabling empirical validation of the projected performance gains. Comparisons against parallel multi-threaded CPU and GPU-accelerated implementations are also on the roadmap.

This work underscores the potential of leveraging parallel hardware architectures like FPGAs for cybersecurity applications involving computationally intensive tasks like password cracking. While such capabilities could empower attackers to mount more powerful brute-force attempts, they can also benefit defenders looking to proactively identify and mitigate weak passwords within their systems.

As cybersecurity threats continue to evolve, exploring innovative hardware acceleration techniques could pave the way for more robust defensive mechanisms and a deeper understanding of the practical limits of widely-used cryptographic primitives and protocols.