GPU Crackers make Seven Character Passwords Inadequate

That’s the news from the Georgia Tech Research Institute. Using the power of a graphics video card processor (GPU) to crack passwords is not new news. But with the speeds that the GPU’s are reaching, they now have the ability to easily brute force up to seven character passwords.

According to the GTRI case study, “We’ve been using a commonly available graphics processor to test the integrity of typical passwords of the kind in use here at Georgia Tech and many other places,” said Richard Boyd, a senior research scientist at the Georgia Tech Research Institute (GTRI).

“Right now we can confidently say that a seven-character password is hopelessly inadequate – and as GPU power continues to go up every year, the threat will increase.”

So, how fast have Graphic Processors become? Today’s graphic cards can run at speeds approaching 2 Teraflops! Teraflops are used to measure processing speed. A teraflop is one trillion floating point operations per second. To put that speed in prospective, the fastest super-computer in the year 2000 could run at 7 Teraflops. And it was a $110 million dollar monster of linked computers. Now imagine all of that speed leveraged into brute forcing passwords. This is exactly what can be done with password cracking software based on the GPU.

How long should passwords be? According to the case study, “any password shorter than 12 characters could be vulnerable – if not now, soon.”

So, what do we do? According to an article on GCN, the best defense against this is to use sentences for your passwords. I whole heartedly agree and actually use this for my own personal passwords. Take something that means something to you and make a password out of it. Throw in a few special characters for added safety. For example:

MyV0lksw@genIsTheF@stestC@r!   (Don’t even try this on my systems, I am a MOPAR nut)

It is easy to remember because it means something to you. It is complex because it uses upper and lower case letters, symbols, a number and is very long.

GPUs will become faster as time goes on, so the time of using passwords alone to protect your systems may be at an end. The GCN article recommends using a two part system for authentication. “Agencies have gradually been moving toward two-factor authentication systems, which take some of the pressure off of passwords. As the processing units available to attackers become increasingly powerful, two-factor systems could become even more necessary.”

The upcoming Windows 8 is supposed to have facial recognition built it. According to Windows8News, the feature will be called “My PC  Knows Me”.  The feature will provide enhanced login security, including facial recognition augmented with password or fingerprint authentication. The PC will also be able to detect when the user walks away and automatically place the computer into sleep mode.

Very amazing indeed, but I will not be impressed until the computer can detect your face, change your status to “busy”, pull up the latest news you like and automatically make your favorite cup of coffee.     🙂 

Want to know more? Check out these newer articles:

Cracking 14 Character Complex Passwords in 5 Seconds
No need to crack complex 20 character passwords, Just pass them

21 thoughts on “GPU Crackers make Seven Character Passwords Inadequate”

  1. Yes, I believe so.

    I have even seen one financial company have you choose a favorite picture when you sign up. Then when you go to login, it asks you to pick your picture out of several random ones after you put in your password. I thought that was a good idea.

    1. All right Bro, I did some digging. I found a spreadsheet at ABS-Comptech that contains a password complexity calculator.

      Basically, a 7 Character complex password has 65,545,047,155,424 possibilites.

      I found that Elcomsoft (A Russian Software Company) offers GPU cracking software. According to the chart listed there, my Nvidia card (It’s a few years old) can crack about 349 million passwords a second. If my math is right it would take about two days. Newer cards are more than three times as fast as mine. If you have multiple video cards in SLA mode, it scales to use them all, significantly reducing the crack time. Also, the software can scale to use several machines. Wow.

      Here is the kicker, I forgot about a company called Objectif Sécurité from a post back in March that uses SD drives to crack passwords and they claim to be 100 times faster at cracking passwords than Elcomsoft. They offer a free web portal to their software that claims to be able to crack an XP password Hash that uses up to 14 characters in length in a few seconds.

      Scary indeed…

  2. oh man! thanx for looking that up for
    me! the guy im interning for wanted to know.

    i had a
    NetSec instructor who told me not to remember “passwords”. he siad to remembe “pass-phrases”, like, “TheC0wJumPed0verTheM00n”….

    1. No problem man, any time!

      Bro, one network engineer that I used to work with was fanatical about long passwords. He would use like 64 letter passwords on routers and admin accounts. He would just make up a goofy sentence that used that many letters so he wouldn’t forget it.

      It was a pain though when he wasn’t around you had to work on a server or router that he set up. You would be on the phone with him for 15-20 minutes just trying to get the password typed in right! 🙂

    1. I visited your site, it looks like it has some good information on building PC’s, video cards and chipsets.
      I must admit that I had to use Google Translate to read your page.
      My Great-Great-Grandfather was sent to the US from Germany as a War orphan after WWI. I have always wanted to learn German, I guess it is never to late to start! 🙂

      Thanks for visiting!
      D. Dieterle

    1. Interesting idea, I do have two problems with this technology though Matt.

      One, I can foresee that a lot of people will not want to give out their phone numbers to websites. Personally, I never give out my phone number, except on very rare occasions.

      Second, I use a VOIP phone for my main number. From the video it looks like VOIP phones may be blocked.

      Thanks for the heads up!


  3. Pingback: Anonymous
    1. Thank you for the comment indupal, many companies are moving from single authentication methods, like just using passwords, to dual or multiple authentication procedures.

      This usually entails a combination of security methods which could be passwords and biometrics, smart cards, usb keys or bluetooth authentication.

      In this case, if someone does crack your password, they would also have to work around your other authentication methods, which makes it much more difficult to gain access.

    1. Absolutely Vijay, and to think that you can use the power of the cloud to crack passwords – clusters of powerful machines with multiple high end cards – security may soon change very drastically.

      Thanks for visiting!


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.