GPU Crackers make Seven Character Passwords Inadequate

That’s the news from the Georgia Tech Research Institute. Using the power of a graphics video card processor (GPU) to crack passwords is not new news. But with the speeds that the GPU’s are reaching, they now have the ability to easily brute force up to seven character passwords.

According to the GTRI case study, “We’ve been using a commonly available graphics processor to test the integrity of typical passwords of the kind in use here at Georgia Tech and many other places,” said Richard Boyd, a senior research scientist at the Georgia Tech Research Institute (GTRI).

“Right now we can confidently say that a seven-character password is hopelessly inadequate – and as GPU power continues to go up every year, the threat will increase.”

So, how fast have Graphic Processors become? Today’s graphic cards can run at speeds approaching 2 Teraflops! Teraflops are used to measure processing speed. A teraflop is one trillion floating point operations per second. To put that speed in prospective, the fastest super-computer in the year 2000 could run at 7 Teraflops. And it was a $110 million dollar monster of linked computers. Now imagine all of that speed leveraged into brute forcing passwords. This is exactly what can be done with password cracking software based on the GPU.

How long should passwords be? According to the case study, “any password shorter than 12 characters could be vulnerable – if not now, soon.”

So, what do we do? According to an article on GCN, the best defense against this is to use sentences for your passwords. I whole heartedly agree and actually use this for my own personal passwords. Take something that means something to you and make a password out of it. Throw in a few special characters for added safety. For example:

MyV0lksw@genIsTheF@stestC@r!   (Don’t even try this on my systems, I am a MOPAR nut)

It is easy to remember because it means something to you. It is complex because it uses upper and lower case letters, symbols, a number and is very long.

GPUs will become faster as time goes on, so the time of using passwords alone to protect your systems may be at an end. The GCN article recommends using a two part system for authentication. “Agencies have gradually been moving toward two-factor authentication systems, which take some of the pressure off of passwords. As the processing units available to attackers become increasingly powerful, two-factor systems could become even more necessary.”

The upcoming Windows 8 is supposed to have facial recognition built it. According to Windows8News, the feature will be called “My PC  Knows Me”.  The feature will provide enhanced login security, including facial recognition augmented with password or fingerprint authentication. The PC will also be able to detect when the user walks away and automatically place the computer into sleep mode.

Very amazing indeed, but I will not be impressed until the computer can detect your face, change your status to “busy”, pull up the latest news you like and automatically make your favorite cup of coffee.     🙂 

Want to know more? Check out these newer articles:

Cracking 14 Character Complex Passwords in 5 Seconds
No need to crack complex 20 character passwords, Just pass them