
Powerful Graphics Cards Render Passwords Vulnerable

Graphics cards could be used as virtual battering rams to crack the majority of passwords thanks to their incredible parallel processing ability, a team of researchers has claimed.

A group of Georgia Tech researchers has stated that graphics cards now have so much power that they can be used to recover many common passwords by plain brute force, trying every possible combination in turn, which could become a serious security issue in the near future.

"Right now we can confidently say that a seven-character password is hopelessly inadequate - and as GPU power continues to go up every year, the threat will increase," Richard Boyd, a senior research scientist at the Georgia Tech Research Institute has claimed.

Increasingly, GPUs are not just being used for gaming, but also for High Performance Computing (HPC), where huge amounts of data need to be processed in parallel – something that graphics cards are very good at doing.

Since nVidia released its CUDA programming platform, and ATI followed up with Stream, it has been possible to write code that runs directly on the GPU, making full use of the trillions of floating-point operations per second that modern graphics cards can deliver. A GPU runs the same small routine on hundreds of stream cores at once, which is ideal for brute-force password cracking: each core hashes a different candidate and compares the result with a captured password hash, so the card can be programmed simply to try one combination after another until one matches.

Easy-to-remember, lower-case passwords will be the first to tumble, claims Joshua L. Davis, a research scientist working on the project.

"Length is a major factor in protecting against brute forcing a password," Davis said. "A computer keyboard contains 95 characters, and every time you add another character, your protection goes up exponentially, by 95 times."

Adding length, upper-case letters, numbers and even symbols will therefore help protect your password, because each one enlarges the space an attacker has to search. With password-cracking tools freely available online, and relatively inexpensive GPU hardware to run them on, it makes sense to start upping those defences now.
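As an added illustration, not code from the original article or from the Georgia Tech researchers, the Python below does the arithmetic behind Davis's 95-to-the-power-of-length figure and runs the brute-force loop the article describes against a constructed MD5 hash. The guess rate used for the time estimates is an assumed, illustrative number rather than anything measured in the article, and MD5 is used only because it is fast, which is exactly what makes an unsalted fast hash cheap to attack. Note that this is an offline attack: it runs against a hash the attacker has already captured, not against a login form that can count failed attempts.

```python
"""Keyspace arithmetic and a minimal offline brute-force loop (added example)."""
import hashlib
import itertools
import string

# Character classes. PRINTABLE is the 95 printable ASCII characters a keyboard
# can produce, matching the figure quoted in the article.
LOWER = string.ascii_lowercase                                              # 26
LOWER_DIGITS = string.ascii_lowercase + string.digits                       # 36
PRINTABLE = string.ascii_letters + string.digits + string.punctuation + " "  # 95

# Assumed, illustrative attack speed: not a figure from the article.
ASSUMED_GUESSES_PER_SECOND = 1e9


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int,
                       guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate of this length at the given rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


def hash_password(password: str, algo: str = "md5") -> str:
    """Unsalted fast hash of a password. MD5 is used here only because it is fast,
    which is precisely what makes an unsalted fast hash cheap to brute-force."""
    return hashlib.new(algo, password.encode()).hexdigest()


def brute_force(target_hash: str, alphabet: str, max_len: int, algo: str = "md5"):
    """Offline attack: enumerate candidates shortest-first, hash each one and compare
    with a captured hash. Returns (password, attempts) or (None, attempts)."""
    attempts = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            attempts += 1
            candidate = "".join(combo)
            if hash_password(candidate, algo) == target_hash:
                return candidate, attempts
    return None, attempts


def length_growth(alphabet_size: int, lengths=(6, 7, 8)):
    """Rows of (length, keyspace, seconds at the assumed rate) showing how each
    extra character multiplies the search space by the alphabet size."""
    return [(n, keyspace(alphabet_size, n), seconds_to_exhaust(alphabet_size, n))
            for n in lengths]


if __name__ == "__main__":
    # Constructed sample: a captured hash of the 3-character lower-case password "zap".
    target = hash_password("zap")
    print("cracked:", brute_force(target, LOWER, max_len=4))
    for size, label in ((26, "lower-case only"), (95, "all 95 printable")):
        for n, space, secs in length_growth(size):
            print(f"{label:17} length {n}: {space:>22,} candidates, "
                  f"{secs / 3600:10.2f} hours at {ASSUMED_GUESSES_PER_SECOND:.0e}/s")
```

Run stand-alone, it recovers "zap" after fewer than 18,000 guesses, and the table it prints makes the article's point concrete: at the assumed rate, seven lower-case characters fall in about eight seconds, seven characters drawn from all 95 printable characters take roughly 19 hours, and an eighth character multiplies that by 95.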

Link: GPU Password cracking case study.

Kaurisol

August 16, 2010, 1:46 pm

While I agree with the thrust of the article - longer passwords that are a mix of upper/lower case, numerics and symbols - there are a couple of problems.

1. Not all password fields will allow symbols / special characters

2. If you have passwords that are too long then people tend to either forget them or standardise on a small set and use them everywhere (I know - I have).

Another option would be two part passwords - depending upon the nature of the password usage, although having to carry multiple dongles to generate numeric codes depending upon where you are can be a pain (particularly if multiple sites use the same dongle type!). Paypal seem to have a reasonable compromise where you receive a text with a time-restricted 2nd part to your password - and a means of bypassing it if you haven't got your phone with you.

Andrew Marshall

August 16, 2010, 2:48 pm

Interested in this story, I followed the link to the Georgia Tech website, only to find a departmental press release that is basically an expanded version of this article. It contains no links to any actual published research that might explain how a GPU can be used to generate rainbow tables significantly faster than, say, a cluster of CPUs. In summary, what is there here that's new?

Toukakoukan

August 16, 2010, 4:11 pm

Personally I think the computer industry is still suffering from 1980s password length limitations through our choice of the word passWORD rather than passPHRASE.

The longest word I know of is floccinaucinihilipilification, which is 29 chars and bloody hard to spell.

However, a phrase such as "Sally went to the shops to buy some milk." is 41 chars including spaces and /much/ easier to remember.

Geoff Richards

August 16, 2010, 4:26 pm

@Toukakoukan: you're right, and one technique is to use other characters to separate words in a passphrase. For example, it could be as simple as Sally1Went2To3The4Shops5To6Buy7Some8Milk (added caps for strength). If 1234567 is too obvious, some people introduce more randomness by using the numbers from a birth date, or even a telephone number.

I did read somewhere, however, that l33t-speak is not very strong at all, so using "p4ssw0rd" instead of "password" won't save your bacon.

Old Pedantry

August 16, 2010, 4:46 pm

There's something I'm clearly missing about this. If I enter a wrong password three times at work I am locked out from my account and I have to speak to someone to verify who I am and get it unlocked. Same is true of my online banking. Even my 12-year-old car has a radio with a 4-digit pin - get it wrong, and you have to wait 15 minutes. Get it wrong again and you have to wait half an hour, then an hour, and so on. I don't care if a GPU can whizz through zillions of password attempts if the *server side* security will prevent any more than three being tried. It might be a pain finding my account has been locked and having to verify myself, but the whizzy-whizzy-GPU-tech will *still* need more than a password to get access to my account. A "good enough" password is just as strong as it was before.

supamario

August 16, 2010, 5:31 pm

Hmm, I've never understood the danger brute force poses... Don't most systems (ones worth protecting anyway) block the user after 3 incorrect attempts?

Karl Buckland

August 16, 2010, 5:52 pm

@Geoff Richards - l33t-speak does help a fair bit, as you're including numbers and breaking out of using dictionary words.

Pass phrases are definitely a better way of doing things.

A great website to test the security of your password: http://howsecureismypasswor...

the near side

August 16, 2010, 5:58 pm

Using words makes it easier to crack passwords. Try using the first letters of a line in a song? Use mixed case, and then vary it a bit for different systems, by adding a couple of digits etc.

What about the Norton-style safe (there are other suppliers)?

RPJ

August 16, 2010, 6:06 pm

Some good suggestions here. Thanks.

It's often said that changing passwords regularly improves security but I've never seen a logical explanation why. Has it ever been proven?

kdot

August 16, 2010, 6:27 pm

Or just don't remember your password and use something like LastPass: letters, numbers, upper case, lower case, special characters and no repetition if you so wish, and you can go up to 32 chars (I think) with no worries.

Toukakoukan

August 16, 2010, 7:13 pm

Brute force is only really feasible if the hackers get access to the hashtables (the 'encrypted' version of your password as it's stored in the website's database).

But if they've got access to that then they can just use rainbow tables like Ophcrack which will allow standard computers to crack unsalted passwords up to 16 characters very easily.

It's certainly not unheard of for hackers to get access to these tables. While it's rare for high-profile sites that care about their security to become compromised, if you use the same password on all websites then all it takes is for one insecure website you signed up to on a whim to be compromised and then suddenly the hacker has your email account password!
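As an added example (written for this page, not the commenter's code), the Python below shows the unsalted-versus-salted distinction Toukakoukan is drawing. A hash-to-plaintext table precomputed once from a constructed wordlist finds a plain SHA-256 hash with a single dictionary lookup, which is the idea behind a rainbow table; a per-user random salt, here combined with PBKDF2-HMAC-SHA256 as a stand-in for whatever slow hash a site actually uses, gives the same password a different stored hash in every record, so the table never matches and the attacker has to redo the slow hashing for each user separately. The wordlist, passwords and iteration count are constructed for the demo and are not recommendations.

```python
"""Unsalted hash vs per-user salted hash against a precomputed table (added example)."""
import hashlib
import hmac
import os

# Constructed wordlist standing in for the dictionary behind a rainbow table.
WORDLIST = ["password", "letmein", "qwerty", "monkey", "sally went to the shops"]

# Iteration count is an illustrative choice for this demo, not a recommendation.
ITERATIONS = 100_000


def unsalted_hash(password: str) -> str:
    """What a site storing plain SHA-256 of the password keeps in its database."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup(words) -> dict:
    """Precompute hash -> plaintext once. Because there is no salt, the same table
    works against every user of every site that stores unsalted SHA-256."""
    return {unsalted_hash(w): w for w in words}


def lookup(table: dict, stored_hash: str):
    """The attacker's 'crack' against an unsalted hash: one dictionary lookup,
    no hashing at all."""
    return table.get(stored_hash)


def salted_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256: the random salt makes precomputation useless and the
    iteration count makes each individual guess expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def make_record(password: str) -> dict:
    """Store a fresh 16-byte random salt beside the hash; the salt is not secret."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "hash": salted_hash(password, salt)}


def verify(record: dict, attempt: str) -> bool:
    """Legitimate login check; compare_digest avoids leaking a timing signal."""
    salt = bytes.fromhex(record["salt"])
    return hmac.compare_digest(salted_hash(attempt, salt), record["hash"])


def crack_salted(record: dict, words) -> tuple:
    """The attacker's only option against a salted record: redo the slow hash per
    candidate, per user. Returns (plaintext or None, slow hashes computed)."""
    salt = bytes.fromhex(record["salt"])
    for i, w in enumerate(words, start=1):
        if salted_hash(w, salt) == record["hash"]:
            return w, i
    return None, len(words)


if __name__ == "__main__":
    table = build_lookup(WORDLIST)
    print("unsalted:", lookup(table, unsalted_hash("letmein")))           # found instantly
    alice, bob = make_record("letmein"), make_record("letmein")
    print("same password, different salted hashes:", alice["hash"] != bob["hash"])
    print("table against salted record:", lookup(table, alice["hash"]))  # None
    print("per-user dictionary run:", crack_salted(alice, WORDLIST))      # ('letmein', 2)
```

The last line of output is the caveat worth keeping in mind: a salt does not stop a dictionary attack on a weak password, it only removes the shortcut of a shared precomputed table and forces the attacker to pay the full cost of the slow hash for every candidate and every user.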

AJ

August 17, 2010, 1:40 pm

I'm in agreement that there is no panic and nothing has changed. As stated above, any site of any merit will always lock an account after 3 tries. Then you need it reset.

Obviously people do use the same password over and over (there are too many sites not to), but as long as they don't then use the same one for banking / anything important they will be fine.

The worst practice that I've seen, and this happens all the time on the net (even in 2010!) is that you sign up for an account and the system sends you an automated plain text email confirming your User Id and your Password !! That really p1sses me off.

I even had a reminder from someone like PhotoBox/Bucket the other day saying "You haven't logged in for ages here are your user_id and password in case you've forgotten them". OMG...!

Where this article does apply is if you have local files with passwords on them. Word, Excel, ZIP, etc. Those are so insecure now (to anyone who knows what they are doing) that passwords are merely there to stop the casual observer and offer no real security at all.

One last thing on security... I really wish that someone would build security into email clients. Something as simple as being able to select a contact in Outlook and specify a key for that user. All mail to that user would then be heavily encrypted using that key. I guess they don't do it because there's a few idiots out there that would use it to communicate things they shouldn't; but I'm assuming too that those people already know how to encrypt comms. It's like guns in the UK, all the bad guys have them and know how to get them; none of the good guys do....

kingosticks

August 20, 2010, 5:07 pm

I got the same reminder email from PhotoBox/Bucket, replied and told them what I thought and got a truly inspiring "sorry" back from them. Needless to say I closed my account and I hope you did too.
