Scientists claim GPUs make passwords worthless

By Stewart Mitchell

Posted on 13 Aug 2010 at 16:01

As high-end graphics processing units become increasingly widespread, basic passwords are no longer enough protection, say scientists.

The warning comes at a time when GPUs are increasingly used to calculate problems rather than simply process fast-moving graphics for computer games.

"We've been using a commonly available graphics processor to test the integrity of typical passwords," said Richard Boyd, a senior research scientist at the Georgia Tech Research Institute. "Right now we can confidently say that a seven-character password is hopelessly inadequate - and as GPU power continues to go up every year, the threat will increase."

According to the researchers, high-end GPUs can process information at nearly two teraflops - or two trillion floating-point operations per second - a figure that would have been unheard of in a personal computer a decade ago.

Back in 2000, the world's fastest supercomputer, a cluster of linked machines costing $110 million, reached its performance peak at just over seven teraflops.

The researchers say GPUs are quick at code cracking because they are designed as parallel computers, with different cores of the processor working on several problems at once.

Brute force

When Nvidia released a software development kit for its graphics cards, the company provided the tools for programmers to write directly to the GPU using C, bringing a host of new capabilities, including brute force attacks on passwords.

According to Georgia Tech research scientist Joshua Davis, brute force attacks no longer take a long time, especially if they involve short words consisting of lower case letters.

"Length is a major factor in protecting against brute forcing a password," Davis explained. "A computer keyboard contains 95 characters, and every time you add another character, your protection goes up exponentially, by 95 times."

Stronger passwords

Commercial operators in the security sector confirmed the Georgia Tech research, with some calling for so-called "strong authentication" that combines a user's login details with a one-time password generated on a hardware device, such as a mobile phone.

"Lots of people think that they have a solid password - over 12 characters long, including a combination of letters, numbers and cases to increase their strength," said Christian Brindley, a technical manager with VeriSign Authentication. "However, passwords are simply not enough to protect sensitive information on their own.

"One method that has been proven to work is strong authentication, by a device such as a plastic token, credit card style device or even a mobile application," he said. "Once a second factor of authentication is introduced, the risk of account sharing and hacking of password reset tools is all but removed at source."

User comments

The obvious answer is to ensure that login processes build in a delay between attempted logins. A delay of 1 second would not cause any problem to a genuine user, but would make a brute force attack unfeasible, regardless of processing power.

By dgpeel on 13 Aug 2010

@dgpeel - yes, and few systems will let you enter millions of password attempts before locking you out, if you're attempting to break in from an external location. The problem is when an attacker has access to the hashed keychain stored internally. Hashing is like a one-way encryption system - there is no way back from the hashed value to the original password, so it is considered a secure way to verify passwords - store the hash value, then when the password is entered, work out the hash value for the entered password and compare the two. If an attacker can get hold of the hashed password, and has enough processing power available to try a large number of passwords (brute force - and this is where GPUs come in), then he can guess your password and break in. Databases of hashed passwords are used for user verification by many, many websites (it's pretty much de facto), and they can and do get compromised. Worse, since many users use the same password for lots of systems, if an attacker breaches one database and reconstructs passwords by brute force, he may very well also be able to access accounts with other, non-compromised sites.

By flyingbadger on 13 Aug 2010
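An added illustration, not code from the article or from any commenter, of the two points above: the 95-character keyspace arithmetic Davis quotes, and the store-the-hash-then-compare verification flyingbadger describes. The salt, the iterated PBKDF2 derivation and the 200,000-iteration work factor are assumptions added here; they are what raises the cost of each guess an attacker has to make against a stolen hash.

```python
import hashlib
import hmac
import os

ALPHABET_SIZE = 95      # keyboard characters, as quoted in the article
ITERATIONS = 200_000    # assumed KDF work factor; tune to the server's hardware

def keyspace(length, alphabet=ALPHABET_SIZE):
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet ** length

def seconds_to_exhaust(length, guesses_per_second, alphabet=ALPHABET_SIZE):
    """Worst-case time to try the whole keyspace at an assumed guess rate."""
    return keyspace(length, alphabet) / guesses_per_second

def store_password(password, salt=None):
    """Return (salt, derived_key) to keep in the user database instead of the
    password. The salt defeats precomputed tables; the iteration count makes
    each guess cost ITERATIONS hashes instead of one."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key

def verify_password(candidate, salt, stored_key):
    """Recompute the derived key for the entered password and compare it in
    constant time: the hash-and-compare check the comment describes."""
    key = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS)
    return hmac.compare_digest(key, stored_key)

if __name__ == "__main__":
    for n in (7, 8, 12):
        print(f"{n} chars: {keyspace(n):.3e} candidates, "
              f"{seconds_to_exhaust(n, 10**9) / 86400:.1f} days at 1e9 guesses/s")
    salt, key = store_password("correct horse")
    print(verify_password("correct horse", salt, key),
          verify_password("wrong", salt, key))
```

Each extra character multiplies the keyspace by 95, as the article says; the KDF iteration count multiplies the attacker's cost per candidate on top of that.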

Not an issue

As flyingbadger says, a hacker needs to copy the password database to crack it. On modern Unix or Windows servers, this requires administrative privilege - which would typically give a hacker free rein already, and let them log passwords no matter how complex they are.
A regular CPU is sufficient to guess some passwords in a few seconds, more in minutes and perhaps 30% in a few days. Using a GPU array would admittedly speed this up even more.
The solution here is not to move to absurdly long passwords that no-one can type correctly, but to eliminate the "idiot" passwords like "12345" and "changeme", and keep systems patched so that hackers cannot get root.

By adaviel on 14 Aug 2010

Yes it's an issue

@adaviel
One does not need to compromise the system and yet would be able - using a plethora of available packet sniffers - to obtain the hashed password transmitted over the network (wired or not). A GPU will indeed come in very handy in brute forcing the password and gaining access to the network.

By stasi47 on 14 Aug 2010

Multiple users...

For most (on-line) hacking of accounts, they will first get a list of valid user names (or generate a list of possible names), then try each password against each account, kicking out a list of those that are cracked.

By the time the next password comes around for the first account, several seconds or minutes have gone by, so timeouts and lockouts are less likely.

By big_D on 16 Aug 2010
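An added example, not from the article or big_D's comment, of detection logic for the pattern just described: a per-account lockout counter never trips when each account sees only one failure, so this counts distinct accounts failed against per source instead. The log format, the sample lines and the threshold of five accounts within five minutes are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the article): one source fails once
# against six different accounts; a second source fails once, then succeeds.
SAMPLE_LOG = """\
2010-08-16T09:00:01 src=203.0.113.7 user=alice result=FAIL
2010-08-16T09:00:03 src=203.0.113.7 user=bob result=FAIL
2010-08-16T09:00:05 src=203.0.113.7 user=carol result=FAIL
2010-08-16T09:00:07 src=203.0.113.7 user=dave result=FAIL
2010-08-16T09:00:09 src=203.0.113.7 user=erin result=FAIL
2010-08-16T09:00:11 src=203.0.113.7 user=frank result=FAIL
2010-08-16T09:01:00 src=198.51.100.9 user=alice result=FAIL
2010-08-16T09:01:30 src=198.51.100.9 user=alice result=OK
"""

def parse_line(line):
    """Split 'timestamp key=value ...' into (datetime, src, user, result)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields["src"], fields["user"], fields["result"]

def max_failures_per_account(log_text):
    """What a per-account lockout counter sees: the busiest account's failures."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        _, _, user, result = parse_line(line)
        if result == "FAIL":
            counts[user] += 1
    return max(counts.values(), default=0)

def find_spraying_sources(log_text, window=timedelta(minutes=5), min_accounts=5):
    """Return {src: accounts} for sources whose failures touched at least
    min_accounts distinct accounts inside one sliding window (assumed thresholds)."""
    failures = defaultdict(list)  # src -> [(timestamp, user)]
    for line in log_text.splitlines():
        ts, src, user, result = parse_line(line)
        if result == "FAIL":
            failures[src].append((ts, user))
    flagged = {}
    for src, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_accounts:
                flagged[src] = users
                break
    return flagged
```

On the sample, no account fails more than twice, so a lockout threshold of three never fires, while the per-source view flags 203.0.113.7 immediately.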

Creating and remembering unique and complex passwords is not hard!

I worked in IT support earlier and I've seen it all. We had a nice password tutorial though at the helpdesk, which many of our clients appreciated.

Here is a tutorial on how to set up unique and complex passwords for each place you log in, and also be able to remember them all:

http://ht.ly/2r1nK

By torkil on 18 Aug 2010

Web browser passwords...

When you set the web browser to remember your passwords, and then protect the lot with a 'master' password - that would be my first target of attack.

By poglad on 20 Aug 2010

PCPro-Computing in the Real World Printed from www.pcpro.co.uk