GPUs democratize brute force password hacking
It seems that the availability of increasingly powerful GPUs, when combined with brute-force password cracking tools, is making it increasingly easy to crack passwords -- even if they're extremely well thought out, with symbols and quirky capitalization and all that. How short is too short? According to computer scientists at the Georgia Tech Research Institute, "a seven-character password is hopelessly inadequate, and as GPU power continues to go up every year, the threat will increase." A better alternative, they suggested, would be a 12-character combination of upper and lower case letters, symbols and digits. Of course, processors are only getting more powerful and hardware less expensive -- soon even seven-plus character passwords may become the digital equivalent of unlocked doors. And if that weren't bad enough, a recent study by an Internet security company called BitDefender has determined that some 250,000 user names, email addresses, and passwords used for social networking sites are freely available online -- and seventy-five percent of these folks use the same password for their email and social networking. So, when dreaming up fancy new twelve character passwords, make sure you're creating unique passwords for all your various accounts. It would be a shame if your Starsky & Hutch FanFicForum account left you vulnerable to identity theft.
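To put the "seven versus twelve characters" advice in numbers, here is an added example (not code from the Engadget article) that computes how the candidate space grows with length and alphabet, and contrasts an offline attack on a leaked hash with a throttled online login form. The guess rates, alphabet sizes and function names are my own assumptions for illustration.

```python
# Added example, not from the Engadget article: how the number of candidate
# passwords grows with length and alphabet, and what that means for an
# offline GPU attack on a leaked hash versus an online login form.
# The guess rates below are assumed round numbers chosen for illustration.

CHARSETS = {
    "digits only": 10,
    "lowercase letters": 26,
    "mixed case + digits": 62,
    "mixed case + digits + symbols": 94,  # printable ASCII without space
}

OFFLINE_GUESSES_PER_SEC = 5e9   # assumed GPU rate against a fast, unsalted hash
ONLINE_GUESSES_PER_SEC = 0.1    # assumed throttled login form: about 6 tries a minute


def keyspace(length: int, charset_size: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def seconds_to_exhaust(length: int, charset_size: int, guesses_per_sec: float) -> float:
    """Worst-case time to try every password of this length and alphabet."""
    return keyspace(length, charset_size) / guesses_per_sec


def human_duration(seconds: float) -> str:
    """Render a number of seconds in the largest unit that fits."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.3f} seconds"


def crack_times(length: int) -> dict:
    """Map each alphabet to (offline, online) exhaustive-search times in seconds."""
    return {name: (seconds_to_exhaust(length, n, OFFLINE_GUESSES_PER_SEC),
                   seconds_to_exhaust(length, n, ONLINE_GUESSES_PER_SEC))
            for name, n in CHARSETS.items()}


if __name__ == "__main__":
    for length in (6, 7, 12):
        print(f"\n{length}-character passwords")
        for name, (offline, online) in crack_times(length).items():
            print(f"  {name:32} offline: {human_duration(offline):>20}"
                  f"   online: {human_duration(online):>20}")
```

At the assumed rates a 7-character password over the full printable alphabet falls to an offline attack in a few hours, while a 12-character one takes millions of years; the online column shows why lockouts and throttling only help against guessing at the login form itself.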
@murraj2
Brute force attacks on passwords are usually performed by someone who has gained access to a hashed password file via some other exploit. The hacker attempts to detect the passwords in the hashed file by applying the hash algorithm repeatedly against various candidate passwords until a match with one of the values from the file is found. Typically there is no need for the hacker to make multiple attempts at authenticating against the actual server that is being attacked (since the hacker runs the hashing algorithm on his/her own hardware). Therefore, password lockouts do not really prevent this type of attack.
@murraj2
I figured it was for making rainbow tables or collisions after they got your hash, not for trying to login to facebook 10 trillion times.
@d0mth0ma5 Yeah, but password lockouts are the best solution. Maybe 5 times, maybe six times. Any sensible webservice (check Gmail, Google Docs, etc) will have a password lockout. Also, if it catches an IP going at a brute force technique, it'll probably block that IP.
@d0mth0ma5
So make it 5 seconds after 10 wrong attempts or even 100 wrong attempts. Or just make it 1 second per attempt. Either way you'll prevent a brute force of your password.
Besides, relying on a single factor of authentication is dead at this point. Much easier to get a trojan on your machine, at which point a 1024 character password that's full of upper case, lower case, letters, symbols and numbers is worthless.
@murraj2
Yeah, I can't think of a single online service that's going to let a user try guessing a password 5 times, much less thousands.
What does this actually apply to? Situations where someone has physical access?
@murraj2 True, the only escape is to be boring and poor.
@engadgethead WEP, WPA passwords. I've never seen a wireless network with a lockout mechanism. WPA doesn't even need to be actively pinged on. Just hang out until you capture someone logging in, then go home and crack at your leisure.
Isn't this just all the more reason to use biometrics, instead of archaic text passwords?
@Tpebop
How exactly do you propose I use that instead of online passwords?
If you mean having a local device to check who I am and tell the server, that won't solve anything because instead of cracking passwords they will just crack the encryption on the devices. In the end it's all 1s and 0s.
@Tpebop
Yes. I want to use eye-retina scans, fingerprint scans (make them easier to use guys -_-), or even that cool "screen the face" authentication in Windows 8.
@Tpebop
Good luck changing your biometrics if your security is compromised
The bad part about long, secure, complicated passwords is that they're easy to forget, and once you do so you've effectively performed a DOS attack on yourself.
I also don't really see the point of password managers since they depend on some master credential, which leaves the user at square 1 with a single point of failure for his entire security/identity.
Clearly a new security paradigm is necessary.
@LANjackal Blood? No, hospitals would make a fortune on Credit Card Fraud.
hunter2
@einhanderkiller:
So if I copy and paste that into this comment, it should show up as asterisks, right?
qwerty never fails!
Unnecessary fear spreading here. Who cares if your GPU can check 100,000 passwords per minute when a sensible password checkpoint will only allow a few tries per minute at best?
@acceptablerisk
Exactly. This makes no sense at all. It does make sense for encrypted files and partitions though, but I would assume anybody in their right mind would use a very complex password for encryption. 20-30 symbols at least.
@acceptablerisk It's not unnecessary at all. No one is really trying to brute force a website directly. They're usually just finding sites with exploitable software and dumping all of the user login information from their databases. For security the password is usually stored as a salted hash value. MD5 is a popular hashing algorithm. At one time this was considered to be a very secure system. Not anymore: an ATI 5970 can now brute force plain md5 hashes at a rate of over 5 billion hashes a second. Add the fact that most people use the same password everywhere and this can cause a lot of problems.
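As an added example (not code from the article or from this commenter), here is the storage side of what the comment describes: an unsalted MD5 table, where every user with the same password gets the same digest, beside a per-user salted PBKDF2 scheme that a site should use instead. The record format, iteration count and user list are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not from the article or any commenter. Shows why a dumped
# table of unsalted MD5 values is cheap to attack (identical passwords are
# visible, and one guess checks every user) and the alternative a defender
# should store: a random per-user salt plus a deliberately slow derivation.
# The record format and iteration count are my own choices for illustration.

ITERATIONS = 100_000  # assumed work factor; raise it until one check costs tens of ms


def unsalted_md5(password: str) -> str:
    """The weak scheme from the comment: same password -> same digest for every user."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' with a fresh random salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def shared_passwords_visible(stored_values: list) -> bool:
    """True if any two stored values collide, which unsalted schemes leak directly."""
    return len(set(stored_values)) < len(stored_values)


if __name__ == "__main__":
    # Constructed user table: two of the three users picked the same password.
    users = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}
    md5_dump = [unsalted_md5(p) for p in users.values()]
    salted_dump = [hash_password(p) for p in users.values()]
    print("duplicates visible in MD5 dump:   ", shared_passwords_visible(md5_dump))
    print("duplicates visible in salted dump:", shared_passwords_visible(salted_dump))
    print("alice logs in:", verify_password("hunter2", salted_dump[0]))
```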
Um... Am I the only one that noticed this?
"to go up every year, the threat will A better alternative, "
One sentence ran smack-dab in the middle of another one. Not trying to be a jerk or anything, but stuff like this makes the article harder to read and take seriously.
On Topic: Lanjackal is correct in the fact that long password, while secure, are more likely to be forgotten, screwing over the user. If you use a password that is easy to remember but short, it can be easily hacked.
Damned if you do and damned if you don't. Gotta love the digital age, right?
@GumbyX I think it's just a missing period. Put a period after "will" and it starts to make sense.
@popepeter No there was a missing word. It's been fixed.
".....to go up every year, the threat [B]will[\B] increase." A better alternative......"
@GumbyX ga... forget the bad attempt at bolding the font. Forgot Engadget doesn't allow for HTML formatting :P
There's a Starsky & Hutch fan-fiction forum!?
Hmmm... How are you going to brute force web resource password? After a couple of attempts you'll be locked out. But even if you are not, you only going to be able to try a couple a second at most. So, who cares if you have an ability to do a billion a second in theory?
For all your password needs:
https://www.grc.com/passwords.htm
@dicobalt - I always use www.justfuckinginventapasswordeveniwontremember.com
@dicobalt hes most likely recording every password generated, too. very secure!
Their GPU will do nothing against the safe in my basement filled with cash
@jebo4jc i guess u haven't heard about the 512 sp fermi
unless ur safe isn't made of uber steel then tough luck
@jebo4jc Pfft.. I just gotta take the fan off of my GPU and put it on your safe. Give it a couple of minutes of crysis, and it'll melt clean through... say bye bye to your cash!
Everyone knows that a 6 char password is useless anyway. Right guys?
I currently use Lastpass to generate 27 char passwords. A lot of sites won't accept passwords that long, and they don't say how many password chars is the max, so I just keep scaling them down and regenerating until it accepts it. I have found the average to be around 17 chars. So it's a little more secure than a six char password.
http://en.wikipedia.org/wiki/Order_of_magnitude
A lot of sites won't even let you use passwords 12 digits long.
@cptcrackers sites require a web request per password attempt, this is taking like 300ms in good cases. that's a few hundred thousand years for any good password of 6 chars.. no matter the power behind the machine.
it's only useful for local cracking
@zob Except that most hacking isn't done through actual websites. Often a hacker will gain control of a website through sql injection and dump a copy of everything, where they can start chipping away at MD5 hashes for your passwords.
@cptcrackers
The stupidest ones I've seen are the ones that force you to a specific number of characters. For example: eight, no more, no less.
Having (or being) an open id provider and using it only with a certificate "suddenly" doesn't seem like a bad idea.
This isn't news, just like rainbow table password cracking isn't. Pre-Vista windows passwords below 14 characters can be cracked almost instantly due to a weakness found too.
The issue isn't as big as described though; most passwords are for websites, which should be stopping more than say 3 wrong attempts, then you can't log in for a few minutes, then a few hours... windows can do this too. So that just leaves passwords for stuff like zip files.
http://www.passwordcard.org/ is a pretty cool idea.
This may be a really dumb question, but isn't the solution to brute force cracking to lock the account after three failed login attempts? You know, the way every single website does?
And - what is wrong with "3 tries and you're out" kind of thing - maybe with a "15 consecutive wrong tries in some given period - like a week or something - and you have to contact them to change password" etc, etc... for example.
I mean - brute force only works if you have unlimited attempts - even with the bestest GPU.
I've got three different passwords. One for my bank (which even if they got it, there's not a lot you can do on the website anyway other than move money around within my own accounts), one for my email, and one for all the random website accounts that I could care less if they got a hold of. "Oh no, you got access to my engadget profile! Now they can log in to all the other lame web blogs and message boards as me!"
Either you're not checking all combinations or that's BS. Upper+lower+numbers+symbols is at least 82 characters. 7^82/6200 is still slightly over a million hours.
@noisymime Isn't it 82^7?
I don't get it, does the GPU have to be on the system being forced?
==.=="
using GPU for cracking ain't new...
Passwords need to start being things other than just passwords. Like a password AND a captcha to sign in. That would stop that cold.
Increasing password length and complexity is not the answer
What happened to biometrics or retina eye scan for passwords? (either I read that in some computer magazine, or thinking movies will soon turn into real life)