Tuesday, 7 June 2011

How a cheap graphics card could crack your password in under a second | PC Pro blog

Posted on June 1st, 2011 by Jon Honeyball

How a cheap graphics card could crack your password in under a second-->

Increase the password to 6 characters (pYDbL6), and the CPU takes 1 hour 30 minutes versus only four seconds on the GPU. Go further to 7 characters (fh0GH5h), and the CPU would grind along for 4 days, versus a frankly worrying 17 minutes 30 seconds for the GPU.

Is an IT manager really going to manage to get the CFO to log in using “fR4; $sYu 29 @QwmQz” without the combination ending up on a Post-it note in his wallet?

Now, I cannot imagine anyone managing to mandate a nine-character, mixed-case, random-character password on an organisation. But if you did, and you weren’t hanging from a tree by the end of the first working day, the CPU would take 43 years versus 48 days for the GPU.

He then went on to add in mixed symbols to create “F6&B is” (there is a space in there). CPU will take 75 days, GPU will take 7 hours.

What does this tell us? well, the stark reality is that even long and complex passwords are now toast. If you think you were being wise by forcing users to have randomisation in their passwords, then think again. It is utterly futile.

Yes, you can force your users to have a 15-character password consisting of random numbers and letters, and throw in punctuation as well. This is great as an idea, but we know that most users think that a password like “Barry1943Manilow” where 1943 was the year he was born, is complex and hard to remember. Is an IT manager really going to manage to get the CFO to log in using “fR4; $sYu 29 @QwmQz” without the combination ending up on a Post-it note in his wallet? Or stuck to the side of the screen? Because anything much less than this is going to be open to attack over the next few years.

A GPU of the type used by this chap is not unusual or high end. It is standard-issue stuff. Indeed, I have just sat through the AMD presentation here at Computex in Taiwan, and they made a big deal about putting GPU power into netbooks offering 500Gflops, without denting its 12-hour battery life. And that’s shipping within months.

All I can say is this: you have been warned. It is time to think long and hard about password security, and how you do your authentication. This has crept up on us in the background, and we really haven’t been paying attention. Nor has Microsoft, frankly, who should be having a whole raft of alternative, hardened solutions in place ready for its business customers to roll out.

What are the solutions? To be honest, I’m not sure. A combination of TPM, biometrics, passwords and maybe something else entirely new will be needed. But it’s clear that a complex password that users will actually accept for day-to-day authentication, and keep secret, might be history

Flickr - projectbrainsaver

www.flickr.com
projectbrainsaver's A Point of View photoset projectbrainsaver's A Point of View photoset