Password crackers have a surprising secret weapon

How can you defend against a new line of attack?

Among the oft-cited weaknesses in using passwords for authentication is that people choose bad, easily guessed passwords, such as “123456” or even “password.”

But even carefully chosen passwords are not enough, at least if they are too short, according to researchers at the Georgia Tech Research Institute. The reason: graphics processing units, which are powerful enough to conduct quick, effective brute-force attacks on password-protected systems.

GPUs traditionally have been used in graphics cards to render screen displays on PCs. But they also can be used to accelerate some applications, especially those involving floating-point operations. Apple’s Snow Leopard and Windows 7 operating systems are designed to hand off some processing chores to the GPU.

In a post describing their research, the GTRI team (researchers Joshua Davis and Richard Boyd, and undergraduate researcher Carl Mastrangelo) said they have been using a commonly available graphics processor to test password strength.




"Right now we can confidently say that a seven-character password is hopelessly inadequate,” Boyd said in the post, “and as GPU power continues to go up every year, the threat will increase."

The researchers pointed out that GPUs have been amped-up over the years to handle increasingly sophisticated computer games, and in the process have achieved the power of a mini-supercomputer. Some GPUs today, even those that typically cost less than $500, can process information at a rate of nearly 2 teraflops, or two trillion floating-point operations per second. Ten years ago, the fastest supercomputer in the world, built at a cost of $110 million, ran at about 7 teraflops.

Developers began adapting GPUs to other uses after Nvidia – one of two companies, along with AMD’s ATI, that control essentially the entire GPU market – in 2007 released a software development kit that allowed developers to program a GPU using the C programming language, the researchers said. “If you can write a C program, you can program a GPU now,” Boyd said.

And one of the tasks GPUs can be programmed for is password cracking.

Brute-force attacks, in which a program tries to guess every possible combination until the right one turns up, have been around a long time. But the relatively new ability to use GPUs, which are designed as parallel processors, for brute-force attacks could put a lot of password-cracking power into the hands of a lot of people. Some of whom might not be honest.

The length of a password is important in preventing cracking, Davis said in the post. Any password with fewer than 12 letters, numbers and special characters will soon be ineffective, if it’s not already. Like many readers who responded to our request in May for password tips, he recommended pass phrases – sentences, including upper and lower case characters, symbols and numbers – as a way to avoid having passwords cracked.

Many Web sites and networks already defend against brute-force attacks by limiting the number of incorrect log-in attempts, locking out users after a set number of failed attempts. The downside of the approach is that an attacker could cause a denial-of-service attack by deliberately locking out authorized users, according to the University of Virginia’s System Administrator Database. An attacker also could use the responses from lock-outs to determine the names of authorized users, because only legitimate accounts can be locked out.
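The two lock-out downsides described above can be checked mechanically. The following is an added example, not code from the article or from GTRI: it compares a hard lock-out that only tracks real accounts with a capped, doubling delay applied to any submitted name. The class names, the sample account and the delay values are assumptions made for illustration.

```python
import hmac
import time

USERS = {"alice": "correct horse battery staple 9!"}  # constructed; real systems store hashes

class NaiveLockout:
    """Hard lock after MAX failures, counted only for accounts that exist."""
    MAX = 3
    def __init__(self):
        self.failures = {}
    def login(self, user, password, now=None):
        if user not in USERS:
            return "invalid credentials"
        if self.failures.get(user, 0) >= self.MAX:
            return "account locked"  # only a real account can ever return this
        if hmac.compare_digest(USERS[user].encode(), password.encode()):
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        return "invalid credentials"

class UniformThrottle:
    """Delay that doubles per failure, capped, tracked for any submitted name."""
    BASE, CAP = 1.0, 300.0  # seconds; assumed values
    def __init__(self):
        self.state = {}  # name -> (failure count, earliest next attempt)
    def login(self, user, password, now=None):
        now = time.monotonic() if now is None else now
        fails, next_ok = self.state.get(user, (0, 0.0))
        if now < next_ok:
            return "try again later"  # identical for real and unknown names
        stored = USERS.get(user)
        if stored is not None and hmac.compare_digest(stored.encode(), password.encode()):
            self.state.pop(user, None)
            return "ok"
        self.state[user] = (fails + 1, now + min(self.BASE * 2 ** fails, self.CAP))
        return "invalid credentials"

def probe(policy, user, attempts=5):
    """Responses an observer sees for repeated wrong guesses at one instant."""
    return [policy.login(user, "wrong-guess", now=0.0) for _ in range(attempts)]

def leaks_account_existence(policy):
    """True if a real and an unknown name produce different response sequences."""
    return probe(policy, "alice") != probe(policy, "no-such-user")

if __name__ == "__main__":
    for policy in (NaiveLockout(), UniformThrottle()):
        print(type(policy).__name__, "leaks:", leaks_account_existence(policy))
```

The capped delay bounds, rather than removes, the ability to slow down a legitimate user, and the per-name state table would need expiry in a real deployment.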

Agencies have gradually been moving toward two-factor authentication systems, which take some of the pressure off of passwords. As the processing units available to attackers become increasingly powerful, two-factor systems could become even more necessary.

About the Author

Kevin McCaney is editor of Defense Systems. Follow him on Twitter: @KevinMcCaney.

Reader Comments

Wed, Aug 18, 2010 Jeffrey A. Williams Frisco Texas

The fact that 7 character passwords are inadequate has been known for over two years now. So also is 256k key lengths for PKI Certs inadequate. Seems, though, that neither NIST nor the IETF is yet ready to admit same. So as a result the false positive that the current threat level has been or is being met is of course evident.

Tue, Aug 17, 2010 Eirik Iverson Chantilly, Virginia

Ultimately, the success of any security service hinges on authentication. The blog post below is something of a classic: http://www.blueridgenetworks.com/securitynowblog/all-security-depends-on-authentication So, passwords are easily cracked as this article illustrates. Combine the article with the notion of a botnet (thousands) of these computers and you thus see the state of the art. As a 'high assurance' security vendor, as opposed to one that just plays one on 'marketing content', nearly all uses of authentication in our products are PKI-based. Those of you concerned with HSPD-12 must know PKI: public key infrastructure. It is the strongest form of authentication commercially available. And when employed in a mandatory, mutual manner, it is essentially uncrackable. Contrast this with one-time pass code authentication (e.g., keyfob that displays six characters), which is only one-way (i.e., authenticates client for server but does not authenticate server for client) and subject to man-in-the-middle attacks. So, the management plane of all our products is secured by PKI. Our remote access VPN and our new Pixie (virtual endpoints for clean/secure access) are PKI based. The key exchange process for our VPN technology is enveloped within PKI. Even our enterprise software designed to stop the zero-day malware attacks that your antivirus cannot...uses PKI to secure policy updates and event logs. It's everywhere! Everything we develop is PKI based. While this sounds 'nice' from a security perspective, the real value in designing PKI based authentication into tools and workflow processes from the very beginning is how little end-users actually have to see anything PKI. The best security is invisible. And when customers that have used our products say they didn't realize our product used PKI, we're deeply gratified. Walk away point: look for PKI in all you need. Anything worth stealing that relies solely on passwords is probably cracked already. Cheers, Eirik
