Researchers at the Georgia Tech Research Institute have found an unexpected tool for brute-force attacks on password-protected systems. Their findings: A seven-character password is “hopelessly inadequate.”
Among the oft-cited weaknesses in using passwords for authentication are that people choose bad, easily guessed passwords, such as “123456” or, even, “password.”
But even carefully chosen passwords are not enough, at least if they are too short, according to researchers at the Georgia Tech Research Institute. The reason: graphics processing units, which are powerful enough to conduct quick, effective brute-force attacks on password-protected systems.
GPUs traditionally have been used in graphics cards to render screen displays on PCs. But they also can be used to accelerate some applications, especially those involving floating-point operations. Apple’s Snow Leopard and Windows 7 operating systems are designed to hand off some processing chores to the GPU.
In a post describing their research, the GTRI team (researchers Joshua Davis and Richard Boyd, and undergraduate researcher Carl Mastrangelo) said they have been using a commonly available graphics processor to test password strength.
“Right now we can confidently say that a seven-character password is hopelessly inadequate,” Boyd said in the post, “and as GPU power continues to go up every year, the threat will increase.”
The researchers pointed out that GPUs have been amped-up over the years to handle increasingly sophisticated computer games, and in the process have achieved the power of a mini-supercomputer. Some GPUs today, even those that typically cost less than $500, can process information at a rate of nearly 2 teraflops, or two trillion floating-point operations per second. Ten years ago, the fastest supercomputer in the world, built at a cost of $110 million, ran at about 7 teraflops.
Developers began adapting them to other uses after Nvidia – one of two companies, along with AMD’s ATI, that control essentially the entire GPU market – in 2007 released a software development kit that allowed developers to program a GPU using the C programming language, the researchers said. “If you can write a C program, you can program a GPU now,” Boyd said.
And one of the programs they can be used for is password-cracking.
Brute-force attacks, in which a program tries every possible combination until the right one turns up, have been around a long time. But the relatively new ability to use GPUs, which are designed as parallel processors, for brute-force attacks could put a lot of password-cracking power into the hands of a lot of people, some of whom might not be honest.
The length of a password is important in preventing cracking, Davis said in the post. Any password with fewer than 12 letters, numbers and special characters will soon be ineffective, if it’s not already. Like many readers who responded to our request in May for password tips, he recommended pass phrases – sentences, including upper and lower case characters, symbols and numbers – as a way to avoid having passwords cracked.
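To make the seven-versus-twelve-character comparison above concrete, here is an added Python estimate, not code from the GTRI researchers, of the worst-case time to exhaust a password's search space. The guess rate of one billion guesses per second is a constructed figure for illustration; the article gives no rate.

```python
import math
import string

# Sizes of the character classes an attacker must cover (printable ASCII).
CHARSET_SIZES = {
    "lower": 26,
    "upper": 26,
    "digit": 10,
    "symbol": len(string.punctuation) + 1,  # 32 punctuation marks plus space
}

def classes_in(password: str) -> frozenset:
    """Character classes a password draws from; a brute-force search must cover all of them."""
    found = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            found.add("lower")
        elif ch in string.ascii_uppercase:
            found.add("upper")
        elif ch in string.digits:
            found.add("digit")
        else:
            found.add("symbol")
    return frozenset(found)

def keyspace(length: int, classes) -> int:
    """Number of candidates of exactly `length` characters over the given classes."""
    alphabet = sum(CHARSET_SIZES[c] for c in classes)
    return alphabet ** length

def entropy_bits(length: int, classes) -> float:
    """log2 of the keyspace: the usual 'bits of strength' figure."""
    return math.log2(keyspace(length, classes))

def seconds_to_exhaust(length: int, classes, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate."""
    return keyspace(length, classes) / guesses_per_second

def human_duration(seconds: float) -> str:
    """Render a duration in the largest unit that fits, with one decimal."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"

if __name__ == "__main__":
    RATE = 1e9  # assumed guesses per second (constructed, not from the article)
    for pw in ("Tr0ub&d", "correct Horse!5"):  # constructed sample passwords
        cls = classes_in(pw)
        print(f"{pw!r}: {len(pw)} chars, {entropy_bits(len(pw), cls):.1f} bits, "
              f"exhaustive search {human_duration(seconds_to_exhaust(len(pw), cls, RATE))}")
```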
Many Web sites and networks already defend against brute-force attacks by limiting the number of incorrect log-in attempts, locking out users after a set number of failures. The downside of the approach is that an attacker could cause a denial of service by deliberately locking out authorized users, according to the University of Virginia’s System Administrator Database. An attacker also could use the responses from lock-outs to determine the names of authorized users, because only legitimate accounts can be locked out.
Agencies have gradually been moving toward two-factor authentication systems, which take some of the pressure off passwords. As the processing units available to attackers become increasingly powerful, two-factor systems could become even more necessary.