Friday, August 27, 2010

GPU Judgement Day for short Passwords

Researchers from the Georgia Tech Research Institute have announced that the power of GPU processors now poses a real threat to password security, and by implication, to the security of critical IT infrastructure. Top-of-the-line GPU devices now process at a rate of 2 teraflops, which is around 30% of the computing power the fastest computing cluster could muster 10 years ago for a price tag of over $100 million. Given that the main GPU manufacturers have made their devices programmable through standard C libraries, password cracking has become democratized.

The researchers state that 7-character passwords are now totally insecure against exhaustive attacks and recommend 12 characters, drawn from the full 94 printable keyboard characters. GPU processors can also be used to generate rainbow tables for offline password cracking, which was the approach taken recently by Karsten Nohl to build rainbow tables using CUDA nodes.

Of course, applying GPU devices to password cracking is not new, and Elcomsoft has made a name for itself using high-end gaming chips to recover and benchmark passwords. I am a little surprised that the researchers did not mention this. In any case, Elcomsoft has a great blog and you can find a good presentation on GPU password cracking here.

From my post "The spin on passwords for AES":

Adding spin to password-based computations is a workaround to the unpleasant fact that human habits and memory are vastly outmoded in today's IT environment. Everything is getting faster, better and cheaper - except us. Passwords remain the most toxic asset on the security balance sheet, but don't expect a bailout any time soon.
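The following sizing calculation is an added example, not code from the original post or from the researchers. It shows how password length over the 94-character set and the iteration count ("spin") of the key derivation together set the cost of an exhaustive search. The attacker rate of 1e9 hash operations per second is a constructed assumption, and PBKDF2-HMAC-SHA256 stands in for the spin, which the post does not tie to a specific algorithm.

```python
import hashlib
import math
import time

ALPHABET = 94                 # printable keyboard characters, as stated in the post
YEAR = 365 * 24 * 3600        # seconds
ASSUMED_RATE = 1e9            # ASSUMPTION: attacker hash operations per second (constructed)

def keyspace(length, alphabet=ALPHABET):
    """Number of uniformly random passwords of exactly `length` characters."""
    return alphabet ** length

def worst_case_seconds(length, hash_rate, iterations=1):
    """Seconds to try every password when each guess costs `iterations` hash operations."""
    return keyspace(length) * iterations / hash_rate

def min_length(target_seconds, hash_rate, iterations=1):
    """Shortest length whose exhaustive search lasts at least `target_seconds`."""
    length = 1
    while worst_case_seconds(length, hash_rate, iterations) < target_seconds:
        length += 1
    return length

def spin_bits(iterations):
    """Extra bits of effective strength bought by iterating the derivation."""
    return math.log2(iterations)

def measure_pbkdf2(iterations):
    """Defender's cost: time one PBKDF2-HMAC-SHA256 derivation on this machine."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"constructed-password", b"constructed-salt", iterations)
    return time.perf_counter() - start

if __name__ == "__main__":
    # These figures only hold for uniformly random passwords;
    # human-chosen passwords fall to dictionary attacks long before this bound.
    for length in (7, 12):
        for iterations in (1, 100_000):
            years = worst_case_seconds(length, ASSUMED_RATE, iterations) / YEAR
            print(f"len={length:2d} iterations={iterations:>7,d} "
                  f"(+{spin_bits(iterations):4.1f} bits): {years:.3g} years worst case")
    for iterations in (1, 100_000):
        needed = min_length(100 * YEAR, ASSUMED_RATE, iterations)
        print(f"iterations={iterations:>7,d}: need length >= {needed} for a 100-year search")
    print(f"one 100,000-iteration derivation here: {measure_pbkdf2(100_000):.3f} s")
```

Each doubling of the iteration count adds one bit of effective strength, while each added character from the 94-symbol set adds about 6.55 bits, which is why the spin is a workaround and length remains the main lever.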
