Password crackers have a surprising secret weapon

How can you defend against a new line of attack?

Among the oft-cited weaknesses of using passwords for authentication is that people choose bad, easily guessed passwords, such as “123456” or, even, “password.”

But even carefully chosen passwords are not enough, at least if they are too short, according to researchers at the Georgia Tech Research Institute. The reason: graphics processing units, which are powerful enough to conduct quick, effective brute-force attacks on password-protected systems.

GPUs traditionally have been used in graphics cards to render screen displays on PCs. But they also can be used to accelerate some applications, especially those involving floating-point operations. Apple’s Snow Leopard and Windows 7 operating systems are designed to hand off some processing chores to the GPU.

In a post describing their research, the GTRI team (researchers Joshua Davis and Richard Boyd, and undergraduate researcher Carl Mastrangelo) said they have been using a commonly available graphics processor to test password strength.

“Right now we can confidently say that a seven-character password is hopelessly inadequate,” Boyd said in the post, “and as GPU power continues to go up every year, the threat will increase.”

The researchers pointed out that GPUs have been amped-up over the years to handle increasingly sophisticated computer games, and in the process have achieved the power of a mini-supercomputer. Some GPUs today, even those that typically cost less than $500, can process information at a rate of nearly 2 teraflops, or two trillion floating-point operations per second. Ten years ago, the fastest supercomputer in the world, built at a cost of $110 million, ran at about 7 teraflops.

Developers began adapting them to other uses after Nvidia – one of two companies, along with AMD’s ATI, that control essentially the entire GPU market – in 2007 released a software development kit that allowed developers to program a GPU using the C programming language, the researchers said. “If you can write a C program, you can program a GPU now,” Boyd said.

And one of the programs they can be used for is password-cracking.

Brute-force attacks, in which a program tries every possible combination until the right one turns up, have been around a long time. But the relatively new ability to use GPUs, which are designed as parallel processors, for brute-force attacks could put a lot of password-cracking power into the hands of a lot of people, some of whom might not be honest.

The length of a password is important in preventing cracking, Davis said in the post. Any password with fewer than 12 letters, numbers and special characters will soon be ineffective, if it’s not already. Like many readers who responded to our request in May for password tips, he recommended pass phrases – sentences, including upper and lower case characters, symbols and numbers – as a way to avoid having passwords cracked.
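To make the length argument concrete, here is an added example (not code from the GTRI researchers or the article) that estimates the exhaustive-search space for a password and how long an attacker exhausting it would need at an assumed guess rate. The rate is an assumption for illustration only; the article quotes GPU throughput in floating-point operations, not password guesses per second.

```python
import string

# Assumed offline guessing rate against a fast, unsalted hash.
# This is an illustrative assumption, not a figure from the article.
ASSUMED_GUESSES_PER_SECOND = 2_000_000_000

# Character classes an attacker would enumerate; a password that mixes
# classes forces the search over the union of those classes.
CHARACTER_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Size of the alphabet an attacker must cover, assuming they know
    which character classes the password draws from."""
    return sum(len(chars) for chars in CHARACTER_CLASSES.values()
               if any(c in chars for c in password))


def search_space(password: str) -> int:
    """Upper bound on candidates a brute-force search must try."""
    return alphabet_size(password) ** len(password)


def seconds_to_exhaust(password: str,
                       rate: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return search_space(password) / rate


def meets_length_policy(password: str, minimum: int = 12) -> bool:
    """The 12-character floor recommended in the article."""
    return len(password) >= minimum


def years_by_length(alphabet: int, lengths: range,
                    rate: int = ASSUMED_GUESSES_PER_SECOND) -> dict:
    """How exhaustive-search time grows with length for a fixed alphabet."""
    return {n: alphabet ** n / rate / SECONDS_PER_YEAR for n in lengths}


if __name__ == "__main__":
    for pw in ("abcdefg", "Aa1!Aa1!Aa1!", "correct horse battery staple"):
        print(pw, alphabet_size(pw), seconds_to_exhaust(pw) / SECONDS_PER_YEAR,
              meets_length_policy(pw))
```

Running it shows a seven-letter lowercase password falling in seconds at the assumed rate while each added character multiplies the work by the alphabet size, which is why a short password cannot be rescued by careful choice alone.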

Many Web sites and networks already defend against brute-force attacks by limiting the number of incorrect login attempts, locking out users after a set number of failures. The downside of the approach is that an attacker could cause a denial of service by deliberately locking out authorized users, according to the University of Virginia’s System Administrator Database. An attacker also could use the responses from lockouts to determine the names of authorized users, because only legitimate accounts can be locked out.

Agencies have gradually been moving toward two-factor authentication systems, which take some of the pressure off of passwords. As the processing units available to attackers become increasingly powerful, two-factor systems could become even more necessary.

About the Author

Kevin McCaney is a former editor of Defense Systems and GCN.
