
GPUs: Secret Weapon of Password Crackers

Among the oft-cited weaknesses of passwords as an authentication mechanism is that people choose bad, easily guessed ones, such as "123456" or even "password."

But even carefully chosen passwords are not enough, at least if they are too short, according to researchers at the Georgia Tech Research Institute. The reason: graphics processing units, which are powerful enough to conduct quick, effective brute-force attacks on password-protected systems.

GPUs traditionally have been used in graphics cards to render screen displays on PCs. But they also can be used to accelerate some applications, especially those involving floating-point operations. Apple's Snow Leopard and Windows 7 operating systems are designed to hand off some processing chores to the GPU.

In a post describing their research, the GTRI team (researchers Joshua Davis and Richard Boyd, and undergraduate researcher Carl Mastrangelo) said they have been using a commonly available graphics processor to test password strength.

"Right now we can confidently say that a seven-character password is hopelessly inadequate," Boyd said in the post, "and as GPU power continues to go up every year, the threat will increase."

The researchers pointed out that GPUs have been amped up over the years to handle increasingly sophisticated computer games, and in the process have achieved the power of a mini-supercomputer. Some GPUs today, even those that typically cost less than $500, can process information at a rate of nearly 2 teraflops, or two trillion floating-point operations per second. Ten years ago, the fastest supercomputer in the world, built at a cost of $110 million, ran at about 7 teraflops.

Developers began adapting GPUs to other uses after Nvidia -- one of two companies, along with AMD's ATI, that control essentially the entire GPU market -- in 2007 released a software development kit that allowed developers to program a GPU using the C programming language, the researchers said. "If you can write a C program, you can program a GPU now," Boyd said.

And one of the programs they can be used for is password-cracking.

Brute-force attacks, in which a program tries every possible combination until the right one turns up, have been around a long time. But the relatively new ability to use GPUs, which are designed as parallel processors, for brute-force attacks could put a lot of password-cracking power into the hands of a lot of people, some of whom might not be honest.

The length of a password is important in preventing cracking, Davis said in the post. Any password with fewer than 12 letters, numbers and special characters will soon be ineffective, if it's not already. Like many readers who responded to our request in May for password tips, he recommended pass phrases -- sentences, including upper and lower case characters, symbols and numbers -- as a way to avoid having passwords cracked.

Many Web sites and networks already defend against brute-force attacks by limiting the number of incorrect log-in attempts, locking out users after a set number of failed attempts. The downside of the approach is that an attacker could cause a denial of service by deliberately locking out authorized users, according to the University of Virginia's System Administrator Database. An attacker also could use the responses from lock-outs to determine the names of authorized users, because only legitimate accounts can be locked out.
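The lock-out side channel described above, shown next to a variant that answers the same way for every submitted name. This is an added example, not code from the article or from GTRI; the account, the threshold of three failures and the response strings are constructed for illustration.

```python
import hmac

# Constructed sample account. Plaintext is used only to keep the demo short;
# a real system stores a salted, slow password hash.
ACCOUNTS = {"alice": "correct horse battery staple"}
MAX_FAILURES = 3  # assumed lock-out threshold


def _matches(user, password):
    """Constant-time comparison against the stored secret, if the user exists."""
    stored = ACCOUNTS.get(user)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())


class NaiveLockout:
    """Counts failures only for real accounts, so only real accounts ever lock."""

    def __init__(self):
        self.failures = {}

    def login(self, user, password):
        if user not in ACCOUNTS:
            return "invalid credentials"      # unknown names never change state
        if self.failures.get(user, 0) >= MAX_FAILURES:
            return "account locked"           # reveals that the account exists
        if _matches(user, password):
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        return "invalid credentials"


class UniformLockout:
    """Counts failures per submitted name, whether or not the account exists."""

    def __init__(self):
        self.failures = {}  # production code would bound and expire this table

    def login(self, user, password):
        if self.failures.get(user, 0) >= MAX_FAILURES:
            return "too many attempts"
        if _matches(user, password):
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        return "invalid credentials"


def responses(system, user, attempts=MAX_FAILURES + 1):
    """What a client sees for repeated wrong guesses against one name."""
    return [system.login(user, "wrong-guess") for _ in range(attempts)]
```

The uniform variant closes only the name-disclosure issue; a real account can still be locked deliberately, which is the denial-of-service downside the article describes.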

Agencies have gradually been moving toward two-factor authentication systems, which take some of the pressure off of passwords. As the processing units available to attackers become increasingly powerful, two-factor systems could become even more necessary.

About the Author

Kevin McCaney is the managing editor of Government Computer News.
