News

GPUs: Secret Weapon of Password Crackers

Among the oft-cited weaknesses in using passwords for authentication are that people choose bad, easily guessed passwords, such as "123456" or, even, "password."

But even carefully chosen passwords are not enough, at least if they are too short, according to researchers at the Georgia Tech Research Institute. The reason: graphics processing units, which are powerful enough to conduct quick, effective brute-force attacks on password-protected systems.

GPUs traditionally have been used in graphics cards to render screen displays on PCs. But they also can be used to accelerate some applications, especially those involving floating-point operations. Apple's Snow Leopard and Windows 7 operating systems are designed to hand off some processing chores to the GPU.

In a post describing their research, the GTRI team (researchers Joshua Davis and Richard Boyd, and undergraduate researcher Carl Mastrangelo) said they have been using a commonly available graphics processor to test password strength.

"Right now we can confidently say that a seven-character password is hopelessly inadequate," Boyd said in the post, "and as GPU power continues to go up every year, the threat will increase."

The researchers pointed out that GPUs have been amped-up over the years to handle increasingly sophisticated computer games, and in the process have achieved the power of a mini-supercomputer. Some GPUs today, even those that typically cost less than $500, can process information at a rate of nearly 2 teraflops, or two trillion floating-point operations per second. Ten years ago, the fastest supercomputer in the world, built at a cost of $110 million, ran at about 7 teraflops.

Developers began adapting them to other uses after Nvidia -- one of two companies, along with AMD's ATI, that control essentially the entire GPU market -- in 2007 released a software development kit that allowed developers to program a GPU using the C programming language, the researchers said. "If you can write a C program, you can program a GPU now," Boyd said.

And one of the programs they can be used for is password-cracking.

Brute-force attacks, in which a program tries to guess every possible combination until the right one turns up, have been around a long time. But the relatively new ability to use GPUs, which are designed as parallel processors, for brute-force attacks could put a lot of password-cracking power into the hands of a lot of people. Some of whom might not be honest.

The length of a password is important in preventing cracking, Davis said in the post. Any password with fewer than 12 letters, numbers and special characters will soon be ineffective, if it's not already. Like many readers who responded to our request in May for password tips, he recommended pass phrases -- sentences, including upper and lower case characters, symbols and numbers -- as a way to avoid having passwords cracked.

Many Web sites and networks defend against brute force attacks already by limiting the number of incorrect log-in attempts, blocking out users after a set number of failed attempts. The downside of the approach is that an attacker could cause a denial-of-service attack by deliberately locking out authorized users, according to the University of Virginia's System Administrator Database. An attacker also could use the responses from lock-outs to determine the names of authorized users, because only legitimate accounts can be locked out.

Agencies have gradually been moving toward two-factor authentication systems, which take some of the pressure off of passwords. As the processing units available to attackers become increasingly powerful, two-factor systems could become even more necessary.

About the Author

Kevin McCaney is the managing editor of Government Computer News.

Featured

  • Image of a futuristic maze

    The 2024 Microsoft Product Roadmap

    Everything Microsoft partners and IT pros need to know about major Microsoft product milestones this year.

  • SharePoint Embedded Becomes Generally Available

    After a six-month preview, SharePoint Embedded, an API-based version of SharePoint that developers and ISVs can use to embed Microsoft 365 capabilities into their apps, is now generally available.

  • Copilot in Microsoft 365 Getting Agents, Extensions and Team (Not Teams) Support

    Microsoft is adding more functionality to its Copilot AI assistant aimed at improving business collaboration, processes and workflows for Microsoft 365 users.

  • Microsoft Giving Startups Templates To Build AI Apps

    A new perk for businesses enrolled in the Microsoft for Startups Founders Hub program aims to fast-track their ability to build AI-powered applications.