August 13, 2010

Powerful GPUs Could Threaten Password Security

The increase of graphics cards that come equipped with processors could pose a serious security risk as hackers use them as low-cost, high-speed tools to crack passwords, according to researchers at the Georgia Tech Research Institute (GTRI).

Graphic processing units or GPUs can provide "supercomputer-level power to any desktop" at a cost of just a few hundred dollars, according to a case study posted to the GTRI website.

While GPUs were designed to help computers handle the requirements of game software, software-development kits that allow users to program the GPU to perform other functions have allowed hackers to harness their power in other, more sinister ways.

"Georgia Tech researchers are investigating whether this new calculating power might change the security landscape worldwide"¦ They're concerned that these desktop marvels might soon compromise a critical part of the world's cyber-security infrastructure--password protection," claims the GTRI case study, entitled "Teraflop Troubles: The Power of Graphics Processing Units May Threaten the World's Password Security System."

According to the report, the GPUs are used in a password-hacking technique known as brute forcing, in which their processing power is combined with software programs in order to break down the codes. Essentially, brute forcing involves trying different combinations of letters and numbers until the right combination is discovered.

"For many common passwords, that doesn't take long," the press release notes. "For one thing, attackers know that many people use passwords comprised of easy-to-remember lowercase letters. Code-breakers typically work on those combinations first."

"Length is a major factor in protecting against brute forcing a password"¦ A computer keyboard contains 95 characters, and every time you add another character, your protection goes up exponentially, by 95 times," added GTRI researcher Joshua L. Davis, who also encourages users to add numbers, symbols, and both upper and lowercase symbols to their passwords.

"Right now we can confidently say that a seven-character password is hopelessly inadequate," senior GTRI research scientist Richard Boyd told BBC News on Friday, "and as GPU power continues to go up every year, the threat will increase."

According to the case study, Davis recommends using a full sentence as a password--especially one that also includes numbers and/or symbols--since they are easy for a user to remember and difficult for a hacker to crack due to their length and complexity. Furthermore, he warns that any password that is less than 12 characters in length "could be vulnerable--if not now, soon."


On the Net: