Cheap GPUs Are Rendering Strong Passwords Useless

GPUs have brought brute-force breaking of any 7-character random alphanumeric password down to a maximum of 17.5 minutes, as compared to 4 days with a CPU. For 8 characters it takes 18.5 hours with a GPU, or 1 year with a CPU. This is what Vijay Devakumar found when he used a GPU card and the free password hash cracker called ighashgpu to crack the NTLM password hash, which is used when logging in to Windows.

Vijay’s complete results are below. Note that these are maximum times, and that an actual crack will take less time:

#char  Characters included (random)          CPU Max         GPU Max
5      Mixed case alphanumeric               24s             <1s
6      Mixed case alphanumeric               1h30m           17s
7      Mixed case alphanumeric               ~4 days         17m30s
8      Mixed case alphanumeric               Almost 1 year   18h30m
9      Mixed case alphanumeric               >4 years        48 days
10     Mixed case alphanumeric                               >8 years
7      Mixed case alphanumeric and symbols   75 days         <7 hours
8      Mixed case alphanumeric and symbols   19 years        26 days
9      Mixed case alphanumeric and symbols                   7 years
10     Numbers

Login or other local device passwords clearly are at risk here. Criminals and law enforcement with access to your hard disk will no doubt have little trouble accessing content on your machine or the machine of a company employee.

Passwords that you use on the intranet may be subject to the same risks. There have been a number of notable leaks where attackers have gained access to and downloaded thousands of hashed passcodes from prominent web sites. In the hands of someone with even basic brute-force tools, it is usually possible to decipher half the passwords. Once deciphered, the passwords can be used to gain access to the attacked system or other systems where passwords have been reused.

But have no fear: there are easy steps you as a user can take to make easy-to-remember, strong passwords.

Join two easy to remember words with a symbol character

Until recently my recommendation was to create a strong password by taking two words you know and joining them with a symbol character. For example “eggshell$hamburger”. This advice comes by way of the book Authentication: From Passwords to Public Keys, by Richard E. Smith.

Pad an easy to remember password with repeated characters

More interesting advice comes from Steve Gibson’s Security Now site. Steve shows how “D0g…………………” is a stronger password than “PrXyc.N(n4k77#L!eVdAfp9” and gives you a simple tool to test the strength of your password. You might also want to check out Scott Wright’s blog, where he gives a summary of this information.
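The maximum times in the table and the padding comparison above both reduce to alphabet size raised to the password length, divided by the guess rate. The Python sketch below is an added example, not code from the original post or from ighashgpu; it derives a guess rate from the table's 7-character GPU row and models exhaustive search only. The count of 33 symbol characters and the 21 periods of padding after "D0g" are assumptions.

```python
import string

# Class sizes: 26 lower, 26 upper, 10 digits. The 33 symbols (ASCII
# punctuation plus space) are an assumption; the page gives no count.
CLASSES = [
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation + " "), 33),
]

# Guess rate implied by the table's 7-character GPU row: 62^7 in 17m30s.
IMPLIED_GPU_RATE = 62 ** 7 / (17.5 * 60)  # roughly 3.35e9 guesses/second


def alphabet_size(password):
    """Alphabet an exhaustive search must cover, from the classes in use."""
    used = set(password)
    return sum(size for chars, size in CLASSES if chars & used)


def max_seconds(alphabet, length, rate=IMPLIED_GPU_RATE):
    """Worst-case time to try every string of exactly `length` characters."""
    return alphabet ** length / rate


def humanize(seconds):
    units = (("years", 365 * 86400), ("days", 86400),
             ("hours", 3600), ("minutes", 60))
    for unit, span in units:
        if seconds >= span:
            return f"{seconds / span:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


def report(password):
    n = alphabet_size(password)
    worst = humanize(max_seconds(n, len(password)))
    return f"{len(password)} chars, alphabet {n}: {worst}"


if __name__ == "__main__":
    for length in (7, 8, 9, 10, 12):
        print(length, "mixed case alphanumeric:",
              humanize(max_seconds(62, length)))
    # Constructed inputs: the two-word password and the padded/random pair.
    for pw in ("eggshell$hamburger", "D0g" + "." * 21,
               "PrXyc.N(n4k77#L!eVdAfp9"):
        print(report(pw))
```

At the implied rate the padded 24-character password has a search space 95 times larger than the random 23-character one, because both draw on all four character classes and the padded one is a character longer.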

Advice for businesses

My recommendations for businesses are as follows:

  • Encourage users to choose memorable passwords that are hard to guess (see above).
  • Encourage users to use long passwords, preferably over 11 characters in length.
  • Disable password expiration features.
  • Don’t introduce inflexible rules into a password that force users to deviate from the patterns they use elsewhere, and are therefore accustomed to memorizing.
    • Allow long passwords up to at least 32 characters in length.
    • Allow the full range of alphanumeric and special (&<"/ etc.) characters to be used.
    • Allow previously used passwords to be used again. When a user forgets their passwords (usually due to burdensome rules) they may have reset their password, and may want to correct their password to what they thought it was set to.
    • Do not restrict specific combinations of grouped characters, for example 012345, particularly when used in a long password.
    • Consider not requiring mixed case alpha and numeric because a user may have a strong password that doesn’t meet this particular rule.
  • Offline systems should introduce time delays between bad password attempts, but should not lock out users after a small number of attempts.
  • Online systems can employ lock outs, but should also track and act upon incorrect password attempts.
  • Online services should employ computationally demanding hashing algorithms such as bcrypt.