Password angst and the modern Graphics Processing Unit
Monday, 16 August 2010
It seemed like all we needed to do was mix in some numbers and funny characters and that would make our passwords extra super secret enough to protect our Lego ID from the dark force.
This belief was based on the understanding that only those with supercomputers at their disposal would have the computational ability to trundle through all of the permutations needed for a brute force attack against our jumble of weird symbols.
Richard Boyd, of the Georgia Tech Research Institute, told the BBC that the number-crunching capacity of graphics cards compares to those of supercomputers built only 10 years ago.
— The Register
Huh?!
The modern bleeding-edge graphics card, normally the purview of hardcore gamers, packs sufficient mathematical muscle to compete with not-so-old supercomputers?
In other words, not only do we have to worry about black-hats who can command arrays of hijacked home computers to take down sites like Twitter and Facebook at will, but they now have mathematical might at their disposal that we normally associate with scientists and three-letter government agencies.
Read all about the demise of the short password here:
Short passwords ‘hopelessly inadequate’, say boffins (The Register)
Doom and gloom?
Fortunately, from a password security point of view, this kind of computing power is most useful to hackers who have access to the encrypted password file from the server—a file that is hopefully treated with extra special care to prevent others from seeing it.
The hacker simply runs every possible combination of umpteen funny characters through well known hash algorithms until one particular choice hashes perfectly into the stolen encrypted version. Then he logs into your Lego account and orders more Star Wars Lego kits.
If the hacker does not have the list of encrypted user passwords, he cannot run this process on his über cruncher machine in isolation: he must make a login attempt with each password. And most systems start inserting longer delays, and eventually blocking logins altogether, after three or four failed attempts.
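One way the login-side delay and lockout described above can be implemented, as an added example that is not part of the original post. The policy numbers (three free attempts, a doubling delay after that, lockout after eight failures) and the account names are assumptions for the demonstration; the point is that the throttle only gates guesses made through the login form, and does nothing for a hash file that has already been stolen.

```python
import hashlib
import hmac
import os
import time

# Assumed policy: three free attempts, then each further failure doubles
# the wait (2s, 4s, 8s, ...); after MAX_FAILURES the account is locked.
FREE_ATTEMPTS = 3
MAX_FAILURES = 8


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted SHA-256: a per-user salt stops one precomputed table serving everyone."""
    return hashlib.sha256(salt + password.encode()).digest()


def delay_after(failures: int) -> float:
    """Seconds a client must wait before its next attempt is accepted."""
    if failures < FREE_ATTEMPTS:
        return 0.0
    return float(2 ** (failures - FREE_ATTEMPTS + 1))


class LoginThrottle:
    def __init__(self, clock=time.monotonic):
        self.clock = clock          # injectable so the schedule can be tested offline
        self.users = {}             # name -> (salt, digest)
        self.failures = {}          # name -> (failure count, time of last failure)

    def register(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[name] = (salt, hash_password(password, salt))

    def attempt(self, name: str, password: str) -> str:
        count, last = self.failures.get(name, (0, 0.0))
        if count >= MAX_FAILURES:
            return "locked"
        if self.clock() - last < delay_after(count):
            return "throttled"      # refused outright; the failure count is unchanged
        salt, digest = self.users.get(name, (b"", b""))
        # Unknown users fall through to a failed compare so the response looks the same.
        if name in self.users and hmac.compare_digest(hash_password(password, salt), digest):
            self.failures.pop(name, None)
            return "ok"
        self.failures[name] = (count + 1, self.clock())
        return "bad_password"
```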
An ominous sign
Password hacking aside, there is a more sinister problem facing us…
Large powerful government agencies do not spend all of their computing horsepower trying every possible ten-character password to crack a Unix login, do they? They are more concerned with modern hard encryption technologies, the cornerstone of e-commerce and our trust in the Internet.
The time is near when these fancy 128-bit AES keys will fall prey to ne’er-do-wells with nothing more than a tricked-out gaming machine.