GPU cracks six-character password in four seconds - 10/4/2011 - Computer Weekly

This is a bit scary, especially given that some systems put a limit on the size of passwords you may use. Of course, they need to get hold of the encrypted (or hashed) password in the first place, so that should provide a basic line of defence, but it is a remarkable feat, using incredibly cheap hardware. Time to make my passwords longer and stronger, I think. Recent research suggests that the strongest are not those that have weird and wonderful mixes of letters, symbols and numbers (easily forgotten), but those that use sentences (but not obvious ones that can be found with a web search - poems and song lyrics are not a good choice!).
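A worked estimate of what the headline figure actually implies, added here as an example (it is not code from the Computer Weekly article or from this post). It assumes the four seconds covered an exhaustive search of every 6-character password over the 95 printable ASCII characters against a fast, unsalted hash, backs the attacker's guess rate out of that, and then applies the same rate to longer passwords, to a deliberately slow hash, and to a sentence that can be looked up rather than brute-forced. The 100,000-iteration slow-hash cost and the 1e8-line "published phrases" list are constructed figures for the comparison:

```python
"""Brute-force cost estimator for the headline figure.

Added example, not code from the Computer Weekly article or this post.
Assumption: "six characters in four seconds" was an exhaustive search of
all 95 printable-ASCII characters against a fast, unsalted hash
(MD5/NTLM class).  Everything below is derived from that one figure.
"""
import math

PRINTABLE_ASCII = 95   # letters, digits, punctuation, space
LOWERCASE = 26
ALNUM = 62

HEADLINE_LENGTH = 6
HEADLINE_SECONDS = 4.0


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates needed to cover every password of exactly this length."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the keyspace: the bits of work a brute-force attacker faces."""
    return length * math.log2(alphabet_size)


def headline_rate() -> float:
    """Guesses per second implied by the headline (about 1.8e11/s)."""
    return keyspace(PRINTABLE_ASCII, HEADLINE_LENGTH) / HEADLINE_SECONDS


def seconds_to_exhaust(alphabet_size: int, length: int, rate: float,
                       hash_cost: int = 1) -> float:
    """Worst-case time to try the whole keyspace at `rate` guesses/s.

    `hash_cost` models a deliberately slow password hash (PBKDF2 iterations,
    bcrypt/scrypt work factor): each guess costs that many fast-hash
    operations, so the attacker's effective rate drops by that factor.
    """
    return keyspace(alphabet_size, length) / (rate / hash_cost)


def phrase_attack_seconds(known_phrases: int, rate: float) -> float:
    """A sentence that can be found with a web search is not attacked one
    character at a time: the attacker tries a list of published lines, so
    the keyspace is the size of that list, however long the sentence is."""
    return known_phrases / rate


def humanize(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.3g} seconds"


def comparison(rate: float = 0.0) -> dict:
    """Worst-case crack time for several password policies, keyed by label."""
    rate = rate or headline_rate()
    return {
        "6 printable ASCII": seconds_to_exhaust(PRINTABLE_ASCII, 6, rate),
        "8 printable ASCII": seconds_to_exhaust(PRINTABLE_ASCII, 8, rate),
        # Constructed figure: a slow hash costing 100,000 fast-hash operations.
        "8 printable ASCII, slow hash (100k iterations)":
            seconds_to_exhaust(PRINTABLE_ASCII, 8, rate, hash_cost=100_000),
        "12 alphanumeric": seconds_to_exhaust(ALNUM, 12, rate),
        # Upper bound: a real sentence has far less entropy than 20 random
        # letters, but the length still dwarfs a 6-character keyspace.
        "20 lowercase, own sentence": seconds_to_exhaust(LOWERCASE, 20, rate),
        # Constructed figure: attacker holds 1e8 lines of lyrics, poems and
        # quotations.  Length no longer matters at all.
        "any length, line from a published poem":
            phrase_attack_seconds(10**8, rate),
    }


if __name__ == "__main__":
    print(f"implied rate: {headline_rate():.3g} guesses/s")
    for label, secs in comparison().items():
        print(f"{label:48s} {humanize(secs)}")
```

Running it prints the implied rate and one line per policy. The two rows worth comparing are the 20-letter sentence of your own (billions of years even at the headline rate, and that is before a slow hash) and the line from a published poem, which falls in well under a second regardless of its length because the attacker is searching a list, not a character space.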


  • Biometrics anyone?

    Eric von Stackelberg October 12, 2011 - 2:51pm

  • Maybe - apart from difficulties in assuring accuracy (there are too many false positives and false negatives in all existing forms, though using multiple methods can lead to a more acceptable failure rate) and the fact that what gets stored is a bunch of what are still (we hope) encrypted or hashed data, AKA passwords.

    Jon Dron October 12, 2011 - 3:16pm

  • How about public key infrastructure for authentication?

    Nazim Rahman October 13, 2011 - 1:50pm

  • Even worse. Symmetric encryption is at least provably secure (up to a point which, for 6 character passwords, turns out to be 4 seconds on cheap hardware), whereas asymmetric encryption (at least SSL) not only uses crackable passphrases but relies on the complexity of finding the prime numbers that are factors of a big number. This is not only lacking formal proof of difficulty but there has been some notable progress in shortening the time it takes, which suggests that formal proof will never arrive. In fact, I strongly suspect there are agencies out there that can crack it already, but governments are notoriously secretive about such discoveries. For instance, asymmetric encryption was invented in the UK well over a decade before it was invented in the US, but no one knew about it because it was an official secret, and the Nazis never knew that Enigma machines had been cracked by Turing et al. for the same reason (thus also keeping his electronic computers a secret). Plus, it is computationally very very very expensive indeed, which is why it is only used for key exchange today: if we relied on it for more than exchange of symmetric passwords, our computers would crawl at a tiny fraction of their current speed.

    Jon Dron October 13, 2011 - 2:34pm

  • I just made a cryptic sentence for a password. I liked it. No poetry but my own.

    Mary Pringle October 13, 2011 - 2:51pm

