A seven-character password is “hopelessly inadequate,” say scientists at the Georgia Tech Research Institute.
A password with 12 characters may be just as vulnerable.
GTRI researchers have proven that an inexpensive graphics processing unit (GPU) can bust passwords at the speed of a $100 million supercomputer. Until recently, GPUs were difficult to use for anything other than graphics on a computer monitor. But new software has allowed them to be programmed using the popular C language. This enables a technique called “brute forcing,” a high-speed procedure that involves trying every combination of characters to figure out a password.
A password consisting of eight lower-case letters can be cracked in a few minutes using a cluster of GPUs, said Richard Boyd, a senior research scientist and project lead. This puts at risk everyone from the casual user logging in to an email account to larger networks used by banking institutions and the military, researchers said.
The longer the password, especially one that includes numbers and symbols, the longer it will take to figure out. A password using every character available on a keyboard could take a group of GPUs thousands of years to crack.
But as graphics cards become more powerful, passwords of any length may still prove ineffective, said Joshua Davis, a research scientist working on the study. Methods relying on two forms of authentication could become necessary, such as using passwords and PINs or even biometric data like fingerprints and face recognition technology, he said.