The power of graphics processing units may threaten the world鈥檚 password security system
It鈥檚 been called revolutionary - technology that lends supercomputer-level power to any desktop. What鈥檚 more, this new capability comes in the form of a readily available piece of hardware, a graphics processing unit (GPU) costing only a few hundred dollars.
Georgia Tech researchers are investigating whether this new calculating power might change the security landscape worldwide. They鈥檙e concerned that these desktop marvels might soon compromise a critical part of the world鈥檚 cyber-security infrastructure - password protection.
鈥淲e鈥檝e been using a commonly available graphics processor to test the integrity of typical passwords of the kind in use here at Georgia Tech and many other places,鈥 said Richard Boyd, a senior research scientist at the Georgia Tech Research Institute (GTRI). 鈥淩ight now we can confidently say that a seven-character password is hopelessly inadequate - and as GPU power continues to go up every year, the threat will increase.鈥
Designed to handle the ever-growing demands of computer games, today鈥檚 top GPUs can process information at the rate of nearly two teraflops (a teraflop is a trillion floating-point operations per second). To put that in perspective, in the year 2000 the world鈥檚 fastest supercomputer, a cluster of linked machines costing $110 million, operated at slightly more than seven teraflops.
Graphics processing units are so fast because they鈥檙e designed as parallel computers. In parallel computing, a given problem is divided among multiple processing units, called cores, and these multiple cores tackle different parts of the problem simultaneously.
Until recently, multi-core graphics processors - which are made by either Nvidia Corp. or by AMD鈥檚 ATI unit - were hard to use for anything except producing graphics for a monitor. To solve a non-graphics problem on a GPU, users had to couch their problems in graphical terms, a difficult task.
But that changed in February 2007, when Nvidia released an important new software-development kit. These new tools allow users to directly program a GPU using the popular C programming language.
鈥淥nce Nvidia did that, interest in GPUs really started taking off,鈥 Boyd explained. 鈥淚f you can write a C program, you can program a GPU now.鈥
This new capability puts power into many hands, he says. And it could threaten the world鈥檚 ubiquitous password-protection model because it enables a low-cost password-breaking technique that engineers call 鈥渂rute forcing.鈥
In brute forcing, attackers use a fast GPU (or even a group of linked GPUs) - combined with the right software program - to break down passwords that are blocking them from a computer or a network. The intruders鈥 high-speed technique basically involves trying every possible password until they find the right one.
For many common passwords, that doesn鈥檛 take long, said Joshua L. Davis, a GTRI research scientist involved in this project. For one thing, attackers know that many people use passwords comprised of easy-to-remember lowercase letters. Code-breakers typically work on those combinations first.
鈥淟ength is a major factor in protecting against brute forcing a password,鈥 Davis explained. 鈥淎 computer keyboard contains 95 characters, and every time you add another character, your protection goes up exponentially, by 95 times.鈥
Complexity also adds security, he says. Adding numbers, symbols and uppercase characters significantly increases the time needed to decipher a password.
Davis believes the best password is an entire sentence, preferably one that includes numbers or symbols. That鈥檚 because a sentence is both long and complex, and yet easy to remember. He says any password shorter than 12 characters could be vulnerable - if not now, soon.
Would-be password crackers have other advantages, says Carl Mastrangelo, an undergraduate student in the Georgia Tech College of Computing who is working on the password research. A computer stores user passwords in an encrypted 鈥渉ash鈥 within the operating system. Attackers who locate a password hash can besiege it by building a rainbow table, which is essentially a database of all previous attempts to compromise that password hash.
鈥淕enerating a rainbow table takes a long time,鈥 Mastrangelo explained. 鈥淏ut if an attacker wants to crack many passwords quickly, once he鈥檚 built a rainbow table it might then only take about 10 minutes per password rather than several days.鈥
Software programs designed to break passwords are freely available on the Internet, Boyd says. Such programs, combined with the availability of GPUs, mean it鈥檚 only a matter of time before the password threat will be immediate.
Boyd hopes his password work will increase awareness of the GPU鈥檚 potential for harm as well as benefit. One result of this research, he says, could be GPU-based workstations that would offer rapid assessments of a given password鈥檚 real-world security strength.
Source: Georgia Institute of Technology
