Cheap GPUs Rendering Strong Passwords Useless

StrongGlad writes with a story at ZDNet describing how it's getting easier to use GPU processing against passwords once considered quite strong. "Take a cheap GPU (like the Radeon HD 5770) and the free GPU-powered password busting tool called 'ighashgpu' and you have yourself a lean, mean password busting machine. How lean and mean? Working against NTLM login passwords, a password of 'fjR8n' can be broken on the CPU in 24 seconds, at a rate of 9.8 million password guesses per second. On the GPU, it takes less than a second at a rate of 3.3 billion passwords per second. Increase the password to 6 characters (pYDbL6), and the CPU takes 1 hour 30 minutes versus only four seconds on the GPU. Go further to 7 characters (fh0GH5h), and the CPU would grind along for 4 days, versus a frankly worrying 17 minutes 30 seconds for the GPU."

Ha Ha, mine goes to 11

[ColdWetDog]

Go further to 7 characters (fh0GH5h), and the CPU would grind along for 4 days, versus a frankly worrying 17 minutes 30 seconds for the GPU."

OK, so go to 15 characters. Using a password generator I can go as far as I like. Using some sort of password bank program, I can store passwords / phrases of any complexity and use copy and paste, thus having only one strong password to remember.

So, what am I missing? (And lets keep it on topic, folks).

Re:Ha Ha, mine goes to 11

[alt236_ftw]

Single point of failure.

Essentially, you will need to carry a copy of your password bank with you AND the application which opens it at all times to function.
This means that if it gets compromised (your memory stick gets stolen/your dropbox account gets compromised/ etc...) an attacker will only need to guess/bruteforce/dictionary attack/social engineer/look over your shoulder one password and gain access to everything in your wallet.

Its not a bad plan in principle, but only if you keep important passwords outside the wallet just in case it gets compromised. The point of the article is to raise awareness to the fact that passwords take less time to bruteforce these days as GPUs are very well suited for the job.

Also, keep in mind that websites have can limits to what passwords you can use (up to x characters, no symbols, etc...)

And, you cannot copy paste your login password to an OS :)

Re:If someone gets your hashed password, you're do

[sco08y]

It is well known that if someone gets your hashed password, it is as good as cracked. 17 minutes vs 4 minutes is irrelevant.

Bullshit. It is well known by people who don't know what they're talking about, which includes TFA.

Do you seriously think that in the age of bitcoin we can't make a hash function that is arbitrarily difficult?

Use an adaptive cryptographic hash function: bcrypt [wikipedia.org], PBKDF2 [wikipedia.org] or scrypt [tarsnap.com]. The key feature is a tunable stretch factor that basically sets the number of rounds of hashing. Set that factor (by means of a simple timing loop) to require 1 second of CPU time (or GPU time or whatever) to hash.

Now the simplest 8 character A-Z password will take an expected 3,311 years to break. You'll obviously want a safety margin, and will expect them to have more computing power a few years down the road. But you can tune the stretch factor to ensure that a reasonably strong password is perfectly good against offline attacks.

Re:Ha Ha, mine goes to 11

[martin-boundary]

Exponential growth. Get the point?

You're right of course, but I'd like to chime in with another observation: people don't grow the size of their passwords to counter Moore's law.

Statistically, the human population will choose an average (rather low) size of password, and that's going to stay constant over time. When faster machines appear, the average amount of time required to crack a significant fraction of human passwords goes down.

Re:Password Plus CAPTCHA helps

[letsief]

Strictly speaking, NIST still allows the use of SHA-1 for password hashing. NIST says you shouldn't use SHA-1 for anything that requires collision resistance. Password hashing doesn't require collision resistance, it only requires preimage resistance. In fact, there's relatively little benefit to using SHA-256 or SHA-512 for password hashing, since they're not that much slower than SHA-1 and its not much harder to generate and store a SHA-2 rainbow table than a SHA-1 rainbow table.

The page you referenced is from 2006, and NIST has backed off on their warnings about SHA-1 a little bit. The collision attack on SHA-1 probably isn't as bad as it looked in 2006. The attack hasn't improved- some of the alleged improved attacks turned out to have errors in them. No one has ever found a collision using SHA-1. Some people aren't even sure the claimed collision attack even works, though the general agreement is that even if the specific attack outlined in Wang's paper doesn't work, there probably is a similar one that does work.

In the mid 2000's the cryptographic community just saw both of the widely used hash functions attacked- SHA-1 and MD5. There were a lot of people concerned that the attacks would soon be catastrophic. That certainly didn't come true with SHA-1, and its only partially true with MD5 (which still has decent preimage resistance).

Still, telling people to move to SHA-2 is good general-purpose advice. It can be tricky to determine when you need collision resistance and when preimage resistance will do.