A few days ago, I posted on the subject of password strength… and then I saw some new research on the issue from Georgia Tech which adds some additional paranoia to password issue. According to the folks from the Peachtree State, recent advances in repurposing the Graphics Processing Units (GPUs) on computer graphics cards put some serious computing power in the hands of password crackers:“Designed to handle the ever-growing demands of computer games, today’s top GPUs can process information at the rate of nearly two teraflops (a teraflop is a trillion floating-point operations per second). To put that in perspective, in the year 2000 the world’s fastest supercomputer, a cluster of linked machines costing $110 million, operated at slightly more than seven teraflops.”
The bad news is that these easily harnessed teraflops make it possible that passwords shorter than 12 characters could be brute forced quickly enough for attackers to make use of them. Now, as I mentioned in the previous posts, well designed systems should implement some mitigating factors to prevent brute forcing from working, the most important of which is intruder lockout and alerting. However, the attacker going after offline data such as encrypted files could make use of brute force attacks. And it is important to remember that many current attacks depend on keystroke loggers – once the attacker has a logger on your system, the length and complexityof your password does not matter any more.
In the end, my recommendations stay the same – run (and update) anti malware software on your machine, and use different, well constructed passwords for every site you visit (LastPass is a great way to keep track of these). It is amazing how many people use the same passwords for different sites… c’mon people – let’s make the bad guys work just a little bit!