{"60485":{"#nid":"60485","#data":{"type":"news","title":"Powerful Processors May Threaten Password Security Systems","body":[{"value":"\u003Cp\u003EIt\u0027s been called revolutionary -- technology that lends supercomputer-level power to any desktop. What\u0027s more, this new capability comes in the form of a readily available piece of hardware, a graphics processing unit (GPU) costing only a few hundred dollars. \u003C\/p\u003E\u003Cp\u003EGeorgia Tech researchers are investigating whether this new calculating power might change the security landscape worldwide. They\u0027re concerned that these desktop marvels might soon compromise a critical part of the world\u2019s cyber-security infrastructure -- password protection. \u003C\/p\u003E\u003Cp\u003E\u0022We\u0027ve been using a commonly available graphics processor to test the integrity of typical passwords of the kind in use here at Georgia Tech and many other places,\u0022 said Richard Boyd, a senior research scientist at the Georgia Tech Research Institute (GTRI). \u0022Right now we can confidently say that a seven-character password is hopelessly inadequate -- and as GPU power continues to go up every year, the threat will increase.\u0022 \u003C\/p\u003E\u003Cp\u003EDesigned to handle the ever-growing demands of computer games, today\u2019s top GPUs can process information at the rate of nearly two teraflops (a teraflop is a trillion floating-point operations per second). To put that in perspective, in the year 2000 the world\u0027s fastest supercomputer, a cluster of linked machines costing $110 million, operated at slightly more than seven teraflops. \u003C\/p\u003E\u003Cp\u003EGraphics processing units are so fast because they\u0027re designed as parallel computers. In parallel computing, a given problem is divided among multiple processing units, called cores, and these multiple cores tackle different parts of the problem simultaneously. \u003C\/p\u003E\u003Cp\u003EUntil recently, multi-core graphics processors -- which are made by either Nvidia Corp. or by AMD\u2019s ATI unit -- were hard to use for anything except producing graphics for a monitor. To solve a non-graphics problem on a GPU, users had to couch their problems in graphical terms, a difficult task. \u003C\/p\u003E\u003Cp\u003EBut that changed in February 2007, when Nvidia released an important new software-development kit. These new tools allow users to directly program a GPU using the popular C programming language. \u003C\/p\u003E\u003Cp\u003E\u0022Once Nvidia did that, interest in GPUs really started taking off,\u0022 Boyd explained. \u0022If you can write a C program, you can program a GPU now.\u0022 \u003C\/p\u003E\u003Cp\u003EThis new capability puts power into many hands, he says. And it could threaten the world\u0027s ubiquitous password-protection model because it enables a low-cost password-breaking technique that engineers call \u0022brute forcing.\u0022 \u003C\/p\u003E\u003Cp\u003EIn brute forcing, attackers use a fast GPU (or even a group of linked GPUs) -- combined with the right software program -- to break down passwords that are blocking them from a computer or a network. The intruders\u0027 high-speed technique basically involves trying every possible password until they find the right one. \u003C\/p\u003E\u003Cp\u003EFor many common passwords, that doesn\u0027t take long, said Joshua L. Davis, a GTRI research scientist involved in this project. For one thing, attackers know that many people use passwords comprised of easy-to-remember lowercase letters. Code-breakers typically work on those combinations first. \u003C\/p\u003E\u003Cp\u003E\u0022Length is a major factor in protecting against brute forcing a password,\u0022 Davis explained. \u0022A computer keyboard contains 95 characters, and every time you add another character, your protection goes up exponentially, by 95 times.\u0022 \u003C\/p\u003E\u003Cp\u003EComplexity also adds security, he says. Adding numbers, symbols and uppercase characters significantly increases the time needed to decipher a password. \u003C\/p\u003E\u003Cp\u003EDavis believes the best password is an entire sentence, preferably one that includes numbers or symbols. That\u0027s because a sentence is both long and complex, and yet easy to remember. He says any password shorter than 12 characters could be vulnerable -- if not now, soon. \u003C\/p\u003E\u003Cp\u003EWould-be password crackers have other advantages, says Carl Mastrangelo, an undergraduate student in the Georgia Tech College of Computing who is working on the password research. A computer stores user passwords in an encrypted \u0022hash\u0022 within the operating system. Attackers who locate a password hash can besiege it by building a rainbow table, which is essentially a database of all previous attempts to compromise that password hash. \u003C\/p\u003E\u003Cp\u003E\u0022Generating a rainbow table takes a long time,\u0022 Mastrangelo explained. \u0022But if an attacker wants to crack many passwords quickly, once he\u2019s built a rainbow table it might then only take about 10 minutes per password rather than several days.\u0022 \u003C\/p\u003E\u003Cp\u003ESoftware programs designed to break passwords are freely available on the Internet, Boyd says. Such programs, combined with the availability of GPUs, mean it\u0027s only a matter of time before the password threat will be immediate. \u003C\/p\u003E\u003Cp\u003EBoyd hopes his password work will increase awareness of the GPU\u0027s potential for harm as well as benefit. One result of this research, he says, could be GPU-based workstations that would offer rapid assessments of a given password\u0027s real-world security strength. \u003C\/p\u003E\u003Cp\u003E\u003Cstrong\u003EResearch News \u0026amp; Publications Office\u003Cbr \/\u003EGeorgia Institute of Technology\u003Cbr \/\u003E75 Fifth Street, N.W., Suite 314\u003Cbr \/\u003EAtlanta, Georgia 30308 USA\u003C\/strong\u003E \u003C\/p\u003E\u003Cp\u003E\u003Cstrong\u003EMedia Relations Assistance\u003C\/strong\u003E: Kirk Englehardt (404-407-7280)(\u003Ca href=\u0022mailto:kirk.englehardt@gtri.gatech.edu\u0022\u003Ekirk.englehardt@gtri.gatech.edu\u003C\/a\u003E) or John Toon (404-894-6986)(\u003Ca href=\u0022mailto:jtoon@gatech.edu\u0022\u003Ejtoon@gatech.edu\u003C\/a\u003E). \u003C\/p\u003E\u003Cp\u003E\u003Cstrong\u003EWriter\u003C\/strong\u003E: Rick Robinson \u003C\/p\u003E","summary":null,"format":"limited_html"}],"field_subtitle":"","field_summary":[{"value":"\u003Cp\u003EGeorgia Tech researchers are investigating whether the power of graphics processing units might change the security landscape worldwide -- compromising a critical part of the world\u2019s cyber-security infrastructure: password protection.\u003C\/p\u003E","format":"limited_html"}],"field_summary_sentence":[{"value":"Inexpensive hardware may facilitate password cracking."}],"uid":"27303","created_gmt":"2010-08-17 00:00:00","changed_gmt":"2016-10-08 03:07:15","author":"John Toon","boilerplate_text":"","field_publication":"","field_article_url":"","dateline":{"date":"2010-08-17T00:00:00-04:00","iso_date":"2010-08-17T00:00:00-04:00","tz":"America\/New_York"},"extras":[],"hg_media":{"60486":{"id":"60486","type":"image","title":"Password security researchers","body":null,"created":"1449176267","gmt_created":"2015-12-03 20:57:47","changed":"1475894525","gmt_changed":"2016-10-08 02:42:05","alt":"Password security researchers","file":{"fid":"191136","name":"trn78361.jpg","image_path":"\/sites\/default\/files\/images\/trn78361_0.jpg","image_full_path":"http:\/\/www.tlwarc.hg.gatech.edu\/\/sites\/default\/files\/images\/trn78361_0.jpg","mime":"image\/jpeg","size":1529771,"path_740":"http:\/\/www.tlwarc.hg.gatech.edu\/sites\/default\/files\/styles\/740xx_scale\/public\/images\/trn78361_0.jpg?itok=Q0TBSF5e"}}},"media_ids":["60486"],"related_links":[{"url":"http:\/\/www.gtri.gatech.edu\/","title":"Georgia Tech Research Institute"}],"groups":[{"id":"1188","name":"Research Horizons"}],"categories":[{"id":"153","name":"Computer Science\/Information Technology and Security"},{"id":"147","name":"Military Technology"},{"id":"135","name":"Research"}],"keywords":[{"id":"10420","name":"graphics processing units"},{"id":"10419","name":"passwords"},{"id":"167055","name":"security"}],"core_research_areas":[],"news_room_topics":[],"event_categories":[],"invited_audience":[],"affiliations":[],"classification":[],"areas_of_expertise":[],"news_and_recent_appearances":[],"phone":[],"contact":[{"value":"\u003Cp\u003E\u003Cstrong\u003EJohn Toon\u003C\/strong\u003E\u003Cbr \/\u003EResearch News \u0026amp; Publications Office\u003Cbr \/\u003E\u003Ca href=\u0022http:\/\/www.gatech.edu\/contact\/index.html?id=jt7\u0022\u003EContact John Toon\u003C\/a\u003E\u003Cbr \/\u003E\u003Cstrong\u003E404-894-6986\u003C\/strong\u003E\u003C\/p\u003E","format":"limited_html"}],"email":["jtoon@gatech.edu"],"slides":[],"orientation":[],"userdata":""}}}