Use Longer Passwords, Today

Short & Sweet, Too Easy To Beat …

So I was just led from a HuffPost bit to this article: “No password is safe from this new 25-GPU computer cluster” …

The title is a bit misleading, but the gist is that any 8-character password can be cracked in 5.5 hours with a cluster of 25 off-the-shelf AMD Radeon graphics cards. The longer a password is, the longer it takes to crack. More on that in “How long would it take to crack your password?”

So you don’t think it’s a problem today?  How about those files that will be up in a cloud 10 years from now? 🙂  Yeah… what you store today, can be cracked tomorrow, by an ever-increasing range of misguided mammals that have nothing but time and equipment.

Of course, you can always go back and re-encrypt things later… or change all of your passwords, later… sure, you’ll remember… Wait, let me go make some popcorn, this’ll be fun to watch 😉 Got them all? Sure!? Hee hee…

Just start using longer passwords now.  Think of little phrases or sentences.  Think of “future proofing” your passwords a bit, at least for a good 10 years or so.

Wait?  Graphics Cards?

Yep, Graphics Cards. GPUs. For certain operations (cranking through a massive set of computations), the use of OpenCL on a GPU is much faster than a CPU. You can Deep Dive on OpenCL, and quickly realize “oh oh, CPUs are nothing compared to some specific areas where a few graphics cards can effectively be something we would have called a Supercomputer just 10-15 years ago”.

But wait, who has a 25-GPU cluster sitting around?  In 10 years, everyone, in one card.

No, I don’t think I am kidding. Check out “CPU And GPU Trends Over Time”. I did check out the actual data files for the graphs, and the key one was for GPUFlops:

  • 2003 – NVidia FX5900: 25
  • 2007 – NVidia 8800 GTX: 518
  • 2010 – NVidia GTX 580: 1581

…and I know for a fact that the NVidia GTX 690 (2012) is way faster…
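To put numbers on "the longer it is, the longer it takes" and on the 10-year question, here is an added example (not from the original post or the linked articles) that derives a guess rate from the 8-characters-in-5.5-hours figure, derives a yearly speed-up from the GPUFlops points above, and works out how long a password must be to outlast that growth. It assumes randomly chosen characters from the 95 printable ASCII characters and that cracking speed keeps growing at the GPUFlops pace; both are assumptions, not claims from the post.

```python
import math

# Figures quoted in the post
HOURS_FOR_8_CHARS = 5.5                       # 25-GPU cluster, every 8-character password
GPUFLOPS = {2003: 25, 2007: 518, 2010: 1581}  # data points from the trend data

# Assumption (not in the post): random passwords over the 95 printable ASCII characters
CHARSET = 95

def cluster_rate():
    """Guesses per second implied by '8 characters in 5.5 hours'."""
    return CHARSET ** 8 / (HOURS_FOR_8_CHARS * 3600)

def annual_growth():
    """Average yearly speed-up between the first and last GPUFlops points."""
    first, last = min(GPUFLOPS), max(GPUFLOPS)
    return (GPUFLOPS[last] / GPUFLOPS[first]) ** (1 / (last - first))

def hours_to_exhaust(length, years_from_now=0):
    """Hours to try every password of this length on the hardware of that year."""
    rate = cluster_rate() * annual_growth() ** years_from_now
    return CHARSET ** length / rate / 3600

def min_length(target_years, years_from_now=10):
    """Shortest length whose full search still takes target_years at that time."""
    length = 1
    while hours_to_exhaust(length, years_from_now) < target_years * 365 * 24:
        length += 1
    return length

def years_bought_per_char():
    """Years of hardware growth cancelled out by one extra character."""
    return math.log(CHARSET) / math.log(annual_growth())

if __name__ == "__main__":
    print(f"implied rate today: {cluster_rate():.3g} guesses/s")
    print(f"yearly speed-up:    {annual_growth():.2f}x")
    for n in range(8, 15):
        print(f"{n:2d} chars: {hours_to_exhaust(n):.3g} h today, "
              f"{hours_to_exhaust(n, 10):.3g} h in 10 years")
    print("length for a 100-year search in 10 years:", min_length(100))
    print(f"one extra character buys {years_bought_per_char():.1f} years")
```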

So What To Do?

Yeah, I know. Security is such a pain. Use longer passwords, and don’t use the same password for everything. There are many follow-up parts to this that I could write (two-factor authentication, the whole USB key enchilada, the rise of biometrics and nanotechnology, etc). For now I would just say “go longer, and if you run into web sites that limit passwords to 8 characters, yell at them”.

Oh, and a little Post Script: when I was in college, a lad in my 20s using some old Vax 11/750 running BSD Unix, I had a really fun password. It was “        ”. Yes, 8 spaces! I knew that only the first 8 characters entered mattered. I merely held down the spacebar for a few seconds, hit return, et voila! Logged in! If I felt someone was watching me, I would type a few random characters at the end, and still be logged in. Those were much simpler days.

