A password expert has shown that passwords can be cracked by brute force four times faster than was previously thought possible.
It's no magician's trick. Jeremi Gosney of the Stricture Consulting Group shared the findings at the recent Passwords^12 conference in Norway, where researchers do nothing but focus on passwords and PIN numbers.
What Gosney showed is that a computer cluster using 25 AMD Radeon graphics cards let it make 350 billion — that's right, billion — password attempts per second when trying to crack password hashes made by the algorithm Microsoft uses in Windows.
Ars Technica reported on the finding, estimating that it would take less than six hours for the system to guess every single possible eight-character password. Gosney, in an email to the site, said, "We can attack (password) hashes approximately four times faster than we could previously."
Users should take action, especially those who have been using eight-character passwords and thinking they were safe (or safer than users with fewer characters in passwords), said Infosecurity, an online magazine. It doesn't even matter if you have numbers, upper case letters and symbols — you are not in the clear.
Eight-character passwords "are no longer sufficient," the magazine says, and users should come up with longer passwords to "help defeat brute forcing, and complex passwords to help defeat dictionary attacks."
Dictionary attacks use pretty common words, names and places that many of us still come up with for passwords, like "LoveNewYork" or even "Jesus" because they're easy to remember. They're also incredibly easy to crack.
Dmitry Bestuzhev, of Kaspersky Lab, offers these suggestions:
1. Use a different password for each different online resource. Never reuse the same password for different services. If you do, all or many of your other online accounts can be compromised. 2. Use complex passwords. This means, in a perfect scenario, a combination of symbols, letters and special characters. The longer the better. 3. Sometimes our online service providers don’t let us create really complex passwords, but try to use long passwords, with at least 23 characters in a combination of uppercase and lowercase letters. A password of 23 characters (131 bits) would be ok.
That may be an ambitious undertaking, especially with the abundance of services out there that all require authentication, but it's worth striving for.
Eight characters "just isn't long enough for a password these days," Sophos Labs' Paul Ducklin told NBC News in an email. "Even before this latest 'improvement' in cracking, standalone GPU (graphics processing unit)-based servers could do the job on eight-character Windows passwords in under 24 hours." And, he added, "cybercrooks with a zombie network, of course, could easily do something similar, even without GPUs."
Ducklin, writing about another password-cracking presentation at the password conference, made it clear that the findings are "yet another reminder that security is an arms race." But to stay ahead all you have to do is lengthen those passwords. At least for now.