It’s been called revolutionary – technology that lends supercomputer-level power to any desktop. What’s more, this new capability comes in the form of a readily available piece of hardware, a graphics processing unit (GPU) costing only a few hundred dollars.
Georgia Tech researchers are investigating whether this new calculating power might change the security landscape worldwide. They’re concerned that these desktop marvels might soon compromise a critical part of the world’s cyber-security infrastructure – password protection.
Designed to handle the ever-growing demands of computer games, today’s top GPUs can process information at the rate of nearly two teraflops (a teraflop is a trillion floating-point operations per second). To put that in perspective, in the year 2000 the world’s fastest supercomputer, a cluster of linked machines costing $110 million, operated at slightly more than seven teraflops.
About the image: GTRI researchers Joshua Davis (standing) and Richard Boyd (right) investigated the GPU threat to password security, aided by undergraduate researcher Carl Mastrangelo (front). Image credit: Gary Meek, Georgia Tech Research Institute
But that changed in February 2007, when Nvidia released an important new software-development kit. These new tools allow users to directly program a GPU using the popular C programming language.
“Once Nvidia did that, interest in GPUs really started taking off,” Boyd explained. “If you can write a C program, you can program a GPU now.”
“Length is a major factor in protecting against brute forcing a password,” Davis explained. “A computer keyboard contains 95 characters, and every time you add another character, your protection goes up exponentially, by 95 times.”
Complexity also adds security, he says. Adding numbers, symbols and uppercase characters significantly increases the time needed to decipher a password.
Davis believes the best password is an entire sentence, preferably one that includes numbers or symbols. That’s because a sentence is both long and complex, and yet easy to remember. He says any password shorter than 12 characters could be vulnerable – if not now, soon.
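To make the arithmetic behind those two rules of thumb concrete (each extra keyboard character multiplies the search space by 95, and a sentence beats a short string even when the sentence uses fewer character classes), here is an added example, not code from the Georgia Tech researchers. It infers the keyboard alphabet a password draws on, then reports worst-case exhaustive-search cost at a guess rate that is an assumed placeholder, since the article quotes no guesses-per-second figure.

```python
import math
import string

# The 95 printable US-keyboard characters the article cites, split into the
# classes a password policy usually counts: 26 + 26 + 10 + 33 = 95.
CHAR_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}

# Assumed cracking speed (guesses per second) for one GPU workstation. The
# article gives no figure, so this is a placeholder, not a measurement.
ASSUMED_GPU_GUESSES_PER_SEC = 1e9


def alphabet_size(password: str) -> int:
    """Size of the smallest keyboard alphabet covering every character used."""
    return sum(len(chars) for chars in CHAR_CLASSES.values()
               if any(c in chars for c in password))


def brute_force_estimate(password: str,
                         guesses_per_second: float = ASSUMED_GPU_GUESSES_PER_SEC) -> dict:
    """Cost of exhausting every string of this length over this alphabet.
    Dictionary and rule-based attacks beat this against predictable passwords,
    so treat it as an upper bound on what an attacker must spend."""
    n = alphabet_size(password)
    length = len(password)
    keyspace = n ** length if password else 0
    return {
        "alphabet": n,
        "length": length,
        "keyspace": keyspace,
        "entropy_bits": round(length * math.log2(n), 1) if n else 0.0,
        "exhaust_seconds": keyspace / guesses_per_second,
        # Davis's rule of thumb from the article: under 12 characters is suspect.
        "meets_12_char_floor": length >= 12,
    }


if __name__ == "__main__":
    # Constructed sample passwords, from short-and-complex to a sentence passphrase.
    for pw in ["P@ss1", "P@ssw0rd!", "correct horse 9 staple", "My dog Rex ate 2 socks!"]:
        e = brute_force_estimate(pw)
        print(f"{pw!r:26} alphabet={e['alphabet']:2} len={e['length']:2} "
              f"bits={e['entropy_bits']:6} years={e['exhaust_seconds'] / 3.156e7:.3g}")
```

Running the script shows the lowercase-plus-space sentence outrunning the nine-character "complex" password by many orders of magnitude, which is the point Davis makes about length.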
Would-be password crackers have other advantages, says Carl Mastrangelo, an undergraduate student in the Georgia Tech College of Computing who is working on the password research. A computer stores user passwords in an encrypted “hash” within the operating system. Attackers who locate a password hash can besiege it by building a rainbow table, which is essentially a database of all previous attempts to compromise that password hash.
“Generating a rainbow table takes a long time,” Mastrangelo explained. “But if an attacker wants to crack many passwords quickly, once he’s built a rainbow table it might then only take about 10 minutes per password rather than several days.”
Boyd hopes his password work will increase awareness of the GPU’s potential for harm as well as benefit. One result of this research, he says, could be GPU-based workstations that would offer rapid assessments of a given password’s real-world security strength.