The monthly e-zine from Delta Comtech

9-character passwords no longer secure?

Passwords of up to 9 random characters have been shown to be ‘crackable’ in relatively short time periods using the power of a standard graphics card. So keep it complex, folks.

We spotted a rather worrying blog item this month from an expert who demonstrates how the power in a modern graphics processor can be used to crack Windows passwords, once considered safe from attack, in a matter of seconds.

Vijay Devakumar decided to use an everyday Radeon 5770 graphics card together with a free password-cracking tool called ‘ighashgpu’ to test how quickly passwords of up to 9 characters could be recovered. The reason for using a graphics card is that the architecture of a modern GPU (graphics processing unit) makes it far more efficient than a regular CPU for algorithms in which large blocks of data are processed in parallel, and trying many candidate passwords against a hash is exactly that kind of workload.

In his blog, Devakumar compares the performance of the GPU with a general purpose CPU in cracking different lengths and complexities of Windows password.

The results are amazing:

Password type                      Time taken by CPU          Time taken by GPU
(lowercase, uppercase              and Cain & Abel software   and ighashgpu software
and digits only)

5-character                        24 secs                    less than 1 second
6-character                        1 hr 30 mins               4 secs
7-character                        approx 4 days              17 mins 30 secs
8-character                        almost 1 year              18 hours and 30 mins
9-character                        43 years                   48 days

What about complex passwords?

No doubt, users of passwords containing simple letter and number combinations will be concerned by the findings above. At least, they should be. But what happened when Devakumar introduced special characters into his passwords?
 

Password type                      Time taken by CPU          Time taken by GPU
(all symbols found on a standard   and Cain & Abel software   and ighashgpu software
keyboard, e.g. >, $, &)

8-character                        not tested                 25 days
9-character                        not tested                 almost 7 years

So what constitutes a safe password?

Sorry, but you must be the judge of this. We see that a 9-character password containing symbols in addition to letters and numbers will take up to 7 years to crack, but as GPU processing speeds increase, this time will shrink.

More importantly, the number of characters is not the sole factor here. The results above clearly bear out the advice we have offered previously - namely, that the more complex the password, the longer it will take to crack. For example, it took Devakumar less than 2 seconds to crack a 10-character password containing only numbers. Longer passwords still may not be any more secure if they contain dictionary words or place names, because an attacker can try those first instead of searching every combination.

"While the raw figures given here are true, they do not give the full picture," says Mike Orton, Technical Director at Delta Comtech. "Almost all user accounts are protected by a “lock out” mechanism which disables the user account after a certain number of failed logins. This means that a “brute force” attack will only get to try a couple of passwords before the account is disabled. There are stealth attacks, which will only try a password every few minutes, but inherently the delay this introduces makes cracking a very long process."
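To see how the two tables and Mike Orton's point fit together, here is an added Python example (not code from Devakumar's blog or from Delta Comtech) that backs out the guess rate implied by the 48-day, 9-character result, uses it to project the other rows, and contrasts it with a lockout-throttled online attacker. It assumes 62 symbols for letters and digits, 95 for a full keyboard, and one guess every five minutes for the throttled case; all three are constructed assumptions.

```python
"""Brute-force search-time estimates from the article's figures.
Added example, not code from Devakumar's blog or Delta Comtech. Assumed
(constructed): 62 symbols for letters+digits, 95 printable ASCII symbols for a
full keyboard, and the 48-day 9-character alphanumeric row as GPU calibration.
"""
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY
ALNUM = 62          # a-z, A-Z, 0-9
ALL_KEYBOARD = 95   # printable ASCII: alphanumerics plus 33 symbols/space
DIGITS = 10


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates an exhaustive search must try in the worst case."""
    return alphabet_size ** length


def guesses_per_second(alphabet_size: int, length: int, seconds: float) -> float:
    """Back out the guess rate implied by exhausting a keyspace in `seconds`."""
    return keyspace(alphabet_size, length) / seconds


def time_to_exhaust(alphabet_size: int, length: int, rate: float) -> float:
    """Worst-case seconds to try every candidate at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate


def describe(seconds: float) -> str:
    """Coarse human-readable duration; these are order-of-magnitude estimates."""
    if seconds < 60:
        return f"{seconds:.1f} seconds"
    if seconds < SECONDS_PER_DAY:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:.1f} years"


# Offline rate (attacker holds the hashes): calibrated from the 48-day row.
GPU_RATE = guesses_per_second(ALNUM, 9, 48 * SECONDS_PER_DAY)
# Online rate: a lockout-aware attacker trying one password every five minutes.
ONLINE_RATE = 1 / 300

if __name__ == "__main__":
    print(f"implied GPU rate: {GPU_RATE:.2e} guesses/s")
    for label, size, length in [("8 alnum", ALNUM, 8), ("10 digits", DIGITS, 10),
                                ("8 keyboard", ALL_KEYBOARD, 8), ("9 keyboard", ALL_KEYBOARD, 9)]:
        offline = describe(time_to_exhaust(size, length, GPU_RATE))
        online = describe(time_to_exhaust(size, length, ONLINE_RATE))
        print(f"{label:11} offline: {offline:>12}   online (lockout-throttled): {online}")
```

The projected offline times land close to the published rows (about 18.6 hours for 8 alphanumeric characters, about 23 days and 6 years for 8 and 9 full-keyboard characters), which shows the table is simply keyspace divided by a roughly constant guess rate; the online column shows why that rate, not password length alone, is what lockout policies attack.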

Click here to read Vijay Devakumar’s blog entry.

Delta Comtech Ltd
Artillery House, Heapy Street
Macclesfield, Cheshire, SK11 7JB

Tel: 0870 2200567
info@delta-comtech.co.uk