[personal profile] thewayne
The specific attack vector here is brute-force guessing of passwords. It requires a server to be compromised so that a copy of the user account database can be obtained. Once that copy is in the hands of attackers, they have unlimited time to try passwords against the user accounts, offline, until accounts begin to fall.

The issue is that you can now build a PC consisting mainly of graphics cards, which gives you tremendous processing power for certain tasks, such as cracking passwords. From the article: "Throw in a nine-character, mixed-case random password, and while a CPU would take a mind-numbing 43 years to crack this, the GPU would be done in 48 days.

Surely throwing symbols in there keeps you safe, right? Wrong! Take a password consisting of seven characters, mixed-case/symbols random password like ‘F6&B is’ (note the space), that’s gotta be tough for a bruteforce attack. Right? A CPU will take some 75 days to churn through the possibilities, while a GPU is done with it in 7 hours."

Again, this requires a level of access to the server that means the system is already compromised anyway. You can't do this against a live server, because the traffic is quite obvious and most servers will lock an account after 3-5 failed login attempts.
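To make the article's arithmetic concrete, here is a small model of the offline scenario described above (added example, not from the post or the article). It assumes a 52-character mixed-case alphabet, reads the attacker's guess rate off the article's 43-years-versus-48-days figures, and adds one defender-side knob the post does not mention: the number of hash iterations applied per stored password, which costs the attacker the same work per guess.

```python
"""Offline brute-force model: an attacker holding a copy of the account
database tries every candidate password at some guess rate.
All figures below are constructed for illustration."""

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# Character-set size assumed for the article's nine-character example (a-z, A-Z).
MIXED_CASE = 52


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return charset_size ** length


def implied_guess_rate(charset_size: int, length: int, crack_seconds: float) -> float:
    """Guesses per second needed to exhaust the keyspace in `crack_seconds`
    (the article quotes exhaustive-search times, so this is the attacker's rate)."""
    return keyspace(charset_size, length) / crack_seconds


def crack_seconds(charset_size: int, length: int, guesses_per_second: float,
                  work_factor: int = 1) -> float:
    """Worst-case seconds to exhaust the keyspace. `work_factor` is the number
    of hash iterations the defender applies per stored password (assumed knob):
    each extra iteration is extra work the attacker must repeat per guess."""
    return keyspace(charset_size, length) * work_factor / guesses_per_second


def gpu_rate() -> float:
    """GPU guess rate implied by the article: 9 mixed-case chars in 48 days."""
    return implied_guess_rate(MIXED_CASE, 9, 48 * SECONDS_PER_DAY)


def gpu_speedup() -> float:
    """Speed-up over a CPU implied by the article's 43-year CPU figure."""
    cpu_rate = implied_guess_rate(MIXED_CASE, 9, 43 * SECONDS_PER_YEAR)
    return gpu_rate() / cpu_rate


def days_at_gpu_rate(charset_size: int, length: int, work_factor: int = 1) -> float:
    """Days to exhaust a keyspace at the article's implied GPU rate."""
    return crack_seconds(charset_size, length, gpu_rate(), work_factor) / SECONDS_PER_DAY


if __name__ == "__main__":
    print(f"GPU/CPU speed-up implied by the article: {gpu_speedup():.0f}x")
    for length in (9, 10, 12):  # each extra character multiplies the time by 52
        print(f"{length}-char mixed case: {days_at_gpu_rate(MIXED_CASE, length):,.0f} days")
    # The defender's lever: per-guess cost of the stored hash.
    print(f"9-char mixed case, 10,000 hash iterations: "
          f"{days_at_gpu_rate(MIXED_CASE, 9, work_factor=10_000):,.0f} days")
```

Run it and the speed-up works out to roughly 327x, which is the ratio the article's two times encode; the work-factor line shows the same keyspace taking 10,000 times longer when every guess costs 10,000 hash iterations.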

It's still interesting information.

I have no idea what the solution is, as graphics cards are only going to get faster and the cracking algorithms will improve, making the crack run faster. So longer passwords aren't the answer; it'll probably end up with a biometric or token plus password.

http://www.zdnet.com/blog/hardware/cheap-gpus-are-rendering-strong-passwords-useless/13125

http://it.slashdot.org/story/11/06/05/2028256/Cheap-GPUs-Rendering-Strong-Passwords-Useless

Date: 2011-06-10 11:40 pm (UTC)
From: [personal profile] silveradept
I'm not sure what the answer to that is other than "make sure your security people are paid enough and are vigilantly on top of patches and the like."

Date: 2011-06-11 06:10 am (UTC)
From: [identity profile] thewayne.livejournal.com
It's a never-ending battle. I have interesting discussions when I'm at work with our security officer, network administrators, and help desk peeps. It makes me ever so happy to not be in the security biz; I just have to make sure my database servers have reasonable security and permissions and leave the rest up to the others.

The problem is that too many C-level managers view IT as a cost sink to be reduced, not as the corp's first line of defense against computer intruders.

Date: 2011-06-11 01:52 pm (UTC)
From: [personal profile] silveradept
Because IT, unlike most other departments, doesn't produce anything when it's doing its job - but those C-level managers will remember what they're there for when things stop working because they took too much away from them.
