12 character passwords required?
Sounds like the good folks at Georgia Tech have worked out how fast they can
crack passwords (i.e., hash a guessed password and check whether the result
matches an entry in a password database) using a GPU. They don't seem to
mention which password hashing algorithm they are attacking, which matters a
great deal: the guess rate against a fast general-purpose hash like MD5 or
SHA-1 is orders of magnitude higher than against a deliberately slow, salted
one like bcrypt or PBKDF2. But they do point out, in the way that responsible
journalists never seem to, that an attacker would of course have to have a
copy of the password hashes first.
The first line of defense in most password systems is to prevent attackers
from getting the hashes at all. So long as that holds, this whole class of
offline attack is irrelevant, a point that sensationalist journalists (hey,
that rhymes!) fail to make.
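To make both points concrete (the attack is "hash the guess, compare to the stolen hash", and it goes nowhere without the hashes), here is a toy offline cracker. It is an added example, not code from the original post or from the Georgia Tech work; the leaked user table, the wordlist and the two hash functions are all constructed stand-ins. It also shows what the unnamed hashing algorithm buys the attacker: the same loop runs against a single SHA-256 and against PBKDF2 with a large iteration count, and the measured guess rate is then applied to the 8- and 12-character keyspaces.

```python
"""Toy offline password-hash cracker.

Added example, not code from the original post or from the Georgia Tech work it
discusses. Everything here is constructed: the "leaked" user table, the wordlist
and the two hash functions stand in for a real password database and the hash
algorithms a cracker would target.
"""
import hashlib
import hmac
import os
import string
import time

PBKDF2_ITERATIONS = 100_000  # work factor for the slow hash (assumed value)
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def fast_hash(salt: bytes, password: str) -> bytes:
    """A single SHA-256 over salt||password: cheap per guess, GPU-friendly."""
    return hashlib.sha256(salt + password.encode()).digest()


def slow_hash(salt: bytes, password: str) -> bytes:
    """PBKDF2-HMAC-SHA256 with many iterations: each guess costs 100k hashes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_database(users, hash_fn):
    """Build the salted hash table an attacker would have to steal first."""
    db = {}
    for user, password in users.items():
        salt = os.urandom(16)
        db[user] = (salt, hash_fn(salt, password))
    return db


def crack(db, wordlist, hash_fn):
    """Offline dictionary attack. It works only because we hold salt and hash;
    without the database there is nothing to compare a guess against."""
    recovered = {}
    guesses = 0
    for user, (salt, target) in db.items():
        for candidate in wordlist:  # the salt forces one hash per guess per user
            guesses += 1
            if hmac.compare_digest(hash_fn(salt, candidate), target):
                recovered[user] = candidate
                break
    return recovered, guesses


def guesses_per_second(hash_fn, samples: int = 10) -> float:
    """Single-core guess rate; a GPU runs the same loop massively in parallel."""
    salt = bytes(16)
    start = time.perf_counter()
    for i in range(samples):
        hash_fn(salt, f"guess{i}")
    return samples / (time.perf_counter() - start)


def keyspace(length: int, alphabet: str = ALPHABET) -> int:
    """Number of candidates for an exhaustive search over `alphabet`."""
    return len(alphabet) ** length


def seconds_to_exhaust(length: int, rate: float) -> float:
    """Worst-case time to try every password of `length` at `rate` guesses/s."""
    return keyspace(length) / rate


if __name__ == "__main__":
    # Constructed sample data: two weak passwords in the wordlist, one not.
    users = {"alice": "letmein", "bob": "Tr0ub4dor&3", "carol": "correct horse battery staple"}
    wordlist = ["password", "123456", "letmein", "qwerty", "Tr0ub4dor&3"]
    for name, fn in (("sha256", fast_hash), ("pbkdf2", slow_hash)):
        db = make_database(users, fn)
        start = time.perf_counter()
        found, n = crack(db, wordlist, fn)
        print(f"{name}: recovered {found} in {n} guesses, {time.perf_counter() - start:.2f}s")
        rate = guesses_per_second(fn)
        for length in (8, 12):
            years = seconds_to_exhaust(length, rate) / (365 * 86400)
            print(f"  {length}-char exhaustive search at {rate:,.0f} guesses/s: {years:.3g} years")
```

Two things worth noticing when you run it: the salt does not stop the dictionary attack on any one account, it only prevents precomputed tables and forces the attacker to redo the work per user; and every extra character multiplies the exhaustive-search cost by 94, which is why the jump from 8 to 12 characters adds roughly 78 million times more work regardless of how fast the GPU is.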
So what have we learned?
- GPUs can be used to brute-force passwords much faster, if you have
managed to get a copy of the password hashes (and the faster the hash
function the site used, the more that speed-up helps the attacker).
- In cases where the password hashes remain inaccessible to attackers,
this is irrelevant.
- Take any sensational claims about security with a grain of salt.
- Passwords are insecure! Passwords will be gone soon! (Yeah, right.
We've heard that for 20 years, and it just doesn't seem to come true.)