Evan Schuman's StorefrontBacktalk

It’s time to kill all the passwords. That’s the only real conclusion to draw from the work being done by Georgia Tech Research Institute researchers, who are using off-the-shelf graphics-processing cards to crack passwords by brute force. The time required to break an eight-character password: two minutes. A seven-character password–the minimum currently required by PCI-DSS for retailers to protect stored payment-card information–goes in seconds. One of the Georgia Tech researchers, Richard Boyd, called seven-character passwords “hopelessly inadequate.”

In short, password security is no longer security. The clock isn’t just ticking on every retailer’s favorite cheap authentication scheme, it has run out. The answer isn’t longer passwords; that’s just a stopgap, and even if it works, it won’t hold for long. Maybe Chip-and-PIN employee ID cards would do the trick. Even a mag-stripe-and-PIN approach could work. But whatever replaces passwords has to be cheap. And it must have a reasonable chance of keeping the bad guys away from information such as card data.

What’s now clear is that passwords can’t do that. It’s just too easy and inexpensive to point huge amounts of processing power at the problem of password cracking, as the Georgia Tech researchers discovered.

Here’s the scenario they were investigating: A thief gets access to a single account on a computer that contains an encrypted password file. He copies the file and then uses a computing farm that consists of hundreds of PCs equipped with consumer-grade graphics cards specially programmed to calculate the encrypted versions of all possible passwords of a particular length.

There’s nothing new about using consumer-grade PC hardware to crack passwords and other encrypted data. Thieves have been doing that for years. It’s so common that TJX thief Albert Gonzales was able to outsource his encryption cracking to someone else with a CPU farm who specialized in just that.

But the Georgia Tech researchers used high-end graphics cards, which have the computing power to blast through the necessary calculations at one hundred times the speed of a typical CPU. And because those calculations can all be done in parallel on a graphics processing unit (GPU), the job scales up nicely. A hundred times the number of graphics cards will finish the job in about a hundredth of the time. That makes cracking password files both faster and more affordable for thieves.

“If you assumed an eight-character password was secure before GPUs, that assumption is no longer valid,” said Georgia Tech’s Boyd.

Wait, it gets worse. Boyd said his team assumed the passwords would be the kind created to optimal specifications (highly random, using a mixture of all available letters, numbers and special characters) and protected with reasonably strong encryption such as MD5. That is, a best-case scenario for security.

But that’s nothing like what retail IT people often deal with. Real users make their passwords as simple, easy to remember and trivial to guess as possible. And many retailers, especially in situations like restaurants, are still using PCs running Windows XP, which defaults to a password-encryption scheme called the LAN Manager hash. As encryption, “that’s a joke,” Boyd said.

The obvious conclusion: PCI-DSS Requirement 8.5.10–that retailers must use at least seven-character passwords on computers containing card data—is hopelessly out of date. GPUs have blown it away.

A less obvious conclusion: GPUs have blown away pretty much every other kind of password, too.

Here’s why: You can try longer passwords, but they won’t help.