Skip navigation.

The constellation is changed, the disposition is the same

Ars Technica has reported of a relatively small GPU-Linux cluster which can crack by brute force standard eight-character MS-Windows passwords in under six hours. There are, of course, a reasons and caveats. Firstly, as online servers will typically block repeat password attempts, is system is most effective against offline password hashes, which then of course can be used for online exploits. Secondly, the metric is based against the NTLM calgorithm that Microsoft has included in every version of Windows since Server 2003; the very same passwords protected by Microsoft's older LM algorithm - will be cracked in under six minutes.

In a sense this is not exactly surprising news. Microsoft's cryptographic algorithms seem to be designed to be 'good enough' for casual use, which means that they are quite hopeless against a determined attacker. More importantly, it is another example of the ability of high density use of GPUs with OpenCL doing what they are very good at - massive data parallelism. The fact that is a relatively small system - just 25 AMD Radeon graphics cards - indicates how increasingly fragile cryptographic algorithms are against such systems.

Which brings to question a certain, large, east-coast Australian university which I know from experience (of the "shocked and horrified" variety) assigns all its student, staff, and researcher passwords to six to eight randomly determined characters - no more and no less. At the time it was appropriate to point out that such a password policy was insecure as it provided a limited range of alternatives. Now, it should be very evident, that the university's policy is positively negligent and if maintained it is only a matter of time before it is compromised.

Randall Munroe, of XKCD fame, makes an excellent contribution to this discussion. He rails against attempts to make passwords secure by adding in capitalisation, numbers, and non-alphanumeric characters without actually changing the level of entropy. Such policies make it relatively easy for computers to crack passwords and relatively hard for humans to remember them. It is better to have a higher level of entropy that is hard to crack but easier to remember (e.g., "correcthorsebatterystaple" - please don't use that as a password).

The problem is, a lot of online services and institutions (such as the aforementioned one) won't accept high-entropy but human memorably passwords as legitimate. They prefer the dangerous model. In doing so, those who determine the IT policy committing an egregious breach of security. It will come and bite them - and maybe with the grim wisdom of hindsight they will see the faults of poor password strength.