Monday, June 6, 2011

Weak Password? A GPU can break it

We used to think a password 7-8 characters long was secure enough to protect our accounts. That was true a couple of years ago, but the extraordinary computational power of GPUs is now changing this belief.


Some tests by Vijay Devakumar show that an alphanumeric password of 9 characters can be cracked using a straight brute-force approach in just 48 days! A less secure password, such as one 5 characters long, can be forced in as little as 20 seconds.


Since passwords are vital for your mtgolibrary account (and for every other account in your life), please choose strong ones: very long random passwords made of numbers and letters, such as sd58tggbd5741cse451cd5. Considering that ML Bot automatically remembers the password, you have no excuse not to do so :-)

3 comments:

  1. Put in an exponentially increasing delay between incorrect password attempts on the server, or put a maximum number of incorrect attempts before locking out. This is standard procedure at any secure website.

  2. You miss one (big) point.
    The password can be broken by a GPU if the password hash is stolen (as the GPU can't speed up network bruteforcing).
    Until your server is safe (and the password hash with it), the password is safe.
    If the server is unsafe, my account password is the last thing that worries me.

  3. @Steve81: do you mean the "md5" hash?

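
The server-side throttling suggested in the first comment (an exponentially increasing delay, then a lockout), as an added example that is not part of the original post or its comments. It is a minimal in-memory sketch; the class name, parameters and return strings are all assumptions.

```python
import time


class LoginThrottle:
    """Per-account exponential backoff with a hard lockout (hypothetical sketch)."""

    def __init__(self, base_delay=1.0, max_failures=10, clock=time.monotonic):
        self.base_delay = base_delay      # seconds to wait after the first failure
        self.max_failures = max_failures  # consecutive failures before lockout
        self.clock = clock                # injectable so tests need not sleep
        self._state = {}                  # account -> (failures, time of last failure)

    def retry_after(self, account):
        """Seconds until another attempt is accepted; inf once locked out."""
        failures, last = self._state.get(account, (0, 0.0))
        if failures == 0:
            return 0.0
        if failures >= self.max_failures:
            return float("inf")
        wait = self.base_delay * 2 ** (failures - 1)   # 1, 2, 4, 8, ... seconds
        return max(0.0, last + wait - self.clock())

    def attempt(self, account, check):
        """Run one login attempt; check() verifies the password and returns a bool.

        Returns 'ok', 'denied', 'throttled' or 'locked'.
        """
        wait = self.retry_after(account)
        if wait == float("inf"):
            return "locked"
        if wait > 0:
            return "throttled"            # rejected without evaluating the password
        if check():
            self._state.pop(account, None)   # success clears the failure history
            return "ok"
        failures, _ = self._state.get(account, (0, 0.0))
        self._state[account] = (failures + 1, self.clock())
        return "locked" if failures + 1 >= self.max_failures else "denied"

    def unlock(self, account):
        """Out-of-band reset (administrator or e-mail confirmation)."""
        self._state.pop(account, None)
```

With these defaults, ten wrong guesses take at least 1 + 2 + ... + 256 = 511 seconds before the account locks. This limits online guessing only and does nothing once the password hash itself has been stolen, which is the case the second comment describes.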