Recently, I read about a password cracking tool called ighashgpu. What is interesting about it is that it is using the GPU for bruteforcing, instead of CPU which is usually used.Apparently, nowadays, even a cheap video card is able to perform brute-force attacks much better that the normal CPU.
I done some googling around and search for the time needed to crack a password using brute-force, with both “CPU power”(cain & able) and “GPU power”(ighashgpu).(The tests where performed using a middle-range video card – ATI Radeon 5770)
No of characters
|Required CPU Time||Required GPU Time|
|5||fjR8n||24 sec||<1 sec|
|6||pYDbL6||~1h 30 min||4 sec|
|7||fh0GH5h||~ 4 days||17 min 30 sec|
|8||t6Hnf9fL||~256 days||18 h 30 min|
|9||kfU64FdB8||~43 years||48 days|
It is frighten, from my point of view, to see how much faster can you crack a password using the processing power provided by a cheap video card. And the fact that the this cracking tools are breaking new grounds, it’s even more frighten. And, considering the growing rate of the video cards performance, in the near future, passwords under 15 will start to become useless.
Is an IT manager really going to manage to get the CFO to log in using “fR4; $sYu 29 @QwmQz” without the combination ending up on a Post-it note in his wallet?