Using a $100 graphics card and a freeware utility, you can brute-force NTLM MD5 password hashes at a rate of 3.3 billion guesses per second. A comparable CPU can brute-force the same hashes at just 9.8 million per second. The same utility can only crack SHA1 passwords at around half the speed, but it’s hard to avoid the shocking truth: if you use passwords less than 10 characters in length, you are not safe.

Using a straightforward brute-force attack, the $100 graphics card — a Radeon 5770 — can crack your five-character password, with caps and numbers, in less than a second. A CPU, by comparison, takes 24 seconds. Six-character passwords take the GPU four seconds, while a CPU would take 90 minutes. Seven-character passwords take 17 minutes, while a CPU would take no less than four days.

The problem lies in the fact that GPUs are massively parallel, with hundreds of stream processors that can simultaneously crack password hashes. CPUs have always been notoriously bad at parallel processing, and even the advent of multi-core chips is nothing to write home about. Supercomputers with hundreds of CPUs obviously ameliorate the problem slightly — but considering GPUs can also be used in supercomputing, it’s probably just time to face facts: if you want an uncrackable password, you need to use some seriously long phrases.
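To make the arithmetic behind those figures reproducible, here is an added estimator (example code, not from the article) that takes the quoted guess rates and works out worst-case brute-force time and entropy for a given length and character set. The 62-symbol "caps and numbers" alphabet and the exhaustive-search model are assumptions.

```python
"""Brute-force time estimator built on the guess rates quoted above.

Added example, not code from the article. The rates (3.3e9 guesses/s for
the Radeon 5770, 9.8e6 for the CPU) are the article's; the 62-symbol
"caps and numbers" alphabet and the worst-case model (every combination of
the alphabet tried once, no wordlists or rules) are assumptions.
"""
import math
import string

GPU_NTLM_RATE = 3.3e9   # guesses per second (article figure)
CPU_NTLM_RATE = 9.8e6   # guesses per second (article figure)
SHA1_SLOWDOWN = 0.5     # "around half the speed" for SHA1 (article)

ALPHABETS = {
    "lower": len(string.ascii_lowercase),                             # 26
    "lower+upper+digits": len(string.ascii_letters + string.digits),  # 62
    "printable": len(string.digits + string.ascii_letters
                     + string.punctuation),                           # 94
}

def keyspace(length, alphabet_size):
    """Number of candidate passwords of exactly `length` symbols."""
    return alphabet_size ** length

def entropy_bits(length, alphabet_size):
    """Strength of a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)

def worst_case_seconds(length, alphabet_size, rate, hash_slowdown=1.0):
    """Time to exhaust the whole keyspace at `rate` guesses/s.
    `hash_slowdown` scales the rate for slower hashes (0.5 for SHA1)."""
    return keyspace(length, alphabet_size) / (rate * hash_slowdown)

def human(seconds):
    """Render a duration in the largest unit that keeps it readable."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.2f} seconds"

def crack_table(lengths, alphabet_size=ALPHABETS["lower+upper+digits"]):
    """Worst-case GPU and CPU time per length, as {length: (gpu, cpu)}."""
    return {n: (human(worst_case_seconds(n, alphabet_size, GPU_NTLM_RATE)),
                human(worst_case_seconds(n, alphabet_size, CPU_NTLM_RATE)))
            for n in lengths}

if __name__ == "__main__":
    for n, (gpu, cpu) in crack_table(range(5, 13)).items():
        print(f"{n:2d} chars: GPU {gpu:>14}  CPU {cpu:>14}")
    # Length beats symbol variety: 10 letters+digits outscore 8 printables.
    print(f"8 x 94 symbols: {entropy_bits(8, 94):.1f} bits; "
          f"10 x 62 symbols: {entropy_bits(10, 62):.1f} bits")
```

Running the table past 10 characters shows the GPU times climbing from minutes into years, which is the article's point about length.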

It’s unfair and infeasible to expect everyone to use 15-character passwords with punctuation — everyone would just write their passwords down, which is just as bad — but with password managers like LastPass and KeePass, you only have to remember one master password. KeePass has the advantage that it works across every platform, including Android and iOS. While KeePass stores passwords locally or on a USB dongle that you need to carry around, LastPass stores your passwords securely in the cloud. On the flip side, LastPass only works with browser-based services.

When it comes to choosing a master password, rather than forcing yourself to remember something unmemorable and full of silly punctuation, pick a phrase from your favorite book or poem: “In a hole in the ground there lived a hobbit.” Take a long word, like “elephant”, and intersperse groups of numbers: “el123eph456ant789”. If you don’t want to use a password manager, take the name of the service — “gmail.com” — and append the digits of a friend’s phone number or their street address: “gmail.com2165551234”.



If you have any tips for creating GPU-proof passwords, leave a comment!