Call to improve password security

Published 13 August 2010

Image caption: As computer power gets cheaper, it gets easier to crack passwords, suggests research.

The growing use of graphics cards as surrogate supercomputers could spell trouble for users of short passwords.

Researchers say the growing number of processors on graphics cards will soon make it trivial for them to crack short passwords.

A password of seven characters or fewer will soon be "hopelessly inadequate", they claim.

The researchers suggest passwords should be at least 12 characters long to be safe.

Brute force

A team led by Richard Boyd from the Georgia Tech Research Institute has been investigating what effect the number-crunching power of modern graphics cards could have on the crackability of passwords.

Many graphics cards employ hundreds of so-called stream processors working in parallel to render images. Many scientists now use the basic arithmetical properties of these processors to help crunch through data generated during experiments.

The number crunching abilities of graphics cards are now comparable to the multi-million dollar supercomputers built about a decade ago, said Mr Boyd.

The parallel processing systems inside graphics cards are very good at carrying out so-called "brute force" attacks that effectively try every possible combination of letters and numbers until the right one is found.

Longer passwords take longer to crack and offer better protection, say the researchers.

"Right now we can confidently say that a seven-character password is hopelessly inadequate," said Mr Boyd, "and as GPU power continues to go up every year, the threat will increase."

A better alternative, he suggested, would be a 12-character combination of upper and lower case letters, symbols and digits.
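
The arithmetic behind the comparison of seven-character and 12-character passwords, as an added example that is not from the article or the research team. The guess rate, the one-day search budget and the yearly doubling of GPU throughput are assumed figures chosen for illustration, not measurements from the research.

```python
import math
import string

# Alphabet the article recommends: upper and lower case letters, digits, symbols.
FULL = len(string.ascii_letters + string.digits + string.punctuation)  # 94
LOWER = len(string.ascii_lowercase)                                     # 26

# Assumed figures for illustration only (not from the research):
ASSUMED_RATE = 1e9        # guesses per second
ASSUMED_GROWTH = 2.0      # guess rate multiplies by this each year
ONE_DAY = 86_400          # search time budget in seconds


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates a brute-force search must cover for one exact length."""
    return alphabet_size ** length


def worst_case_seconds(alphabet_size, length, rate=ASSUMED_RATE):
    """Time to try every candidate; the average case is half of this."""
    return keyspace(alphabet_size, length) / rate


def years_until_feasible(alphabet_size, length, budget=ONE_DAY,
                         rate=ASSUMED_RATE, growth=ASSUMED_GROWTH):
    """Years before a full search fits in `budget`, 0.0 if it already does."""
    now = worst_case_seconds(alphabet_size, length, rate)
    if now <= budget:
        return 0.0
    return math.log(now / budget) / math.log(growth)


def compare(lengths=(7, 12), alphabets=(("lowercase", LOWER), ("mixed", FULL))):
    """One row per alphabet and length: keyspace, worst-case time, years of margin."""
    rows = []
    for name, size in alphabets:
        for n in lengths:
            rows.append((name, n, keyspace(size, n),
                         worst_case_seconds(size, n),
                         years_until_feasible(size, n)))
    return rows


if __name__ == "__main__":
    for name, n, space, secs, years in compare():
        print(f"{name:9} len={n:2}  keyspace={space:.2e}  "
              f"worst case={secs / ONE_DAY:.2e} days  feasible in {years:.1f} yr")
```

Each extra character multiplies the search space by the alphabet size, so going from seven to 12 mixed characters adds a factor of 94^5, while each doubling of hardware speed removes only a factor of two.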