Password Security: New 25 GPU Monster Devours Passwords In Seconds

A friend alerted us today to this Security Ledger bulletin on Jeremi Gosney's GPU rig. For those concerned that their online accounts may not be secure there is a series of Seekerblog posts that may be helpful (all have the tag Security).

Regarding the risk posed by these ultra-fast cracking farms, check out Steve Gibson’s “password haystack”. And remember that these fast-crackers are only relevant to physical access cases — where the bad guys either have your computer/device, or they have physical access to a site's password hash files. If you have a 30-character passphrase you are probably safe from even the direct physical attacks. Do make sure your phrase is not in a dictionary, which you can easily ensure by adding say ….. somewhere.

Bandits trying to brute force your Gmail account over the internet are limited to a max attack rate of 100 to around 1000 guesses/second.

But we need to also protect ourselves from social engineering attacks, where even the security-aware could be tricked into revealing information that can be used in a penetration. E.g., How Apple and Amazon Security Flaws Led to My Epic Hacking

To foil that sort of attack we think it is important to “silo” key accounts with unique email addresses – which do help to create a higher security fence. E.g., we create a unique email address for each high-value account, such as Apple, Google, Gmail, bank, brokerage, etc..

So make sure each such account has a unique email/login and unique/strong passphrase. I expect someday one of our key accounts will be compromised, maybe by an insider. Then we will be really glad that account was in its own silo.

It's not difficult to accomplish this if you use 1Password to manage all of your sensitive data – see my post The only secure password is the one you can’t remember. Now go buy 1Password for each device that will have access to your password “wallet”.

Lastly, here is Steve Gibson's analysis of one of our 26 character passwords. Note that even the 25 GPU Monster will need about 10 trillion centuries to stumble on to this one (at 348 billion guesses / second).



2 thoughts on “Password Security: New 25 GPU Monster Devours Passwords In Seconds

  1. “social engineering attacks”… I have to say, people will always be the biggest security “flaw”. Great article.

  2. Dead right on that. It’s really time we demanded adoption of a securely authenticated email protocol. That would stop 99.99% of phishing dead. Charging $.01 per email would stop spam but not phishing.

Comments are closed.