Data Encryption Software Issues: GPUs Break 9-Character Passwords In 48 Days, CPU Takes 43 Years.

The hardest way to attack a computer protected with AlertBoot hard disk encryption is brute-forcing its encryption key.  The easiest?  Guessing the password (well, on a purely technical basis.  Threatening someone with a knife or gun works even better, but that’s an entirely different aspect of data security). has an article on how GPUs (graphics processing units) have made long passwords less secure: if a CPU takes 1.5 minutes to break a 6-character-long password, the GPU can do it in 4 seconds.

This is worrisome information, and yet, it’s not exactly news.  Ten months ago, I had already noted that Georgia Tech scientists were ringing the alarm on strong passwords, saying that the new standard for long passwords was at least 12-characters long.

According to the article, the testing was done with a CPU that processes 9.8 million passwords per second and a GPU that processes 3.3 billion passwords per second (that’s billion with a B as in bazillions).  This means that:

  • A 5-character password is broken in 24 seconds by CPU, less than 1 second by GPU

  • A 6-character password is broken in 1.5 minutes by CPU, 4 seconds by GPU

  • A 7-character password in 4 days by CPU, 17.5 minutes by GPU

  • A 9-character password in 43 years by CPU, 48 days by GPU.

Clearly, GPUs are powerful stuff in contrast to CPUs.

The writer goes on to wonder if you should be forcing people to select 15-character passwords.  Maybe.  But why?

12-Characters Takes 30,000 Years to Break

As the Georgia Tech researchers noted, passwords ought to be at least 12-characters in length.  I believe they also warned that it should be a combination of upper and lowercase letters and numbers.  While the article also used special characters and spaces as part of the passwords, further increasing the complexity of the password, following Georgia Tech’s less-stringent recommendations would mean that — per the above CPU and GPU rates — a 12-character password would take 31,000 years to brute-force.

That’s not bad at all.  One could argue that there isn’t much of a difference between a 12-character password and a 15-character one when it comes to memorizing one, but why force 15 characters on someone when 12 characters appears more than adequate?
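To rerun these figures with a different guess rate or character set, the Python sketch below (an added example, not code from this post or from the article it cites) computes worst-case exhaustive-search time and the minimum length needed to reach a target. It assumes a uniformly random password, a keyspace of exactly the stated length, and a 62-character alphabet, which roughly reproduces the 9- and 12-character figures above.

```python
# Added example: worst-case exhaustive-search time for a random password.
# Rates are the ones quoted in the post; alphabet sizes are assumptions.
CPU_RATE = 9.8e6    # guesses per second (from the post)
GPU_RATE = 3.3e9    # guesses per second (from the post)
ALNUM = 62          # assumption: a-z, A-Z, 0-9
PRINTABLE = 95      # assumption: all printable ASCII, including space
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def exhaust_seconds(length, alphabet, rate):
    """Seconds to try every password of exactly `length` characters."""
    return alphabet ** length / rate


def min_length(alphabet, rate, target_years):
    """Shortest length whose full keyspace takes at least target_years."""
    needed_guesses = rate * target_years * SECONDS_PER_YEAR
    length = 1
    while alphabet ** length < needed_guesses:
        length += 1
    return length


def humanize(seconds):
    """Render a duration in the largest unit that keeps the value >= 1."""
    units = [("years", SECONDS_PER_YEAR), ("days", SECONDS_PER_DAY),
             ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    # These are upper bounds for random passwords only: a password that
    # appears in a wordlist falls long before the keyspace is exhausted.
    for n in (7, 9, 12, 15):
        cpu = humanize(exhaust_seconds(n, ALNUM, CPU_RATE))
        gpu = humanize(exhaust_seconds(n, ALNUM, GPU_RATE))
        print(f"{n:>2} chars  CPU: {cpu:>28}  GPU: {gpu:>24}")
    for label, size in (("alphanumeric", ALNUM), ("printable ASCII", PRINTABLE)):
        n = min_length(size, GPU_RATE, 30_000)
        print(f"{label}: {n} characters for 30,000 GPU-years")
```

Changing `GPU_RATE` shows how quickly the required length grows as guessing hardware gets faster.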
