Cheap GPUs Are Rendering Strong Passwords Useless

Forget passwords. They are obsolete now that passwords are easily guessed by cheap hardware. An article by Adrian Kingsley-Hughes published in ZDNet describes the ease with which an inexpensive graphics processor unit (GPU) can guess a password.

For instance, “a password of ‘fjR8n’ can be broken on the CPU in 24 seconds, at a rate of 9.8 million password guesses per second. On the GPU, it takes less than a second at a rate of 3.3 billion passwords per second. Increase the password to 6 characters (pYDbL6), and the CPU takes 1 hour 30 minutes versus only four seconds on the GPU. Go further to 7 characters (fh0GH5h), and the CPU would grind along for 4 days, versus a frankly worrying 17 minutes 30 seconds for the GPU.

“It gets worse. Throw in a nine-character, mixed-case random password, and while a CPU would take a mind-numbing 43 years to crack this, the GPU would be done in 48 days.”

The article may be found at

4 thoughts on “Cheap GPUs Are Rendering Strong Passwords Useless

    • There are numerous answers: biometrics is my favorite. That is, use a hardware device that reads your fingerprint or scans the retina of your eye. Fingerprint readers are now included on most Apple mobile devices and have been seen on a few other devices also. I suspect fingerprint readers will become even more popular within the next few years. Retina scanners are still rare but undoubtedly will become more popular as the need for security continues to increase.

      As technology improves, I suspect we will see even more solutions that do not use easily-cracked and easily-forgotten passwords.

      Liked by 1 person

      • I understand that many finger print readers can be overcome by taking a photograph of a finger-print left on for instance a glass and then printing it with an ink that causes a lightly embossed print. Even making the finger print reader look for a “human” temperature can be overcome.

        Early retina scan systems could be overcome with a photograph, so the suggestion is that the readers also use a photographic flash to check for iris contraction; I suspect the fraudsters will find a way around that!

        I am worried about the sort of systems that people think can’t be broken (but which later turn out to be breakable). The danger is that until they are proved to be vulnerable, they will be assumed to give cast iron evidence of a person logging on and being responsible for the subsequent transactions.


      • Nothing is ever perfect. I believe you are correct about the limitations of today’s technology. Those limitations undoubtedly will be reduced or eliminated as the technology improves. Even with today’s limitations, the solutions I suggested are still much better and safer today than using easily-hacked and easily-forgotten passwords.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.