{"341201":{"#nid":"341201","#data":{"type":"news","title":"Teraflop Troubles: The Power of Graphics Processing Units May Threaten the World\u2019s Password Security System","body":[{"value":"\u003Cp\u003E\u003Cem\u003EWritten by Rick Robinson\u003C\/em\u003E\u003C\/p\u003E\u003Cp\u003EIt\u2019s been called revolutionary \u2013 technology that lends supercomputer-level power to any desktop. What\u2019s more, this new capability comes in the form of a readily available piece of hardware, a graphics processing unit (GPU) costing only a few hundred dollars.\u003C\/p\u003E\u003Cp\u003EGeorgia Tech researchers are investigating whether this new calculating power might change the security landscape worldwide. They\u2019re concerned that these desktop marvels might soon compromise a critical part of the world\u2019s cyber-security infrastructure \u2013 password protection.\u003C\/p\u003E\u003Cp\u003E\u201cWe\u2019ve been using a commonly available graphics processor to test the integrity of typical passwords of the kind in use here at Georgia Tech and many other places,\u201d said Richard Boyd, a senior research scientist at the\u0026nbsp;\u003Ca href=\u0022http:\/\/www.gtri.gatech.edu\/\u0022\u003EGeorgia Tech Research Institute\u003C\/a\u003E\u0026nbsp;(GTRI). \u201cRight now we can confidently say that a seven-character password is hopelessly inadequate \u2013 and as GPU power continues to go up every year, the threat will increase.\u201d\u003C\/p\u003E\u003Cp\u003EDesigned to handle the ever-growing demands of computer games, today\u2019s top GPUs can process information at the rate of nearly two teraflops (a teraflop is a trillion floating-point operations per second). To put that in perspective, in the year 2000 the world\u2019s fastest supercomputer, a cluster of linked machines costing $110 million, operated at slightly more than seven teraflops.\u003C\/p\u003E\u003Cp\u003EGraphics processing units are so fast because they\u2019re designed as parallel computers. 
In parallel computing, a given problem is divided among multiple processing units, called cores, and these multiple cores tackle different parts of the problem simultaneously.\u003C\/p\u003E\u003Cp\u003EUntil recently, multi-core graphics processors \u2013 which are made by either Nvidia Corp. or by AMD\u2019s ATI unit \u2013 were hard to use for anything except producing graphics for a monitor. To solve a non-graphics problem on a GPU, users had to couch their problems in graphical terms, a difficult task.\u003C\/p\u003E\u003Cp\u003EBut that changed in February 2007, when Nvidia released an important new software-development kit. These new tools allow users to directly program a GPU using the popular C programming language.\u003C\/p\u003E\u003Cp\u003E\u201cOnce Nvidia did that, interest in GPUs really started taking off,\u201d Boyd explained. \u201cIf you can write a C program, you can program a GPU now.\u201d\u003C\/p\u003E\u003Cp\u003EThis new capability puts power into many hands, he says. And it could threaten the world\u2019s ubiquitous password-protection model because it enables a low-cost password-breaking technique that engineers call \u201cbrute forcing.\u201d\u003C\/p\u003E\u003Cp\u003EIn brute forcing, attackers use a fast GPU (or even a group of linked GPUs) \u2013 combined with the right software program \u2013 to break down passwords that are blocking them from a computer or a network. The intruders\u2019 high-speed technique basically involves trying every possible password until they find the right one.\u003C\/p\u003E\u003Cp\u003EFor many common passwords, that doesn\u2019t take long, said Joshua L. Davis, a GTRI research scientist involved in this project. For one thing, attackers know that many people use passwords comprised of easy-to-remember lowercase letters. 
Code-breakers typically work on those combinations first.\u003C\/p\u003E\u003Cp\u003E\u201cLength is a major factor in protecting against brute forcing a password,\u201d Davis explained. \u201cA computer keyboard contains 95 characters, and every time you add another character, your protection goes up exponentially, by 95 times.\u201d\u003C\/p\u003E\u003Cp\u003EComplexity also adds security, he says. Adding numbers, symbols and uppercase characters significantly increases the time needed to decipher a password.\u003C\/p\u003E\u003Cp\u003EDavis believes the best password is an entire sentence, preferably one that includes numbers or symbols. That\u2019s because a sentence is both long and complex, and yet easy to remember. He says any password shorter than 12 characters could be vulnerable \u2013 if not now, soon.\u003C\/p\u003E\u003Cp\u003EWould-be password crackers have other advantages, says Carl Mastrangelo, an undergraduate student in the Georgia Tech\u0026nbsp;\u003Ca href=\u0022http:\/\/www.cc.gatech.edu\/\u0022\u003ECollege of Computing\u003C\/a\u003E\u0026nbsp;who is working on the password research. A computer stores user passwords in an encrypted \u201chash\u201d within the operating system. Attackers who locate a password hash can besiege it by building a rainbow table, which is essentially a database of all previous attempts to compromise that password hash.\u003C\/p\u003E\u003Cp\u003E\u201cGenerating a rainbow table takes a long time,\u201d Mastrangelo explained. \u201cBut if an attacker wants to crack many passwords quickly, once he\u2019s built a rainbow table it might then only take about 10 minutes per password rather than several days.\u201d\u003C\/p\u003E\u003Cp\u003ESoftware programs designed to break passwords are freely available on the Internet, Boyd says. 
Such programs, combined with the availability of GPUs, mean it\u2019s only a matter of time before the password threat will be immediate.\u003C\/p\u003E\u003Cp\u003EBoyd hopes his password work will increase awareness of the GPU\u2019s potential for harm as well as benefit. One result of this research, he says, could be GPU-based workstations that would offer rapid assessments of a given password\u2019s real-world security strength.\u003C\/p\u003E","summary":null,"format":"limited_html"}],"field_subtitle":"","field_summary":"","field_summary_sentence":[{"value":"It\u2019s been called revolutionary \u2013 technology that lends supercomputer-level power to any desktop"}],"uid":"28152","created_gmt":"2014-11-04 17:40:06","changed_gmt":"2016-10-08 03:17:26","author":"Claire Labanz","boilerplate_text":"","field_publication":"","field_article_url":"","dateline":{"date":"2010-08-07T00:00:00-04:00","iso_date":"2010-08-07T00:00:00-04:00","tz":"America\/New_York"},"extras":[],"hg_media":{"341191":{"id":"341191","type":"image","title":"Research Horizons - Teraflop Troubles - investigating GPU threat","body":null,"created":"1449245595","gmt_created":"2015-12-04 16:13:15","changed":"1475895057","gmt_changed":"2016-10-08 02:50:57","alt":"Research Horizons - Teraflop Troubles - investigating GPU threat","file":{"fid":"200738","name":"teraflop_1.jpg","image_path":"\/sites\/default\/files\/images\/teraflop_1_0.jpg","image_full_path":"http:\/\/hg.gatech.edu\/\/sites\/default\/files\/images\/teraflop_1_0.jpg","mime":"image\/jpeg","size":1529771,"path_740":"http:\/\/hg.gatech.edu\/sites\/default\/files\/styles\/740xx_scale\/public\/images\/teraflop_1_0.jpg?itok=YuVEWHab"}}},"media_ids":["341191"],"groups":[{"id":"1188","name":"Research Horizons"}],"categories":[{"id":"42941","name":"Art Research"}],"keywords":[{"id":"171380","name":"Spring 2010 Issue"}],"core_research_areas":[{"id":"39481","name":"National 
Security"}],"news_room_topics":[],"event_categories":[],"invited_audience":[],"affiliations":[],"classification":[],"areas_of_expertise":[],"news_and_recent_appearances":[],"phone":[],"contact":[{"value":"\u003Cp\u003E\u003Cstrong\u003EResearch News\u003C\/strong\u003E\u003C\/p\u003E\u003Cp\u003E\u003Cstrong\u003EGeorgia Institute of Technology\u003C\/strong\u003E\u003C\/p\u003E\u003Cp\u003E\u003Cstrong\u003E177 North Avenue\u003C\/strong\u003E\u003C\/p\u003E\u003Cp\u003E\u003Cstrong\u003EAtlanta, Georgia\u0026nbsp; 30332-0181 \u0026nbsp;USA\u003C\/strong\u003E\u003C\/p\u003E\u003Cp\u003E\u003Cstrong\u003EMedia Relations Contacts:\u003C\/strong\u003E\u003C\/p\u003E\u003Cp\u003E\u003Cstrong\u003EJohn Toon\u003C\/strong\u003E\u003C\/p\u003E\u003Cp\u003E\u003Cstrong\u003E404-894-6986\u003C\/strong\u003E\u003C\/p\u003E\u003Cp\u003E\u003Cstrong\u003E\u003Ca href=\u0022mailto:jtoon@gatech.edu\u0022\u003Ejtoon@gatech.edu\u003C\/a\u003E\u003C\/strong\u003E\u003C\/p\u003E\u003Cp\u003E\u003Cstrong\u003EBrett Israel\u003C\/strong\u003E\u003C\/p\u003E\u003Cp\u003E\u003Cstrong\u003E404-385-1933\u003C\/strong\u003E\u003C\/p\u003E\u003Cp\u003E\u003Cstrong\u003E\u003Ca href=\u0022mailto:brett.israel@comm.gatech.edu\u0022\u003Ebrett.israel@comm.gatech.edu\u003C\/a\u003E\u003C\/strong\u003E\u003C\/p\u003E","format":"limited_html"}],"email":[],"slides":[],"orientation":[],"userdata":""}}}