- Improved hardware using GPU processors, and
- Huge lists of real world passwords that provide guesses and reveal the patterns that users favor when choosing passwords.
Consider the Project Erebus v2.5 computer used to win this year’s Crack Me If You Can contest. It has 8 AMD Radeon HD7970 GPU cards, costs just $12,000, and can brute force the entire 8-character (lower case, upper case, symbols, numbers) NTLM keyspace in just 12 hours. Think about that. If you have a password protecting something important and it’s less than 8 characters, you might as well not bother.
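To make the "12 hours" figure concrete, here is an added worked calculation (not from the post or the Ars Technica article) that derives the hash rate implied by the page's numbers and extrapolates the worst-case exhaustive search time to other password lengths. It assumes the 95 printable ASCII characters as the charset and ignores dictionary and pattern attacks, which only make things worse for the defender.

```python
from math import log2

# Figures stated on the page: 8 x HD7970 GPUs, full 8-character NTLM keyspace in 12 hours.
# Charset size is an assumption: 26 lower + 26 upper + 10 digits + 33 symbols = 95 printable ASCII.
PAGE_CHARSET_SIZE = 26 + 26 + 10 + 33
PAGE_LENGTH = 8
PAGE_HOURS = 12.0


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return charset_size ** length


def implied_hash_rate(charset_size: int = PAGE_CHARSET_SIZE,
                      length: int = PAGE_LENGTH,
                      hours: float = PAGE_HOURS) -> float:
    """NTLM hashes per second the rig must sustain to exhaust the keyspace in `hours`."""
    return keyspace(charset_size, length) / (hours * 3600)


def worst_case_hours(charset_size: int, length: int, rate: float) -> float:
    """Hours to try every candidate at `rate` hashes/second (average success is half this)."""
    return keyspace(charset_size, length) / rate / 3600


def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random password; each extra character adds log2(95) ~ 6.6 bits."""
    return length * log2(charset_size)


def crack_time_table(rate: float, lengths=range(6, 13), charset_size: int = PAGE_CHARSET_SIZE):
    """(length, entropy bits, worst-case hours) rows for the given hash rate."""
    return [(n, round(entropy_bits(charset_size, n), 1), worst_case_hours(charset_size, n, rate))
            for n in lengths]


if __name__ == "__main__":
    rate = implied_hash_rate()
    print(f"implied NTLM rate from the page's figures: {rate / 1e9:.0f} GH/s")
    for n, bits, hours in crack_time_table(rate):
        print(f"length {n:2d}: {bits:5.1f} bits  worst case {hours / 24 / 365.25:12.4g} years")
```

Each extra random character multiplies the search time by 95, which is why the article's advice is long, random, manager-generated passwords rather than clever short ones.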
The other thing affecting cracking efficiency is the recent release of millions of real-world passwords gathered from the breaches at Gawker, Sony, LinkedIn, and others. This helps in two ways. First, it provides a dictionary of potential passwords to try. Second, it gives insight into how users choose their passwords. It turns out that there are some very common patterns in use, and knowing these patterns makes it easy to automate the generation of trial passwords that follow them.
Be sure to follow the link and read the Ars Technica article. It’s a bit long but there’s a lot of really good information in it. The conclusion that the article reaches is that you can still have a secure password if
- you use a password manager such as 1Password or PasswordSafe to generate long random passwords, and
- you never reuse passwords across multiple sites. Password managers make this easy so it’s yet another reason to use one.
If you have any on-line presence at all, you really need to read this article. It will scare you into password sanity.