A new study of password cracking by Vijay Devakumar has shown that modern graphics cards may have rendered even tough passwords easy to crack. Tools such as IGHASHGPU can reduce the time taken to break an NTLM password used on Windows networks from a virtually impossible period to a realistic period. Using a strictly mid-range chip like the Radeon HD 5770, a very tough nine-character password can shrink from 43 years to 48 days; a five-character alphanumeric but random password can be broken in as little as 24 seconds.
More advanced GPUs like the Radeon HD 6970 could crack the password even faster. Future graphics hardware is also likely to worsen the situation as cheaper cards and notebook-level graphics become quick enough to break code in similar amounts of time. Higher-end Radeon HD mobile chips are already at or somewhat beyond the speed of the desktop 5770 used in the test.
The speed-up comes from the nature of modern graphics chipsets. Most from AMD and NVIDIA are based around many-core processors that are increasingly generalized and capable of handling non-GPU tasks, such as decryption or video encoding. Platforms like Mac OS X Snow Leopard and Windows 7 with DirectX 11 have built-in support for the technique and can see major improvements in performance for optimized apps both friendly and hostile.
The speed is potentially dangerous since it would be difficult to defeat through policy requirements. As even very complex, hard to remember passwords could still be broken in a reasonable amount of time, any solutions would have to go beyond the password itself. Hardware authentication, such as on-chip verification or a fingerprint reader, might be necessary for truly high-security areas.
