Kill All The Passwords

It's time to kill all the passwords. That's the only real conclusion to draw from the work being done by Georgia Tech Research Institute researchers, who are using off-the-shelf graphics-processing cards to crack passwords by brute force. The time required to break an eight-character password: two minutes. A seven-character password--the minimum currently required by PCI-DSS for retailers to protect stored payment-card information--goes in seconds. One of the Georgia Tech researchers, Richard Boyd, called seven-character passwords "hopelessly inadequate."

In short, password security is no longer security. The clock isn't just ticking on every retailer's favorite cheap authentication scheme, it has run out. The answer isn't longer passwords; that's just a stopgap, and even if it works, it won't hold for long. Maybe Chip-and-PIN employee ID cards would do the trick. Even a mag-stripe-and-PIN approach could work. But whatever replaces passwords has to be cheap. And it must have a reasonable chance of keeping the bad guys away from information such as card data.

What's now clear is that passwords can't do that. It's just too easy and inexpensive to point huge amounts of processing power at the problem of password cracking, as the Georgia Tech researchers discovered.

Here's the scenario they were investigating: A thief gets access to a single account on a computer that contains an encrypted password file. He copies the file and then uses a computing farm that consists of hundreds of PCs equipped with consumer-grade graphics cards specially programmed to calculate the encrypted versions of all possible passwords of a particular length.

There's nothing new about using consumer-grade PC hardware to crack passwords and other encrypted data. Thieves have been doing that for years. It's so common that TJX thief Albert Gonzalez was able to outsource his encryption cracking to someone else with a CPU farm who specialized in just that.

But the Georgia Tech researchers used high-end graphics cards, which have the computing power to blast through the necessary calculations at one hundred times the speed of a typical CPU. And because those calculations can all be done in parallel on a graphics processing unit (GPU), the job scales up nicely. A hundred times the number of graphics cards will finish the job in about a hundredth of the time. That makes cracking password files both faster and more affordable for thieves.

"If you assumed an eight-character password was secure before GPUs, that assumption is no longer valid," said Georgia Tech's Boyd.

Wait, it gets worse. Boyd said his team assumed the passwords would be the kind created to optimal specifications (highly random, using a mixture of all available letters, numbers and special characters) and protected with reasonably strong encryption such as MD5. That is, a best-case scenario for security.

But that's nothing like what retail IT people often deal with. Real users make their passwords as simple, easy to remember and trivial to guess as possible. And many retailers, especially in situations like restaurants, are still using PCs running Windows XP, which defaults to a password-encryption scheme called the LAN Manager hash. As encryption, "that's a joke," Boyd said.

The obvious conclusion: PCI-DSS Requirement 8.5.10--that retailers must use at least seven-character passwords on computers containing card data--is hopelessly out of date. GPUs have blown it away.

A less obvious conclusion: GPUs have blown away pretty much every other kind of password, too.

Here's why: You can try longer passwords, but they won't help. According to Boyd and his group, a very random 12-character password should be reasonably safe from a GPU-based brute-force attack, at least for now. (Boyd hastened to add that his team wasn't trying to identify what the best password security policy is, just to demonstrate that relatively short passwords aren't secure.)
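To see how the article's figures fit together when sizing a password-length policy, the following added example (not from the article or the Georgia Tech team) derives the guess rate implied by "eight characters in two minutes" and projects it to other lengths. It assumes a 95-character printable-ASCII alphabet and that the two-minute figure covers the full keyspace; all function names are illustrative.

```python
# Assumption: 95 printable ASCII characters stand in for "all available
# letters, numbers and special characters".
CHARSET = 95
# Figure from the article: an eight-character password falls in two minutes.
REF_LENGTH, REF_SECONDS = 8, 120.0
YEAR = 365 * 24 * 3600


def keyspace(length, charset=CHARSET):
    """Number of candidate passwords of exactly `length` characters."""
    return charset ** length


def implied_rate(length=REF_LENGTH, seconds=REF_SECONDS, charset=CHARSET):
    """Guesses per second needed to exhaust `length` characters in `seconds`."""
    return keyspace(length, charset) / seconds


def exhaust_seconds(length, rate, charset=CHARSET, speedup=1.0):
    """Worst-case time to try every password of this length.

    `speedup` models extra hardware under the article's claim that a hundred
    times the cards finish in about a hundredth of the time.
    """
    return keyspace(length, charset) / (rate * speedup)


def min_length(target_seconds, rate, charset=CHARSET, speedup=1.0):
    """Shortest fully random password whose keyspace outlasts the target."""
    length = 1
    while exhaust_seconds(length, rate, charset, speedup) < target_seconds:
        length += 1
    return length


if __name__ == "__main__":
    rate = implied_rate()
    print(f"implied rate: {rate:.2e} guesses/s")
    for n in (7, 8, 10, 12):
        secs = exhaust_seconds(n, rate)
        print(f"{n:2d} chars: {secs:.3g} s ({secs / YEAR:.3g} years)")
    # Policy question: what length survives ten years, now and at 100x hardware?
    print("10-year minimum:", min_length(10 * YEAR, rate))
    print("10-year minimum at 100x:", min_length(10 * YEAR, rate, speedup=100))
```

These are exhaustive-search times for fully random passwords; the human-chosen passwords the article goes on to describe fall far sooner.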

But in the real world, long passwords have the same fatal flaws as short passwords. Users won't remember a 12-character random password (hey, they can't remember a seven-character random password). So users will write those long passwords on Post-Its and stick them to their monitors. And spell them out over the phone when they want a co-worker to check their E-mail. And recite them to a stranger in a bar who's playing a game of "who's got the weirdest password?"

These aren't new problems. In the age of the GPU, passwords aren't safe from brute-force cracking. But passwords have never been safe from social engineering.

So let's kill them. Passwords appear to be secure, but because of the way many retailers use them, they're not. Passwords appear to be cheap--no special hardware required!--though that's only if you don't measure how much time and manpower your helpdesk spends on password resets.

All you need is a replacement that's at least as secure and almost as cheap.

That cuts out security fobs and biometric readers. The cheapskates who have kept passwords alive for decades won't shell out for what they see as pricey hardware. But using a physical artifact is the right idea: those are much harder for employees to accidentally copy or give away.

How about using employee ID cards with a machine-readable element? It can't be a barcode; any would-be thief with a smartphone could scan that and duplicate it. An RFID tag could be just as risky.

That leaves two technologies that retailers know very well from payment cards: Chip-and-PIN and mag-stripe-and-PIN. Neither is perfect, but both are cheap. Chip-and-PIN requires a separate reader, but it's likely to be more secure. Mag stripes have the advantage that a PC keyboard with a mag-stripe reader costs about the same as any other PC keyboard; the downside is the risk of skimming.

Best of all, both technologies are familiar to retail IT and to users. And for users, replacing passwords with machine-readable employee IDs would represent a physical change, one signaling that security is being taken a lot more seriously.