Cheap GPUs are rendering strong passwords useless

http://www.zdnet.com/blog/hardware/cheap-gpus-are-rendering-strong-passwords-useless/13125

Think that your eight-character password consisting of lowercase characters, uppercase characters and a sprinkling of numbers is strong enough to protect you from a brute force attack?

Jon Honeyball writing for PC Pro has a sobering piece on how the modern GPU can be leveraged as a powerful tool against passwords once considered safe from bruteforce attack.

Take a cheap GPU (like the Radeon HD 5770) and the free GPU-powered password busting tool called ’ighashgpu‘ and you have yourself a lean, mean password busting machine. How lean and mean? Very:

The results are startling. Working against NTLM login passwords, a password of “fjR8n” can be broken on the CPU in 24 seconds, at a rate of 9.8 million password guesses per second. On the GPU, it takes less than a second at a rate of 3.3 billion passwords per second.

Why do I have to call the IT department to unlock my PC after three failed login attempts, but some asshole on the outside with a GPU gets 3.3 billion tries?

your 8 digit password plus things like locks after 3 login attempts protects you against the casual person trying to access your account.

That will not help against a highly sophisticated attack that gains them access to the root of the server or breaks into the database that stores the passwords (in a format called hashes) and then uses a GPU to brute force the password. There are defenses against those things and even warning software that alerts you if someone is attempting those kinds of attacks to begin with so that you can take additional defensive measures.

If I'm flat out guessing at the password, chances are good that I won't stumble upon it in four or nine or twenty attempts, so what possible benefit could this three-strikes security provide, except to fuck me up while I can't remember my password & have a customer on the phone?

been able to see the whole thing, etc.

Most attempts at brute forcing passwords are very unsophisticated. There are lists of the most common 500 and most common 5000 passwords available on the internet and people will use software + lists of common passwords to try to bruteforce your password that way. Locking after 3, 5, or 10 attempts makes those methods impractical

If I thought it was worth it I'd put a fingerprint scanner on my computer to use for access - if the really important places like my bank added it to their security, that is.

of a scenario. I'd rather not lose a finger, hand or eye because someone really wants to get at data to which I have access.

Mythbusters did it with a xerox copy of a thumbprint!
http://youtu.be/LA4Xx5Noxyo