Research claims that short passwords will soon be 'hopelessly inadequate', as it encourages multi-character logins

Opinion by Dan Raywood

It is always good to see information security stories feature in the national press, and one caught the eye at the end of last week.

It is always good to see information security stories feature in the national press, and one caught the eye at the end of last week.

In a story on BBC News at the end of last week, it highlighted findings by the Georgia Tech Research Institute which claimed that a password of seven characters or less will soon be ‘hopelessly inadequate', as the researchers said that the growing number of processors on graphics cards will soon make it trivial to crack short passwords.

The research found that a graphics processing unit (GPU) may soon compromise password protection as today's top GPUs can process information at the rate of nearly two teraflops - a trillion floating-point operations per second.

Richard Boyd, a senior research scientist at the institute, admitted that software programs designed to break passwords are freely available on the internet, but these programs combined with the availability of GPUs, mean it is only a matter of time before the password threat will be immediate.

He said: “We've been using a commonly available graphics processor to test the integrity of typical passwords of the kind in use here at Georgia Tech and many other places. Right now we can confidently say that a seven-character password is hopelessly inadequate - and as GPU power continues to go up every year, the threat will increase.”

Joshua L. Davis, a research scientist involved in this project, said that attackers know that many people use passwords comprising easy-to-remember lowercase letters, and code-breakers would typically work on those combinations first.

He said: “Length is a major factor in protecting against brute forcing a password. A computer keyboard contains 95 characters and every time you add another character, your protection goes up exponentially, by 95 times.”

Davis also commented that the best password is a sentence. David Bennett, director EMEA consumer business development at Webroot, agreed with this. He suggested at the very least building a secure password out of a simple sentence, something like ‘Today 29th July I lost my identity and £897 to a hacker' into ‘T29jIlmi&897TAh'.

He said: “This suddenly becomes a very secure password when you mix case, numbers and characters in what appears to be a random fashion. Using this method you can create several simple to remember phrases that build security – just remember to use a different phrase for each site.

“This is okay if you only have a few passwords to remember, however, how many of us only need passwords for one or two sites? I am sure I'm not alone in now needing multiple passwords for social media, banking, email, etc. and it's a challenge to remember them all. We see the industry moving towards cloud-based solutions that remember these long passwords for the user, so users don't need to remember those difficult passwords.”

Research by VeriSign Authentication of UK online adults showed that 39 per cent disagreed that ‘user name plus password' is a strong enough security measure.

Christian Brindley, regional technical manager EMEA at VeriSign Authentication (now a Symantec business), said: “A password is only one layer of security which criminals have proven they are able to bypass; either through brute force as the Georgia Tech researchers have demonstrated, or, often, simply by guessing.

“The current migration to cloud services should mark the end of the traditional username and password usage and drive the adoption of stronger internet security measures. One method that has been proven to work is strong authentication, which combines a user's log in details with a one-time password generated by a device such as a plastic token, credit card style device or even a mobile application. Once a second factor of authentication is introduced, the risk of account sharing and hacking of password reset tools is all but removed at source.”

Stephen Howes, CEO of GrIDsure, said that he found it to be ‘bewildering' that the institute recommended that passwords should become longer and more complicated.

He said: “This goes against every other trend that I have come across in my business and personal life towards making things more convenient and less complicated. Who is seriously going to remember the recommended 12 character strong password consisting of letters, numbers and symbols? It's a recipe for frustration and you can guarantee that users will either forget these passwords or, more likely, just write them down.

“Ultimately, no matter how long and complex you make a password, it can still easily be hacked or stolen by means such as shoulder-surfing or malware (keylogging, screen scraping and so on). I therefore believe that static passwords have no place in today's connected world and consumers should be offered more effective alternatives that offer better security without making their lives more complex or inconvenient.”

We have covered password security a lot in the past, after all a simple and ‘guessable' password can often be the only security to so many precious things. I certainly welcome the debate launched by the Georgia Tech Research Institute and that it was flagged by the BBC, so that this is given more of a chance to be read and considered by the public.

Whether they take any notice, or continue to click on a story from the entertainment section is instead anyone's guess.


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming Events