The word on passwords: Why eight isn’t enough

Stolen credentials are among the most popular items for cyber attackers. The best way to get them, until recently, has been tricking victims through phishing attacks to give them up. Usually, having a password of at least eight characters with a mix of upper and lower case letters, a number and a special character is safe enough.

However, thanks to the power of graphic processors, the ability of hackers to efficiently crack a password with a dictionary attack has been increased. A writer at this week’s RSA Conference 2015 found that out at a vendor booth which demonstrated the power of a password cracking server it has assembled.

It has four ATI Radeon R9 290x GPUs; 32GB RAM; two six-core Intel E5 processors; and a 2TB RAID array. It can do 47.708 Billion hash guesses per second. Armed with  four custom built dictionaries with a combined total of 6,316,324,295 entries, all of the password cracking tools and rules they use are commonly available and in a lot of cases open source.

The result? Four of five hashed MD5 passwords the writer created for a test were cracked in less than five minutes. That included a nine character scrambled creation, as well as P@ssw0rd (the 0 is a zero). That five-minute stat that should be passed by a CSO on to an organization’s staff.

So what’s the solution? Two-factor authentication — particularly for those who have access to sensitive data, as well as for network devices like routers — will be a big help, no matter what the cost is for the organization to implement it. So will longer scrambled passwords.

There is no doubt, though, that CSOs have to re-think corporate password strategy to emphasize eight is no longer enough.

Read the full story here. 

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web