7-character passwords soon to be hopelessly inadequate

The increasing processing power and the growing number of processors on graphic cards will soon make 7-character passwords “hopelessly inadequate” to withstand brute force attacks, say scientists from Georgia Tech Research Institute.

No combination of alphanumeric characters and symbols will be save users who choose such a short password, because these stream processors work simultaneously in order to process images, and can try out the various combinations of characters and symbols needed to discover a password in a much shorter time than ever before.

The graphics cards of today have the processing power that a decade ago only multi-million dollar supercomputers had, says Richard Boyd, the leader of the team, for BBC.

The researchers advise users to start using 12-character passwords that combine lower and upper case letters, numbers, and symbols. But ultimately, even this will not be enough. CPU power grows every year, and it’s only a matter of time until users are forced to pick entire sentences as passwords.

Seeing how the typical user rarely listens to this kind of advice, I predict that online services will have to mandate a much higher minimum requirement for passwords. But, on the other hand, password strength is a lesser problem than phishing and social engineering schemes at the moment, and that should make user education a primary goal for security professionals.