A team of researchers at Georgia Tech Research Institute is investigating whether passwords are now worthless, given the supercomputer-like performance now available to hackers using standard desktop graphics cards.
"We've been using a commonly available graphics processor to test the integrity of typical passwords of the kind in use here at Georgia Tech and many other places," said Richard Boyd, a senior research scientist at the Georgia Tech Research Institute (GTRI).
"Right now we can confidently say that a seven-character password is hopelessly inadequate - and as GPU power continues to go up every year, the threat will increase."
The researchers have warned that software development kits simplify programming graphics cards to run general-purpose applications rather than just graphics, which, according to Boyd, makes it easy to harness their power for hacking.
This new capability puts power into many hands, he says, and it could threaten the world's ubiquitous password-protection model because it enables a low-cost password-breaking technique that engineers call "brute-forcing."
In brute-forcing, attackers use a fast GPU (or even a group of linked GPUs) combined with the right software to break the passwords that keep them out of a computer or a network.
The intruders' high-speed technique basically involves trying every possible password until they find the right one.
Christian Brindley, Regional Technical Manager EMEA at VeriSign Authentication, said, "Lots of people think that they have a solid password - over 12 characters long, including a combination of letters, numbers and cases to increase their strength.
"However, in today's world passwords are simply not enough to protect sensitive information on their own. In fact, VeriSign research of UK online adults showed that 39% of us disagree that 'user name plus password' is a strong enough security measure.
"A password is only one layer of security, which criminals have proven they are able to bypass - either through brute force as the Georgia Tech researchers have demonstrated, or, often, simply by guessing.