Needless to say the smartphone generation have had a huge impact on how IT Security needs to be able to evolve and control the usage and data-flows to such devices, and looking into the future it will not take long before we start discussing how organizations can extend bring your own device to private laptops and computers, making the IT organization the ISP and ASP within the organizations.However once in a while the consequences of consumer IT has a much more direct effect on how we do security and how we think security.
A good example is the recent projects that has come out on utilizing the GPU processing powers that our average PC Gamer Graphics Card possess.
A GPU is basically a CPU or Computing unit which is normally used to generate and calculate the images we see on the screen – Historically a very small part of the computing power our PC’s and laptops have…but then came gaming, and with gaming the requirement for more and more vivid graphics, 3D effects which meant that there was an explosion in processing power in the graphics card.
This specific requirement has meant that graphics cards have almost as much processing powers as our machines, and the GPU’s are also cheap and low form factor, making a GPU the perfect candidate for building a high performance computing platform.
As such there is nothing new in this, but the projects coming out a very interesting from a security perspective.
One of them is an open source project, which using 25 GPU’s and the OpenCL cluster platform have been able to enable developers to create a platform which can guess 350 billion windows password per second!
What does this means to organizations security? Well, 350 Billion Passwords per second translates into the capability of guessing every combination of characters to an 8 character length password within in 5.5 hours – Something we never though possible, especially not using normal consumer IT.
So what should you do? Well – Make your password longer would be the general response – And of course enforcing a longer password could be a good response…but there will undoubtedly be even more powerful GPU’s, even more computing power available at low cost meaning that in in a couple of months or years you would need to make your password even stronger…making security being even more difficult for the average user…
You could also rethink how you do your passwords? What if a password could only be used once, what if the password would be dynamic and changing constantly?
Would you then really care about the GPU’s available at low costs to attackers?
The difference in the two approaches is that the one response will be a permanent response to the issues faced delivered by strong architecture and understanding the root cause that we will never be able to deliver strong security if we just react.
For some great reading please refer to the following links: