Cheap GPUs Rendering Strong Passwords Useless

StrongGlad writes with a story at ZDNet describing how it's getting easier to use GPU processing against passwords once considered quite strong. "Take a cheap GPU (like the Radeon HD 5770) and the free GPU-powered password busting tool called 'ighashgpu' and you have yourself a lean, mean password busting machine. How lean and mean? Working against NTLM login passwords, a password of 'fjR8n' can be broken on the CPU in 24 seconds, at a rate of 9.8 million password guesses per second. On the GPU, it takes less than a second at a rate of 3.3 billion passwords per second. Increase the password to 6 characters (pYDbL6), and the CPU takes 1 hour 30 minutes versus only four seconds on the GPU. Go further to 7 characters (fh0GH5h), and the CPU would grind along for 4 days, versus a frankly worrying 17 minutes 30 seconds for the GPU."

Re:If someone gets your hashed password..

[Fenis-Wolf]

You're aware of course that this is an offline attack? The way it works is you snag a hash as it goes across the wire (via man in the middle, client installed malware, or some other attack) then you take that hash and you calculate on your cracking machine passwords until you reach a password that matches that hash. Then the attacker takes your password and goes and logins with it. The server never sees 'billions passwords per second'.