-Armando
Did you read the article? Sorry, but this leaves the impression, for those who will only see your comment and not read the article, that this is a bad thing. As the article points out, this is meaningless. This only allows hackers to crack very small and very simple passwords - ones like 'EatMeat' - your basic letter-only 8 character passwords. If you do the math, they would need to make this whole thing work 1,000 times faster just to make it crack a password in a human's lifetime. Any reasonable password cannot be cracked in any reasonable amount of time. And it is very easy just to change your password today and turn it into a passphrase, making it almost impossible to crack within your lifetime. For example, change your password from 'jE84%kd^' to "*IfYouAren'tFiredWithEnthusiasm,$YouWillBeFiredWithEnthusiasm." This is a random quote I grabbed and salted with a '*' and a '$'. This is, to all intents and purposes, uncrackable via brute force.
-tinjaw
Okay, so I read the source article linked in Josh's post and I didn't get any of what you're saying. It left the impression to me that cracking passwords is a lot faster due to parallel processing.
It even says, in Josh's post:
The toughest passwords, including those used to log in to a Windows Vista computer, would normally take months of continuous computer processing time to crack using a computer's central processing unit (CPU). By harnessing a $150 GPU - [...] - Elcomsoft says they can be cracked in just three to five days. Less complex passwords can be retrieved in minutes, rather than hours or days.
And the only hint I see about it taking a lifetime to crack a password is this:
Password cracking can be used to unlock data on a computer, but will not usually work on a banking or commercial website. This is because it takes too long to run through multiple passwords, and because a site will normally block a user after several failed attempts.
And the only reason it would take so long is because the banks and places would lock you out after a few attempts, and possibly flag the account for watch.
So I'm not sure where you're getting your info on a "reasonable" password taking an unreasonable amount of time to crack. Then again, I suppose that means I should ask your definition of a "reasonable" password.
Is "*IfYouAren'tFiredWithEnthusiasm,$YouWillBeFiredWithEnthusiasm." reasonable to you? Do you really want to type that in every time?
I'm probably slightly above average when it comes to passwords, thinking a mix of letters and numbers is reasonable. Strange characters would be good, and long strings of jumbled nonsense would be the best, but not from a usability standpoint.
EDIT: I typed this up while the previous comments were made. I'll read Jeff's blog now.
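A worked version of the "do the math" argument in the earlier comment, added here as an example that is not part of this thread: it estimates the brute-force search space for the two passwords quoted above and the worst-case time to exhaust it. The guess rate of 10^9 per second is an assumption for illustration; the article gives no figure.

```python
import math
import string

# Character classes an attacker is assumed to enumerate in full once any member appears.
CLASSES = {
    "lower": set(string.ascii_lowercase),  # 26
    "upper": set(string.ascii_uppercase),  # 26
    "digit": set(string.digits),           # 10
    "punct": set(string.punctuation),      # 32
}

# The two passwords quoted in the thread.
SHORT = "jE84%kd^"
PASSPHRASE = "*IfYouAren'tFiredWithEnthusiasm,$YouWillBeFiredWithEnthusiasm."

# Assumed attacker throughput (placeholder; the article states no rate).
ASSUMED_GUESSES_PER_SECOND = 1e9
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Alphabet a brute-force search must cover: the union of every character
    class the password touches, plus any character outside those classes."""
    size, covered = 0, set()
    for chars in CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
            covered |= chars
    return size + len(set(password) - covered)


def keyspace(password: str) -> int:
    """Number of candidates of this length over that alphabet."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Search space in bits, the usual unit for comparing strength."""
    return len(password) * math.log2(alphabet_size(password))


def years_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return keyspace(password) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    for pw in (SHORT, PASSPHRASE):
        print(f"{pw!r}: {len(pw)} chars, alphabet {alphabet_size(pw)}, "
              f"{entropy_bits(pw):.0f} bits, "
              f"{years_to_exhaust(pw, ASSUMED_GUESSES_PER_SECOND):.3g} years")
```

The 8-character password sits around 52 bits and falls in well under a year at the assumed rate, while the 62-character passphrase is near 396 bits; the difference is length, not the two salting characters.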