OPLIN 4cast #357: Can words still protect us?

Over the past couple of months, Dan Goodin wrote two articles in Ars Technica about password and passphrase protection that have been widely quoted in the tech media. (We link to the longer one of them below.) The articles were prompted by the release of a new version of Hashcat, a password cracking program that can now recover passwords up to 55 characters long. Because software like this keeps making password cracking easier, it is common to see recommendations that users instead use a passphrase – a long series of words that is easier to remember than a single complex password. But if passphrases are too easy to guess, they may not be any better protection than passwords.

  • How the Bible and YouTube are fueling the next frontier of password cracking (Ars Technica/Dan Goodin)  “As awareness has grown about the growing insecurity of passwords that were presumed strong only a few years ago, many people have turned to passphrases, often pulled from what they believe are overlooked songs, books, or other sources. The idea is to generate a long passcode that contains upper- and lower-case letters and possibly punctuation that’s nonetheless easy to remember. This turns out to be largely an exercise in futility. As is the case with passwords, the same thing that makes passphrases easy to remember makes them susceptible to easy cracking.”
  • Books and Youtube are supplying password crackers with billions of passphrases (Tested/Wesley Fenlon)  “And now crackers have discovered that resources like the Bible, Wikipedia, and the Gutenberg archive provide millions of phrases that people may use for passwords, believing that they’re long enough to be secure or unknown enough to be unguessable. ‘Ph’nglui mglw’nafh Cthulhu R’lyeh wgah’nagl fhtagn1’ from H.P. Lovecraft is a prime example. No computer could bruteforce such a complex password string, but no computer will have to – once that phrase is in a dictionary, it’s easy to crack.”
  • Is it truly, finally, sadly, game over for passwords? (Neal O’Farrell)  “A passphrase should not simply be a statement or saying that you read somewhere or remembered from childhood. Because if it’s been used before, chances are it’s already in a dictionary and could be guessed. A real passphrase is supposed to be something about you and your life that is unlikely to be on the internet and guessable by a hacker. And taking it one step forward, and one very crucial step, you don’t use the exact passphrase but only selected elements.”
  • Password cracker cracks 55 character passwords (Infosecurity)  “What the new version of hashcat demonstrates is that size is no longer as important as it used to be – it’s what the user does with the characters that matters. Length is still important; but rather than just a combination of words or phrases, it should be a mix of characters, numbers and punctuation symbols.”

Hashcat claims to be the world’s “fastest md5crypt, phpass, mscash2 and WPA/WPA2 cracker.” It’s also free.
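The articles above explain that crackers seed their wordlists with whole sentences from books and video captions, so a passphrase copied from such a source is only as strong as its position in that list. The following is an added illustration of the defender's side of that point (not code from the OPLIN newsletter, Hashcat, or any of the quoted articles): a check that a site could run at enrolment time to reject passphrases that are verbatim runs of published text, normalizing case, digits and punctuation the way cracking rules would. The corpus is a small constructed sample standing in for a real one.

```python
"""Reject passphrases that are contiguous runs of words from published text.

Added example, not from the original page. SAMPLE_CORPUS is a constructed
stand-in for the book/caption corpora the articles describe; a real
deployment would load a large one."""
import re

# Constructed sample corpus (a few well-known sentences, one per line).
SAMPLE_CORPUS = """
In the beginning God created the heaven and the earth.
It was the best of times, it was the worst of times.
Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn.
"""

MIN_WORDS = 3  # shorter runs are too common to count as a meaningful match


def normalize(text: str) -> list[str]:
    """Lower-case and keep only letters/apostrophes.

    Digits and punctuation are dropped on purpose: 'fhtagn1' and 'Fhtagn!'
    are cheap rule-based variations of the same base phrase, so the check
    must compare the underlying words, not the decorated string."""
    return re.findall(r"[a-z']+", text.lower())


def build_phrase_index(corpus: str) -> list[str]:
    """Split the corpus into sentences and store each as normalized words."""
    sentences = re.split(r"[.!?]\s+|\n", corpus)
    return [" ".join(normalize(s)) for s in sentences if normalize(s)]


def is_known_phrase(candidate: str, index: list[str]) -> bool:
    """True if the candidate is a contiguous run of >= MIN_WORDS words
    taken from some corpus sentence, i.e. something a wordlist would hold."""
    words = normalize(candidate)
    if len(words) < MIN_WORDS:
        return False
    needle = " " + " ".join(words) + " "  # pad so we match whole words only
    return any(needle in " " + sentence + " " for sentence in index)


PHRASE_INDEX = build_phrase_index(SAMPLE_CORPUS)

if __name__ == "__main__":
    for pw in ["Cthulhu R'lyeh wgah'nagl fhtagn1", "my cat knocked over the lamp"]:
        print(f"{pw!r}: known phrase = {is_known_phrase(pw, PHRASE_INDEX)}")
```

The check only catches verbatim word runs (with case, digit and punctuation variations stripped); it will not flag the "selected elements" approach O'Farrell describes, such as a passphrase built from only the first letters of each word, which is precisely why that approach resists wordlist attacks.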