The popular password-cracking app Hashcat has “upgraded” to support passwords of up to 55 characters, meaning that long passwords (for instance those made up of sentences) can be cracked far more quickly.
“We resisted adding this ‘feature’, as it would force us to remove several optimizations, resulting in a decrease in performance for the fast hashes. The actual performance loss depends on several factors (GPU, attack mode, etc), but typically averages around 15%.”
Long passwords have been a “last refuge” for people hoping to stay ahead of current trends in password cracking – where cybercriminals have a limitless number of “guesses” in attacks against lists of leaked passwords. Long passwords, while not invulnerable, can take longer to break.
This release may speed up the process considerably, according to Ars Technica’s Dan Goodin. Researchers have shown that it is possible to guess long and cryptic passwords such as “thereisnofatebutwhatwemake” and the fictional occult phrase from cult horror writer H. P. Lovecraft, “Ph’nglui mglw’nafh Cthulhu R’lyeh wgah’nagl fhtagn1”, Goodin reports.
“I’ve been saying for a long time that while passphrases can offer better protection against password cracking than a simple password, it’s easy to over-estimate the usefulness of that measure,” says ESET Senior Research Fellow David Harley. “Many of the techniques used in password cracking are perfectly usable when trying to crack a passphrase, even though in many cases they’ll take significantly longer.”
“It’s as easy for a dictionary to include common phrases as it is to list single words. Fuzzy matching algorithms can catch simple-to-fairly-complex variations. Common techniques for improving entropy such as character substitution (for and by spaces/delimiters, punctuation etc as well as words) work as well on long phrases as on short strings. Basically, however good your passphrase is, your opponent is a system with infinite patience and the ability to try huge numbers of variations per second, not Sandra Bullock or David McCallum making smart guesses at what keywords might appeal to you. If the attacker isn’t restricted in the number of cracking attempts he can make, as when a password database is compromised, it’s more about what resources he can throw at your passphrase than it is about how many characters you used.”
“This has always been the case: all that’s happening here is that the difference in crackability between a six-character password and a 50-character passphrase is remorselessly narrowing as more cycles and better algorithms become available.”
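Harley’s point that a passphrase built from dictionary words, or lifted from a known quote, is guessed word by word or looked up whole rather than character by character can be shown with a small entropy estimate. This is an added example, not code from the article, from Hashcat or from ESET; the word and phrase lists are constructed toys and the list sizes used in the estimate are assumptions.

```python
import math
from typing import Optional

# Constructed toy dictionaries standing in for the far larger lists a
# cracking rig would use; the sizes below are assumptions for the estimate,
# not the sizes of these sets.
WORDS = {"there", "is", "no", "fate", "but", "what", "we", "make",
         "correct", "horse", "battery", "staple", "password"}
PHRASES = {"thereisnofatebutwhatwemake", "correcthorsebatterystaple"}
ASSUMED_WORDLIST_SIZE = 10_000        # assumption: modest English word list
ASSUMED_PHRASELIST_SIZE = 1_000_000   # assumption: quotes/lyrics/titles list

def naive_bits(pw: str) -> float:
    """Character-level estimate: length * log2(alphabet). This is the
    figure people usually have in mind when they call a passphrase strong."""
    alphabet = 26 if pw.isalpha() and pw.islower() else 95
    return len(pw) * math.log2(alphabet)

def segment(pw: str, words: set) -> Optional[list]:
    """Split pw into the fewest dictionary words (dynamic programming).
    Returns None when pw cannot be covered entirely by known words."""
    best = {0: []}
    for end in range(1, len(pw) + 1):
        for start in range(end):
            if start in best and pw[start:end] in words:
                cand = best[start] + [pw[start:end]]
                if end not in best or len(cand) < len(best[end]):
                    best[end] = cand
    return best.get(len(pw))

def word_model_bits(n_words: int) -> float:
    """Guess space of a word-by-word (combinator) model: one pick per word."""
    return n_words * math.log2(ASSUMED_WORDLIST_SIZE)

def estimate(pw: str) -> dict:
    """Naive estimate next to the cheapest attacker model that covers pw."""
    est = {"naive_bits": naive_bits(pw)}
    split = segment(pw, WORDS)
    if split is not None:
        est["words"] = split
        est["word_model_bits"] = word_model_bits(len(split))
    if pw in PHRASES:           # whole quote present in a phrase list
        est["phrase_dict_bits"] = math.log2(ASSUMED_PHRASELIST_SIZE)
    # The attacker uses whichever model is cheapest, so that is the real strength.
    est["effective_bits"] = min(v for k, v in est.items() if k.endswith("_bits"))
    return est

if __name__ == "__main__":
    for pw in ("thereisnofatebutwhatwemake", "xqzvbnk"):
        print(pw, estimate(pw))
```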
Author Rob Waugh, We Live Security