Long passwords don’t offer “safe option” as cracker app upgrades

The popular password-cracking tool Hashcat has been “upgraded” to handle passwords of up to 55 characters, up from its earlier limit of 15. Long passwords (for instance those made up of whole sentences), which the tool previously would not even attempt, are now within reach of the same GPU-accelerated attacks that short passwords have faced for years.

“Adding support for passwords longer than 15 characters was by far one of the most requested features,” Hashcat’s developers said in the application’s release notes.

“We resisted adding this “feature”, as it would force us to remove several optimizations, resulting in a decrease in performance for the fast hashes. The actual performance loss depends on several factors (GPU, attack mode, etc), but typically averages around 15%.”

Long passwords have been a “last refuge” for people hoping to stay ahead of current trends in password cracking, in which an attacker holding a copy of a leaked password database has a limitless number of “guesses” against its stored hashes. Long passwords, while not invulnerable, have generally taken longer to break.

This release may speed up the process considerably, according to Ars Technica’s Dan Goodin. His report describes researchers recovering long and cryptic passwords such as “thereisnofatebutwhatwemake” and “Ph’nglui mglw’nafh Cthulhu R’lyeh wgah’nagl fhtagn1”, the latter a fictional occult phrase from cult horror writer H. P. Lovecraft with a single digit appended.

“I’ve been saying for a long time that while passphrases can offer better protection against password cracking than a simple password, it’s easy to over-estimate the usefulness of that measure,” says ESET Senior Research Fellow David Harley. “Many of the techniques used in password cracking are perfectly usable when trying to crack a passphrase, even though in many cases they’ll take significantly longer.”

“It’s as easy for a dictionary to include common phrases as it is to list single words. Fuzzy matching algorithms can catch simple-to-fairly-complex variations. Common techniques for improving entropy such as character substitution (for and by spaces/delimiters, punctuation etc. as well as words) work as well on long phrases as on short strings. Basically, however good your passphrase is, your opponent is a system with infinite patience and the ability to try huge numbers of variations per second, not Sandra Bullock or David McCallum making smart guesses at what keywords might appeal to you. If the attacker isn’t restricted in the number of cracking attempts he can make, as when a password database is compromised, it’s more about what resources he can throw at your passphrase than it is about how many characters you used.”

“This has always been the case: all that’s happening here is that the difference in crackability between a six-character password and a 50-character passphrase is remorselessly narrowing as more cycles and better algorithms become available.”
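The mechanics Harley describes (a dictionary of whole phrases, mutation rules such as case changes, space removal, character substitution and appended digits, all run offline against a captured hash database) can be shown in a few dozen lines. The following Python script is an added example written for this page; it is not code from the article, from ESET or from Hashcat. It assumes a constructed “leaked” database of unsalted MD5 hashes (a fast hash of the kind the release notes mention), a constructed four-entry phrase list, and a `max_len` cut-off that stands in for the 15-character limit before the release and the 55-character limit after it. The two long plaintexts are the ones quoted above (with straight apostrophes); the third is a random 26-character control string.

```python
from __future__ import annotations

import hashlib
import string
from typing import Iterable

# Assumption for the example: the breached site stored fast, unsalted MD5.
def md5_hex(candidate: str) -> str:
    return hashlib.md5(candidate.encode("utf-8")).hexdigest()

# Constructed fixture: the plaintexts exist only to build the "leaked" hash
# set; a real attacker starts from the hashes alone.  The third entry is a
# random 26-character control that no phrase dictionary should hit.
_FIXTURE = [
    "thereisnofatebutwhatwemake",
    "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn1",
    "m7Vq!2pLx9#sRk4tZ0wBhN1eY3",
]
LEAKED_HASHES = {md5_hex(p) for p in _FIXTURE}

# Constructed phrase list; real ones hold millions of quotations and lyrics.
PHRASES = [
    "to be or not to be",
    "there is no fate but what we make",
    "correct horse battery staple",
    "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn",
]

LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
SUFFIXES = list(string.digits) + ["!", "1!", "123"]


def mutate(phrase: str) -> list[str]:
    """Rule engine in the spirit of cracker rule files: spacing, case, leet
    substitution and appended suffixes.  The number of variants produced does
    not depend on how long the phrase is, only on how many rules there are."""
    bases = [phrase, phrase.replace(" ", "")]
    bases += [b.lower() for b in bases]
    bases += [b[:1].upper() + b[1:] for b in bases]
    bases += [b.translate(LEET) for b in bases]
    bases = list(dict.fromkeys(bases))            # drop duplicates, keep order
    out: list[str] = []
    for b in bases:
        out.append(b)
        out.extend(b + s for s in SUFFIXES)
    return out


def crack(hashes: set[str], phrases: Iterable[str], max_len: int) -> tuple[dict[str, str], int]:
    """Offline attack: hash every candidate of at most max_len characters and
    look it up in the leaked set.  Returns {hash: plaintext} for each hit and
    the number of hashes computed.  max_len models the cracker's candidate
    limit: candidates above it are never generated, let alone tried."""
    remaining = set(hashes)
    found: dict[str, str] = {}
    computed = 0
    for phrase in phrases:
        for cand in mutate(phrase):
            if len(cand) > max_len:
                continue
            computed += 1
            digest = md5_hex(cand)
            if digest in remaining:
                found[digest] = cand
                remaining.discard(digest)
    return found, computed


def seconds_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Attack cost is candidates divided by guess rate; password length is absent."""
    return candidates / guesses_per_second


if __name__ == "__main__":
    for limit in (15, 55):
        found, n = crack(LEAKED_HASHES, PHRASES, max_len=limit)
        print(f"max_len={limit}: {len(found)} of {len(LEAKED_HASHES)} cracked after {n} hashes")
        for digest, plain in found.items():
            print(f"  {digest}  {plain!r} ({len(plain)} chars)")
    total = sum(len(mutate(p)) for p in PHRASES)
    # Online guessing throttled to 5 attempts per 5 minutes versus offline
    # hashing; the 1e9 MD5/s figure is an illustrative assumption, not a measurement.
    print("online, 5 tries per 5 min:", seconds_to_exhaust(total, 5 / 300), "s")
    print("offline, 1e9 MD5/s (assumed):", seconds_to_exhaust(total, 1e9), "s")
```

With `max_len=15` nothing is recovered, because every candidate that could match is longer than the limit and is skipped; with `max_len=55` both phrase-derived passwords fall to the dictionary plus a handful of rules, while the random string of the same length as the first is never reached. The candidate count, and therefore the cost, is identical for an 18-character phrase and a 33-character one, which is the point Harley makes about length.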

Author , We Live Security

  • Coly Moore

    Yes but. The cracker has to try each of millions of wrong guesses. Most sites will block an IP for 5 minutes or so after 4 or 5 unsuccessful logins. That means that the cracking has to proceed rather slowly. On our site I get an alarm after 100 total failed logins in one day and I can then block the IP at the server. I imagine most important sites have similar security arrangements.

    • Indeed. Some services will disable an account after (say) three failed attempts to authenticate. Which is why I said “If the attacker isn’t restricted in the number of cracking attempts he can make, as when a password database is compromised.” Actually, even where there is no limit on the number of login attempts, the time needed to go through the authentication process each time seriously impairs the speed and effectiveness of a cracking program. But that’s not the issue here. The kind of cracking discussed here comes into play when a password database has been captured, as has happened so many times in recent years. The attacker normally uses it to identify passwords offline, i.e. long before he ever goes near the live account.

      • Coly Moore

        I see that you do say “If the attacker isn’t restricted in the number of cracking attempts he can make, as when a password database is compromised” and that your article really only applies to those cases. I think many people, like me, will overlook that since it doesn’t appear until the end of the 7th paragraph and isn’t in the headline. Thanks for your clarification.

        For online cracking of individual accounts there are of course easier ways, such as using a trojan to steal the password store on a browser. But that is a different matter.

        • Well, I didn’t actually write the article. :) I think that’s a fair point, though. Sometimes what’s obvious to us, as a security company – i.e. that this kind of cracking is usually done offline – isn’t so obvious to people who aren’t immersed full time in security issues. We do try to bear that in mind, but it’s sometimes hard to remember when some of our articles are clearly only of interest to a specialist audience and some are clearly of more general interest.

  • Long passwords don’t matter. It’s also useless to include upper case, numbers, or special characters. They’re all worthless as long as companies use easy to research security questions like “Where were you born” or “Where did you go to high school”. The company that handles my bank access honestly asked me for my mother’s maiden name.

    • I agree that easily guessed/researched secondary questions aren’t very useful as authentication for someone needing to have their password reset, for instance. A lot of financial institutions are gradually migrating to better challenge-response options and augmentation of static passwords with some form of multi-factor authentication, though. And about time too… I guess that some smaller banks, credit unions etc. are probably still some way behind the curve, though.

    • Julia Hayward

      Then use cryptic or false answers to those questions – they don’t care…

  • Neal O’Farrell

    Good article, good argument, but seemed to miss the point about passphrases. They were never supposed to be literal or common phrases that might be in common use somewhere. They were supposed to be based on a statement by the user about the user. Take a long phrase about yourself or something you like, that would be almost impossible for a stranger to know or guess, then make some kind of selection from that phrase – every first letter + all numbers etc. How does a dictionary attack threaten this type of passphrase?

    • That’s a better approach than using a common phrase literally – a well-thought out passcode generation scheme is usually more resistant to cracking – but hashcat is a lot more than a simple dictionary attack. The news here isn’t really about the nature of passphrases: it’s about the extended 55 character space now available to hashcat+ to try its full arsenal against.

  • JOn

    How long will it take to crack a password at least 65 characters long?

    • That entirely depends on the hardware and software you throw at it.


Copyright © 2017 ESET, All Rights Reserved.