
Password Cracking Improvements

The art of password cracking has improved faster than I ever imagined it could. A few years ago I was recommending switching to passphrases instead of passwords. Then, I was recommending adding padding to passphrases. Now, these techniques are no longer acceptable. You really need to let a password safe generate long random passwords for you.

Much of the new power comes from new software, especially OCL-Hashcat in its various forms.

Ocl-Hashcat-plus is a fantastic cracking program able to test 223,000 password candidates a second, so it could check the most common 14 million passwords in about 1 minute on a slightly enhanced home computer costing well under $2,000. It will attack passphrases up to 55 characters long. It will use dictionaries, brute force attacks and combination attacks. An example of a combination attack would be to take a database of a million passwords and append every numeral from 0 to 9999 to the end of each one.

This program is free, and includes source code, support forums and training videos. Using it, researchers have cracked passwords such as "thereisnofatebutwhatwemake." (from the movie Terminator 2) and "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn1." (from a Lovecraft short story).

One helpful feature of this program is its ability to tailor the attack to the restrictions set by company policy. There is a toolkit available with many company policy restrictions in it. So, for example, if your company requires passwords of 8 to 16 characters that include at least one numeral, one upper-case and one lower-case letter but disallow symbols, then OCL-Hashcat will adapt to those restrictions, vastly speeding up the crack.

It also targets specific password algorithms and has special routines for many widely used programs.

How do we need to respond?

Make one super password you can remember and type into your mobile device, and then let your password manager create long random passwords for you. No need to remember any of them.
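The arithmetic behind the three points above (the million-word dictionary with 0 to 9999 appended, the 8 to 16 character policy with upper, lower and digits but no symbols, and the long random password a manager generates) can be worked through in a few lines. The following is an added example, not code from the article or from the Hashcat project; it assumes the article's quoted rate of 223,000 candidates a second throughout, and the dictionary size, policy and password length are the article's own sample values, not measurements.

```python
import math
import secrets
import string
from itertools import combinations

# Guess rate quoted in the article for oclHashcat-plus on a modest home PC.
# Real throughput varies enormously with the hash algorithm and hardware.
CANDIDATES_PER_SECOND = 223_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def hybrid_attack_candidates(dictionary_size: int, max_suffix: int = 9999) -> int:
    """Guesses needed for the article's combination attack: every dictionary
    word with every numeric suffix 0..max_suffix appended (bare words not counted)."""
    return dictionary_size * (max_suffix + 1)


def policy_keyspace(min_len: int, max_len: int, required_classes: list[str],
                    optional_chars: str = "") -> int:
    """Count passwords of length min_len..max_len drawn from the union of the
    character classes that contain at least one character from *every*
    required class.  Inclusion-exclusion over the set of classes left out;
    the classes are assumed to be disjoint (upper/lower/digits are)."""
    alphabet = set(optional_chars).union(*map(set, required_classes))
    total = 0
    for n in range(min_len, max_len + 1):
        for r in range(len(required_classes) + 1):
            for omitted in combinations(required_classes, r):
                remaining = alphabet.difference(*map(set, omitted))
                total += (-1) ** r * len(remaining) ** n
    return total


def seconds_to_exhaust(candidates: int, rate: int = CANDIDATES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return candidates / rate


def generate_password(length: int = 20,
                      alphabet: str = string.ascii_letters + string.digits) -> str:
    """What a password manager does: a uniformly random string from the CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy in a uniformly random password of this length and alphabet."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # 1) Million-word dictionary with 0..9999 appended, as in the article.
    n = hybrid_attack_candidates(1_000_000)
    print(f"hybrid attack: {n:,} guesses, ~{seconds_to_exhaust(n) / 3600:.1f} h")

    # 2) The article's sample policy: 8-16 chars, upper+lower+digit required, no symbols.
    policy = policy_keyspace(8, 16, [string.ascii_uppercase,
                                     string.ascii_lowercase, string.digits])
    unrestricted = sum(94 ** k for k in range(1, 17))  # any printable ASCII, 1-16 chars
    print(f"policy keyspace is {policy / unrestricted:.2%} of the unrestricted one")
    print(f"exhausting it: ~{seconds_to_exhaust(policy) / SECONDS_PER_YEAR:.3g} years")

    # 3) A 20-character generated password (letters and digits only, easy to type on a phone).
    pw = generate_password(20)
    print(pw, f"{entropy_bits(20, 62):.0f} bits,",
          f"~{seconds_to_exhaust(62 ** 20) / SECONDS_PER_YEAR:.3g} years to exhaust")
```

The policy count uses inclusion-exclusion rather than a rough 62^n so that it counts only strings that actually satisfy the rule; the comparison with the unrestricted 94-character keyspace is what "adapting to the restrictions" buys the cracker. The last step is the article's answer: a generated 20-character password has a keyspace of 62^20, which at the quoted rate takes on the order of 10^23 years to exhaust, against roughly half a day for the dictionary-plus-suffix attack.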

I use Keepass for my password manager and have written extensively about it. For Android mobile use I recommend Android2Keepass offline. It has the wonderful innovation of a Quick Unlock feature. The program closes automatically after a few minutes, but I can re-open it using the last 3 or 4 characters of my password. This makes it much more usable on a phone or tablet. Android2Keepass offline is fully compatible with the desktop Keepass program, so you do not need to maintain a separate database for your phone or tablet.

There are many iOS applications which will also support Keepass databases for use on Apple phones and tablets.

Related Article

ArsTechnica: Turbo Charged Cracking

Date: October 2013

Creative Commons License
This article is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.
