A couple of months ago, our very own Jason Ede wrote a great article on password security and just how easy it is for hackers to gain access to personal information. Once hackers gain access to hash databases and run software such as the popular hacking tool “Hashcat” against them, it is only a matter of time before hundreds of passwords are cracked. A new modification to the popular software has vastly improved its cracking capabilities, leaving a lot of people vulnerable to attack.
55 Character Cracking
In the recent update, the developers have made it possible for the software to crack passwords of up to 55 characters in length. This is a significant jump from the 15-character limit in previous versions, but what does this mean for user security? Put simply, lengthy passwords are no longer immune, and “pass-phrases” are almost as easy to crack as short passwords. It has been demonstrated that Hashcat is able to crack long phrases taken from novels and common expressions from pieces of literature, as hackers feed large numbers of sources into their “dictionaries”. Many people have turned to using phrases as passwords in order to combat vulnerability, but this development poses a new threat to the reliability of the traditional password.
8 Billion Guesses Per Second
According to arstechnica.com, users of the new version of Hashcat with the right equipment will be able to make as many as 8 billion guesses per second. The lead developer of Hashcat has stated that increasing the maximum length was the improvement most requested by its users, and now that it has been implemented, the security level of many passwords has been decreased. David Harley, a senior researcher at IT security company ESET, has said:
“I’ve been saying for a long time that while passphrases can offer better protection against password cracking than a simple password, it’s easy to over-estimate the usefulness of that measure.”
The longer the password, the longer it usually takes to crack, but once the hash database is in the hands of the crackers, time is not an issue. With this type of software being improved constantly, perhaps it is time we looked to two-factor authentication as standard, or a move away from the password altogether.
There are ways to protect yourself, such as using uncommon phrases and increasing the number of numerical characters and symbols you use. Using a different password for every site is recommended too, because once a hacker has your details, your entire online presence is in danger of being compromised. Refer to Jason’s article for more tips and information on how to build a strong defence.
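As an added illustration (not from the original article or from Hashcat), the Python sketch below shows why a passphrase lifted from a known text is only as strong as the phrase list it appears in, using the 8 billion guesses per second figure quoted above. The sample corpus, the function names and the 95-symbol printable character set are assumptions made for this example.

```python
import re

GUESSES_PER_SECOND = 8_000_000_000  # figure quoted in the article; depends on hash type and hardware
MAX_LEN = 55                        # maximum candidate length the article cites

# Constructed sample corpus standing in for the novels and common
# expressions the article says end up in cracking "dictionaries".
CORPUS = ("It was the best of times, it was the worst of times. "
          "There is no fate but what we make. "
          "All that glitters is not gold.")

def tokens(text):
    """Lower-case alphanumeric runs; spacing and punctuation are dropped."""
    return re.findall(r"[a-z0-9]+", text.lower())

def phrase_set(corpus, max_len=MAX_LEN):
    """Every run of consecutive corpus words, joined without spaces."""
    toks, phrases = tokens(corpus), set()
    for start in range(len(toks)):
        joined = ""
        for tok in toks[start:]:
            joined += tok
            if len(joined) > max_len:
                break
            phrases.add(joined)
    return phrases

def exhaust_seconds(password, phrases, charset=95):
    """Return (search space an attacker needs, worst-case seconds to exhaust it).

    A phrase found in the list costs only len(phrases) guesses, however long
    it is; anything else is costed as brute force over `charset` symbols.
    Not being in *this* list says nothing about an attacker's larger lists.
    """
    if "".join(tokens(password)) in phrases:
        return "phrase-list", len(phrases) / GUESSES_PER_SECOND
    try:
        return "brute-force", charset ** len(password) / GUESSES_PER_SECOND
    except OverflowError:  # keyspace too large to express as a float
        return "brute-force", float("inf")

if __name__ == "__main__":
    known = phrase_set(CORPUS)
    for candidate in ("There is no fate but what we make", "q7#Vz!m2Lp@x"):
        space, secs = exhaust_seconds(candidate, known)
        print(f"{candidate!r:40} {space:12} {secs:.3g} s")
```

The same check can be run when a user sets a password, with the corpus replaced by whatever phrase and breached-password lists the site maintains.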
Sources:
http://arstechnica.com/security/2013/08/thereisnofatebutwhatwemake-turbo-charged-cracking-comes-to-long-passwords/
http://www.welivesecurity.com/2013/08/27/even-long-passwords-can-be-cracked-quickly-as-hashcat-app-upgrades/#