Tuesday, August 27, 2013

Long passwords can now be easily cracked

Computer power has evolved (and keeps evolving) at an amazing pace. But all that power can be put to use in areas you might not want: like cracking passwords. A decade ago it would have seemed crazy to try every possible variation of an 8-character password... today, with the help of almighty GPU processing power, it can be done with ease.

This has pushed users into choosing longer passwords, since each extra character you add makes the password exponentially harder to brute-force. Some said the trick would be using pass-phrases instead of pass-words: a phrase is more easily remembered, and it spans dozens of characters, making it nearly impossible to crack... until now.

You'd think choosing a password like "thereisnofatebutwhatyoumake" or even "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn!" would keep you safe. But you'd be wrong.

There's a new version of the popular ocl-Hashcat password cracking program - ocl-Hashcat-plus - which can now attempt passwords up to 55 characters long (previous versions were limited to 15 characters). These programs can try to find your password by testing every possible letter/number/symbol combination... but that quickly becomes unfeasible for long passwords.

So the trick is to use popular words, passwords and phrases, plus several common variations (such as adding a 2-digit number at the end, or replacing some letters with numbers, "3" for "E" and such), as well as applying other common patterns, to narrow the possibilities down from the "quadrillions" to the more manageable billions. Cracking tools call these variations "rules": a rule file applied to a wordlist multiplies the dictionary by the number of rules, which is still a tiny fraction of the full brute-force keyspace.

Using a regular PC with two AMD HD 6990 graphics cards, ocl-Hashcat-plus can test over 223k passwords per second, allowing it to go through all 14.3 million passwords of the "RockYou" dictionary in about a minute. (The exact rate depends heavily on how the leaked database hashed its passwords: fast unsalted hashes such as MD5 fall orders of magnitude faster than deliberately slow ones like bcrypt.) That's why a password like "thereisnofatebutwhatyoumake" (from the Terminator movie) or even the cryptic "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn!" (from H.P. Lovecraft's The Call of Cthulhu) can now easily be found: both sit in published text, so both end up in the attacker's dictionary.
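To make the dictionary-plus-rules idea concrete, here is an added example (not code from the original post, and not hashcat's own rule engine): a constructed five-entry wordlist, a hand-written subset of hashcat-style rules (capitalize, leetspeak, strip spaces, append two digits, and their combinations), and an attack against unsalted MD5 hashes standing in for a leaked database. The wordlist, the hashes and the rule subset are all assumptions made for illustration.

```python
import hashlib
from typing import Iterator, Optional, Tuple

# Constructed mini wordlist standing in for RockYou-style dictionaries: common
# passwords plus quotes that appear in published text. Not the real list.
WORDLIST = [
    "password",
    "letmein",
    "thereisnofatebutwhatyoumake",
    "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn!",
    "correct horse battery staple",
]

# Leetspeak substitutions ("3" for "e" and so on), modelled on hashcat's 's' rules.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def mangle(word: str) -> Iterator[str]:
    """Yield rule-based variants of one dictionary entry.

    Rules modelled (a small hand-written subset of what a hashcat rule file does):
    identity, capitalize, leetspeak, strip spaces, and every combination of those,
    each with and without a two-digit suffix 00..99.
    """
    bases = {word, word.capitalize(), word.translate(LEET), word.replace(" ", "")}
    # Second pass so that combined rules (e.g. capitalize + leet) are covered too.
    bases |= {b.capitalize() for b in list(bases)} | {b.translate(LEET) for b in list(bases)}
    for base in sorted(bases):
        yield base
        for n in range(100):
            yield f"{base}{n:02d}"


def hash_password(plaintext: str, algo: str = "md5") -> str:
    """Unsalted hex digest, standing in for a hash leaked from a breached database."""
    return hashlib.new(algo, plaintext.encode()).hexdigest()


def crack(target_hash: str, algo: str = "md5") -> Optional[Tuple[str, int]]:
    """Dictionary + rules attack against one unsalted hash.

    Returns (plaintext, candidates_tried) on success, or None if the password is
    not reachable from the wordlist with these rules.
    """
    tried = 0
    for word in WORDLIST:
        for candidate in mangle(word):
            tried += 1
            if hash_password(candidate, algo) == target_hash:
                return candidate, tried
    return None


def candidate_count() -> int:
    """Size of the search space the rules produce from the whole wordlist."""
    return sum(1 for word in WORDLIST for _ in mangle(word))


def brute_force_space(length: int, alphabet_size: int = 26) -> int:
    """Keyspace for exhaustive search: alphabet_size ** length."""
    return alphabet_size ** length


if __name__ == "__main__":
    # Constructed targets: the Terminator quote, and a "hardened" leet + digits variant of it.
    for secret in ("thereisnofatebutwhatyoumake", "Th3r315n0f4t3butwh4ty0um4k337"):
        result = crack(hash_password(secret))
        if result:
            print(f"{secret!r}: cracked as {result[0]!r} after {result[1]} candidates")
        else:
            print(f"{secret!r}: not found")
    print(f"rule-expanded candidates from the wordlist: {candidate_count()}")
    print(f"brute-force keyspace for 27 lowercase letters: {brute_force_space(27):e}")
```

The point the numbers make: the 27-letter quote has a brute-force keyspace of 26^27, but the rules expand the whole constructed wordlist to only a few thousand candidates, and the "hardened" leet-plus-digits variant is found within that set too. A real wordlist and rule file are far bigger, but the ratio to the brute-force keyspace is the same story.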

A quick way to test the idea is to search for your passphrase on Google: if it is found anywhere and returns any results, you'd better change it to something else. Just be aware that typing your real password into a search engine hands it to a third party; the safer version of the same check is to ask whether the phrase is a quote, lyric or title that anyone could find in print or online. If it is, assume it is already in an attacker's dictionary.

Just keep in mind that this type of password attack requires access to a password database (more precisely, the stored password hashes). It isn't something hackers use to log in to your account on Facebook or Gmail: online login attempts are far slower and are typically rate-limited. It only works if they have obtained the service's database, meaning there has already been a security breach - something that unfortunately is becoming increasingly common. And with each newly cracked password, those attack dictionaries grow, making it easier to find similar passwords on other services - which is why reusing the same password or passphrase across sites is the real risk.

[via Ars]
