Wired is reporting that the password cracking program “ocl-Hashcat-plus” is now able to crack passwords up to 55 characters long. The importance of strong, unique passwords is not lost on people who use managed laptop disk encryption like AlertBoot FDE. However, at some point, one has to wonder whether lengthier passwords are the answer to data security.
8 Billion Guesses per Second
Prior to the latest release, the password cracking program “ocl-Hashcat-plus” (Hashcat) had a limit on the length of passwords it could guess. According to the creators of the program, a 15-character limit was imposed on purpose, as increasing the character count would “[result] in a decrease in performance.”
However, the demand for cracking longer passwords finally won out. The improvement depends on the hash algorithm that’s being targeted, but “the maximum can grow as high as 64 characters or as low as 24,” according to wired.com. (This does not imply that passwords shorter than 24 characters are somehow more secure. There is other password cracking software besides Hashcat, after all.)
It is further being reported that Hashcat can achieve password cracking speeds of eight billion guesses per second. How much damage can the software deliver?
ocl-Hashcat-plus targets a much wider number of popular cryptographic products and applications, including TrueCrypt 5.0 and beyond, 1Password, Lastpass, the SHA256 algorithm in the Unix operating system, and hashing operations found in the latest version of Apple’s OS X operating system.
Yikes. As another metric, wired.com is reporting that the 14.3 million passwords that were leaked in the RockYou list can be cracked in 65 seconds.
Time to Salt Your Own Passwords?
A couple of passwords that were cracked using the newly released Hashcat are “thereisnofatebutwhatwemake” and “Ph’nglui mglw’nafh Cthulhu R’lyeh wgah’nagl fhtagn1,” which come from an H.P. Lovecraft story (well, that and the number 1. I guess someone’s password policies required the use of letters and numbers).
Now, it could be that these two passwords were not “salted” and thus were “easy” to crack. However, when you consider that Hashcat can go through 8 billion passwords per second, and that both passwords are less than 55 characters long, it stands to reason that they could have fallen regardless of salting – especially if the same salt is applied to all passwords stored by a company.
If the above two passwords cannot stand… aren’t we all doomed? The only sensible answer is to start using passwords that are even longer than 55 characters. Good luck remembering that…
A simple remedy may lie in the use of salts, though: You start salting your passwords yourself. For example, why create a new password that is longer than 55 characters when you can take your old one and stretch it out?
Take “thereisnofatebutwhatwemake” as an example. If you decide your salt is “firefly,” then the password could now be “therefireflyisfireflynofireflyfatefireflybutfireflywhatfireflywefireflymake” which is 75 characters long and as easy to remember as the old password, if a bit unwieldy.
The problem? At some point, passwords are going to become too long for humans to use. It’s the reason why AES-256 encryption keys are not chosen by people; instead, they’re randomly generated by computers.
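As an added example (not code from the original post), the following Python script makes concrete the earlier point about a single company-wide salt: with one shared salt an attacker hashes each dictionary guess once and checks it against every stored account, whereas a random salt per user multiplies that work by the number of accounts. The account names, passwords and wordlist are constructed for the demonstration; the 8 billion guesses per second figure is the one quoted above.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; two of them reuse the phrases quoted in the post.
USERS = {
    "alice": "thereisnofatebutwhatwemake",
    "bob": "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn1",
    "carol": "correct horse battery staple",
}
# Constructed stand-in for an attacker's dictionary of well-known phrases.
WORDLIST = ["password1", "thereisnofatebutwhatwemake",
            "correct horse battery staple", "letmein"]
GUESSES_PER_SECOND = 8_000_000_000  # cracking rate quoted from wired.com above


def salted_sha256(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def store_passwords(users: dict, per_user_salt: bool) -> dict:
    """Return {user: (salt, digest)}. With per_user_salt=False every
    account shares one salt, the weak setup the post warns about."""
    shared = os.urandom(16)
    stored = {}
    for name, password in users.items():
        salt = os.urandom(16) if per_user_salt else shared
        stored[name] = (salt, salted_sha256(salt, password))
    return stored


def dictionary_attack(stored: dict, wordlist: list) -> tuple:
    """Count the hashes needed to test every guess against every account.
    A salt shared by all accounts means one hash per guess covers them all."""
    distinct_salts = {salt for salt, _ in stored.values()}
    recovered, hashes_computed = {}, 0
    for guess in wordlist:
        for salt in distinct_salts:
            digest = salted_sha256(salt, guess)
            hashes_computed += 1
            for name, (s, d) in stored.items():
                if s == salt and hmac.compare_digest(d, digest):
                    recovered[name] = guess
    return recovered, hashes_computed


def seconds_to_exhaust(hashes_computed: int) -> float:
    """Wall-clock time for that many hashes at the rate quoted in the post."""
    return hashes_computed / GUESSES_PER_SECOND
```

Running `dictionary_attack(store_passwords(USERS, False), WORDLIST)` reports 4 hashes for the shared-salt store against 12 for per-user salts, and the two accounts whose phrases appear in the wordlist are recovered in both cases; only the salt-per-account layout scales the attacker's cost with the size of the user base.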