How the Bible and YouTube are fueling the next frontier of password cracking | Ars Technica
Tue Jan 21 12:22:38 2014
- combining several common words, e.g. "pinkyandthebrain", "pithecanthropus" and "moonlightshadow": CRACKED via dictionary
- up to 8 characters: CRACKED via brute force
- combining rare words such as "crotalus atrox": CRACKED via a dictionary built from Wikipedia
- phrases: "Am i ever gonna see your face again?" (36 characters), "in the beginning was the word" (29), "from genesis to revelations" (26), "I cant remember anything" (24), "thereisnofatebutwhatwemake" (26), "givemelibertyorgivemedeath" (26) and "eastofthesunwestofthemoon" (25): CRACKED via phrase lists
Passwords shorter than 13 characters can be brute-forced within 24 hours now (this holds for fast, unsalted hashes attacked with masks and Markov-ordered guessing, not for an exhaustive search: all 12-character strings over 95 printable symbols are 95^12, about 5 x 10^23 candidates, far beyond a day at any published GPU rate).
- John the Ripper, Hashcat, oclHashcat-plus (the GPU-accelerated Hashcat)
- word lists of up to 1 billion entries (including slang, misspellings and some outright garbage harvested from Twitter, IRC logs and YouTube comments)
- 1.36 billion unique phrases extracted from the first 15,000 books of Project Gutenberg
Crackers said the biggest challenge is the work required to update and hone their phrase lists and rule sets so that they can still be processed quickly.
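An added illustration of the phrase-list attack these notes describe (example code written for this page, not from the article or from any cracker's tooling): it extracts every run of up to eight consecutive words from a small constructed corpus (two KJV verses and a Patrick Henry line, standing in for the 15,000 Gutenberg books and the YouTube comment dumps), applies a few hashcat-style mangling rules, and checks the unsalted SHA-1 of each candidate against a target list. The targets are constructed here from three of the passphrases quoted above; the third is not in the corpus and survives, which is exactly why the corpus and rule sets need constant updating.

```python
import hashlib
import re

# Constructed sample corpus (KJV text is public domain). The real attack fed
# whole Gutenberg books and YouTube comments through the same pipeline.
CORPUS = """
In the beginning God created the heaven and the earth.
In the beginning was the Word, and the Word was with God, and the Word was God.
Give me liberty or give me death.
"""

MAX_WORDS = 8  # longest phrase we will try


def phrases(text, max_words=MAX_WORDS):
    """Yield every run of 1..max_words consecutive words from each sentence."""
    for sentence in re.split(r"[.!?]\s*", text):
        words = [w.lower() for w in re.findall(r"[A-Za-z']+", sentence)]
        for i in range(len(words)):
            for n in range(1, max_words + 1):
                if i + n > len(words):
                    break
                yield words[i:i + n]


def mangle(words):
    """Hashcat-style rules on one word run: spaced, squashed, capitalised variants."""
    spaced = " ".join(words)
    squashed = "".join(words)
    yield spaced
    yield squashed
    yield spaced.capitalize()
    yield squashed.capitalize()
    yield "".join(w.capitalize() for w in words)


def sha1_hex(s):
    """Unsalted SHA-1, the kind of fast hash the leaked dumps in the article used."""
    return hashlib.sha1(s.encode()).hexdigest()


def crack(targets, text=CORPUS):
    """Return {hash: plaintext} for every target hash hit by a mangled corpus phrase."""
    remaining = set(targets)
    found = {}
    for run in phrases(text):
        for candidate in mangle(run):
            h = sha1_hex(candidate)
            if h in remaining:
                found[h] = candidate
                remaining.discard(h)
                if not remaining:
                    return found
    return found


if __name__ == "__main__":
    # Constructed targets: SHA-1 of three passphrases quoted in the article.
    targets = [sha1_hex(p) for p in ("in the beginning was the word",
                                     "givemelibertyorgivemedeath",
                                     "thereisnofatebutwhatwemake")]
    hits = crack(targets)
    for t in targets:
        print(t[:12], "->", hits.get(t, "<not in corpus>"))
```

Run it as a script to see two hits and one miss. Against a real dump the loop is the same; only the corpus (gigabytes of text), the rule set and the hash function change, and a slow, salted hash such as bcrypt would cut the per-candidate rate by orders of magnitude.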
CHANGE PASSWORDS EVERY 90 DAYS (or even more often!!!)
So is "correct horse battery staple" still the right type of password to use? It doesn't seem like just stringing together a few dictionary words is sufficient any more. Surely putting together random but common dictionary words is in the cracker's arsenal as well.
There are ~750,000 words in the English language. Even without substitutions, capitalizations, or weird spacing, that represents about 10^23 combinations if you picked 4 at random. You could test a billion combinations a second and finish sometime in the next 4 million years. But you said common words...
Average adult vocabulary is 20,000-35,000 words. Let's assume that people who voluntarily test their vocabulary are probably on the high end of the bell curve in terms of word usage, and cut that low number in half. That leaves us with 10,000 words, and 10^16 ways to combine them (again, if we picked just 4 at random to make our random passphrase). Generating a million hashes per second (pretty damn fast), it would take our cracker about 120 days to go through the combinations, and consume 284 PB if he decides to store it as a lookup table. And that's just from choosing 4 random commonly used words. If you went to 5, or decided to capitalize the first and last letters, or the first letter of every word, or put a random space in there, or included a "word" made up from the first letters of all the other words (e.g., "correct horse battery staple chbs")... well, the numbers get astronomical very quickly.
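The comment's figures, recomputed as an added example (code written for this page, not the commenter's or the article's): the functions below give keyspace, entropy, exhaustion time and lookup-table size for a passphrase drawn from a vocabulary, and for a plain brute force over a character set. With 10,000 words taken 4 at a time the space is exactly 10^16 (about 53 bits); at 10^6 guesses per second exhausting it takes about 317 years, and the 120-day figure corresponds to 10^9 guesses per second, which is the order of GPU rate the notes above are about. The 284 PB table comes out if each entry is 32 bytes and the unit is PiB; both are assumptions stated in the code, as are the three guess rates used in the demo.

```python
import math

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def passphrase_keyspace(vocab, n_words):
    """Ordered n_words-word passphrases drawn (with repetition) from `vocab` words."""
    return vocab ** n_words


def bruteforce_keyspace(charset, max_len):
    """All strings of length 1..max_len over a charset of `charset` symbols."""
    return sum(charset ** n for n in range(1, max_len + 1))


def entropy_bits(keyspace):
    """Bits of entropy for a uniformly random choice from `keyspace` candidates."""
    return math.log2(keyspace)


def seconds_to_exhaust(keyspace, guesses_per_second):
    """Worst-case time to try the whole space at a fixed guess rate."""
    return keyspace / guesses_per_second


def table_bytes(keyspace, bytes_per_entry=32):
    """Storage for a full hash -> plaintext lookup table.

    32 bytes per entry (a 20-byte SHA-1 plus a reference to the plaintext) is an
    assumption; it reproduces the comment's 284 PB figure when read as PiB.
    """
    return keyspace * bytes_per_entry


def human_time(seconds):
    """Render a duration at the granularity a cracker cares about."""
    if seconds < SECONDS_PER_DAY:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:.0f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


if __name__ == "__main__":
    # Assumed guess rates for illustration: 1e6/s (the comment's figure),
    # 1e9/s (a GPU against a fast unsalted hash) and 1e11/s (a GPU cluster).
    rates = (10**6, 10**9, 10**11)
    scenarios = [
        ("4 words from 10,000", passphrase_keyspace(10_000, 4)),
        ("4 words from 750,000", passphrase_keyspace(750_000, 4)),
        ("5 words from 10,000", passphrase_keyspace(10_000, 5)),
        ("<=8 chars, 95 symbols", bruteforce_keyspace(95, 8)),
        ("<=12 chars, 95 symbols", bruteforce_keyspace(95, 12)),
    ]
    header = " ".join(f"{r:.0e}/s".rjust(16) for r in rates)
    print(f"{'scenario':24} {'bits':>5} {header}")
    for name, space in scenarios:
        row = " ".join(human_time(seconds_to_exhaust(space, r)).rjust(16) for r in rates)
        print(f"{name:24} {entropy_bits(space):5.1f} {row}")
    print(f"lookup table for 10^16 entries: {table_bytes(10**16) / 2**50:.0f} PiB")
```

The table makes the comment's own point sharper than its arithmetic does: a fifth word or a larger vocabulary buys more than any capitalisation trick, and the same functions show why an 8-character brute force is routine on a GPU while a 12-character one is not.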