Password breaker successfully tackles 55 character sequences

Summary: In a time where businesses and individuals are using longer passwords to protect their accounts, we're reminded how quickly cybercrime is evolving.

Choosing a difficult password might not be enough to protect our accounts in the future.

We are admittedly often lax when it comes to choosing difficult-to-guess passwords, and we forget to change them on a regular basis. Rather than trying to remember complex sets of words and numbers, a worryingly high number of us use very simple phrases to protect accounts ranging from email to social media and those used to access corporate systems.

In a survey last year, security software developer SplashData found that the most common passwords used in 2012 included "qwerty," "12345678" and "Password1" -- strings that need no cracking tool to guess. However, thanks to the updated password cracker ocl-Hashcat-plus, far longer passwords are now also within reach of an attacker who has obtained the stored hashes.

As reported by Ars Technica, the easily available password breaker ocl-Hashcat-plus has received a series of improvements which allow it to accommodate passwords of up to 55 characters.

Until now, ocl-Hashcat-plus had been limited to passwords of up to 15 characters. The new release, the fastest of the Hashcat, Hashcat-lite and ocl-Hashcat-plus family and published over the weekend, can attack passwords of up to 55 characters, and up to 64 depending on the hash being targeted.

In the release notes, lead Hashcat developer Jens Steube said that support for passwords longer than 15 characters was "by far one of the most requested features" in the update.

"We resisted adding this 'feature,' as it would force us to remove several optimizations, resulting in a decrease in performance for the fast hashes," Steube writes. "The actual performance loss depends on several factors (GPU, attack mode, etc), but typically averages around 15 percent."

After modifying 618,473 lines of source code over six months, the new version still reaches eight billion guesses per second against fast hashes, and attacks can be tailored to the password habits of a particular target organisation. That tailoring is the job of a separate tool, the Password Analysis and Cracking Kit (PACK), which analyses previously leaked passwords to produce masks and rules for Hashcat to run; PACK optimises the cracking process rather than cracking hashes itself.
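The mask-generation step that PACK performs, shown here as an added example written for this page rather than PACK's or Hashcat's own code: it takes a list of previously leaked plaintexts, reduces each to a hashcat mask (?l, ?u, ?d, ?s for lower, upper, digit, symbol), ranks the masks by how many hits each would yield per second of cracking time, and renders them in the .hcmask format that a mask attack consumes. The leaked passwords are constructed, the charset sizes are hashcat's built-in classes, and the eight billion guesses per second is the article's figure.

```python
from collections import Counter

# Constructed sample of plaintexts from a target organisation's earlier
# breach: the kind of input PACK's statsgen would analyse.
LEAKED_PASSWORDS = [
    "Password1", "Summer2012", "Welcome1", "Admin123!", "qwerty",
    "Company01", "Password2", "Winter2012!", "Letmein1", "Spring12",
]

# Sizes of hashcat's built-in charsets: ?l lower, ?u upper, ?d digit,
# ?s the 33 printable ASCII symbols (space included).
CHARSET_SIZE = {"?l": 26, "?u": 26, "?d": 10, "?s": 33}


def charclass(ch):
    """Map one character to the hashcat charset token that covers it."""
    if ch.islower():
        return "?l"
    if ch.isupper():
        return "?u"
    if ch.isdigit():
        return "?d"
    return "?s"


def mask_of(password):
    """Mask for a password, e.g. 'Admin123!' -> '?u?l?l?l?l?d?d?d?s'."""
    return "".join(charclass(c) for c in password)


def keyspace(mask):
    """Number of candidates a mask expands to: the product of its charset sizes."""
    n = 1
    for i in range(0, len(mask), 2):
        n *= CHARSET_SIZE[mask[i:i + 2]]
    return n


def rank_masks(passwords, guesses_per_second=8_000_000_000):
    """Rank masks by expected hits per second of GPU time, so the attack
    spends its budget on the cheapest, most common patterns first.
    Returns a list of (mask, hits, keyspace, seconds_to_exhaust)."""
    counts = Counter(mask_of(p) for p in passwords)
    ranked = []
    for mask, hits in counts.items():
        space = keyspace(mask)
        seconds = space / guesses_per_second
        ranked.append((mask, hits, space, seconds))
    ranked.sort(key=lambda r: r[1] / r[3], reverse=True)
    return ranked


def hcmask_text(ranked):
    """Render the ranking as a .hcmask file body, one mask per line, which
    is the format oclHashcat's mask attack (-a 3) reads."""
    return "".join(mask + "\n" for mask, *_ in ranked)


if __name__ == "__main__":
    ranking = rank_masks(LEAKED_PASSWORDS)
    for mask, hits, space, seconds in ranking:
        print(f"{mask:28s} hits={hits} keyspace={space:.2e} exhaust={seconds:.1f}s")
    print(hcmask_text(ranking), end="")
```

On the constructed sample the all-lowercase six-letter mask comes out first even though it matched only one password, because its keyspace is exhausted in a fraction of a second; the "?u" plus seven lowercase plus digit pattern that matched two passwords ranks lower because it costs minutes to exhaust. That trade-off, not raw frequency, is what makes a tailored mask attack efficient.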

The update also adds support for a number of new hash types, including TrueCrypt 5.0, 1Password, LastPass, Mac OS X v10.8, Microsoft SQL Server 2012 and Samsung Android passwords.

Perhaps eventually the only answer to password theft will be to go back to the physical realm for security. Google is one company looking at new ways to scupper hacker efforts, developing password-replacing jewellery that would unlock an account through an authentication mechanism that is potentially far harder to breach than a memorised secret.

  • So, explain to me how you can hit

    An account with eight billion guesses a second without locking yourself out?
    • Simple

      By not making the guesses to the account but rather the computer's stored password "hash".
      • multiple steps

        There are multiple steps involved.

First step is to access the hashed password. Depending on what it is used for this step can be anywhere between trivial and nearly impossible. When nothing else works, bribery or court orders may do the trick.

        Second step is to find a password that results in the hashed password previously obtained. This is always possible and may be trivial or computationally very expensive (takes years to find a match using a supercomputer). As computers get faster and as mathematical ways to simplify the calculation are discovered, it becomes easier to find a matching password.

        Third step is to use the password, assuming it hasn't been changed since step 1.
    • It's local

      You grab the hashed passwords, then you brute force on your local machine until you discover the password that yields the encrypted password. Then you use that to login on the live server.

      The machine doing 8 billion guesses is your machine, not pinging the targeted server.
      • You grab the hashed passwords

        I am amazed at how people can just walk into your network, log on to your server, and then make a copy of your password file!
• You're missing the obvious vulnerability: users

          As much as the high-tech approach gets all the attention, remember that low-tech or no-tech hacking is still generally easiest.

Just wear a fake AT&T uniform with a fake AT&T badge. Show up to the front desk and tell the receptionist to let you into the wiring closet. Now you have physical access. You can do virtually anything you want now. Install a network sniffer, a physical keylogger, etc. If it's late in the day, you might even be able to get away with shutting the server off and cloning its drive. Along the way, act like you're working on phones and go into empty offices. Inevitably, one of them is unlocked and if none of them are, the custodian might let you in without much questioning. Chances are somebody (probably middle management) posted a sticky note with their username and password on their monitor. Sometimes you'll find said sticky note under their keyboard or in their (unlocked) top desk drawer since, after all, nobody would EVER look there.

          Heck, if you want to steal a user's credentials, there's an even easier way to do it: just ask for their password. Use Google to find a staff directory. Call up a sorta important sounding person, tell them you're a new employee at the IT department and you need their user name and password to solve some sort of problem.

          For maximum success likelihood, try this trick on an employee (again, middle management employees are a good choice) at 5:00 on a pleasant Friday afternoon. Come up with some techy sounding excuse ("Blue screen of death", "viruses", "hackers", "ping timeouts", "raccoons in server room destroyed a layer 3 switch", whatever). Talk to said middle manager for a few minutes feeding him techno-jargon. Then say "Tell you what, I know we're not supposed to share passwords but since it's almost closing time on a Friday and I know you probably want to go home. Just give me your user name and password and I'll take care of it."
  • Passwords

    ocl-Hashcat-plus has the potential to crack passwords of up to 64 characters.

    This is why all my passwords have 65 characters...

    Charlie, it's been proven that being forced by company policy to change passwords regularly leads to less secure passwords.
    • By the way, it was a dictionary attack

      It didn't crack those 55 characters at random, it was a known phrase in a dictionary.
    • Enforce strict minimum requirements for passwords

      That's why you put strict requirements around what is an acceptable password.
  • Keep in mind . . .

    Keep in mind - just because they said "oh, we'll allow you to try those 55 character passwords" doesn't mean they've solved the "but the universe will have died a heat death long before you crack a completely random 55 character password" problem.

    In fact, if you read the Ars Technica article - they actually *LOST* some of the performance of their algorithms by allowing them.

    If you compare how many possible combinations there are to 55 characters with the 8 billion combinations per second - it becomes obvious that you're not gonna be brute forcing 55 characters any time soon.

    Can we not have the unnecessary scare tactics please?
  • Simple defence!

    Surely simply limiting the number of attempts before freezing the sign in process stops even the cleverest crooks, surely that could be built into every program as standard!
    dumb blonde
    • This is about offline attacks.

      Pretty much anything that's available online does that.

      But what happens if hackers steal your database? They have no such limitations. There's no "sign in process" to a big blob of data.

      This is about offline attacks.
    • Certainly Not Dumb

      Of course, you are correct. Most financial websites close down access after three attempts at logging in.
  • That's dictionary attacks, though...right?

    Reading the source article, it sounds like it's cracking based on lists. Would it really be able to crack a password like tztY&
    • D'oh!

      The password I typed in was much longer - 24 characters of gibberish - but the forum chopped it off. Could this cracker successfully crack a long (16+ character) password made of nothing by random letters, symbols, and numbers?
      • a little fun with calculations and google...

        If you assume any combination of the easily accessible characters and symbols on the keyboard that might be used in formulating your password (a total of 94) and the cracker can try 8 billion per second (8*10^9) then formula would be: (94^passlength)/(8*10^9)/60secs/60mins/24hours/365days/num-years.


A 9 character password of the randomly accessible characters would take just over 2 years. (94^9)/(8*10^9)/60/60/24/365/1= 2.27 years. A 10 character password? 213 years. 11 characters? 20068 years. 12 characters? 1.8 million years. 55 characters? 9.6253114e+98 times the age of the universe.

Pass phrases like: "The quick brown fox jumped over the lazy blue dog." with punctuation but without any cumbersome special characters at only 54 combinations and 50 characters long would take 1.6511685e+69 times the age of the universe to crack with the latest update to oclHashcat-plus so I think it would be reasonably secure from a brute force attack in the foreseeable future.
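What the replies in this thread describe, put into code as an added example that was not posted by any of the participants: the attacker's own machine hashes guesses against a copied password table, so the site's sign-in lockout never fires; a 44-character sentence that happens to appear in a phrase list falls within a couple of dozen guesses, exactly as the "it was a dictionary attack" reply says, while a 12-character random string is beyond the brute-force budget the calculation above works out. The stolen hash table, the wordlist and the rule set are all constructed for the example, the hash is unsalted SHA-1 as a stand-in for any fast hash, and the eight billion guesses per second is the article's figure.

```python
import hashlib

# Constructed "stolen" credential table: unsalted SHA-1 digests, the kind of
# fast hash a GPU cracker handles at billions of guesses per second.
# bob's entry is a 44-character sentence; carol's is 12 random printable chars.
STOLEN_HASHES = {
    "alice": hashlib.sha1(b"Password1").hexdigest(),
    "bob": hashlib.sha1(b"The quick brown fox jumps over the lazy dog.").hexdigest(),
    "carol": hashlib.sha1(b"k7$Qz!pM3vWn").hexdigest(),
}

# Constructed wordlist: common words plus a phrase, standing in for the
# dictionaries, lyrics and quotation collections a real attack draws on.
WORDLIST = [
    "password", "welcome", "letmein", "qwerty",
    "the quick brown fox jumps over the lazy dog.",
]

# A handful of hashcat-style mangling rules applied to every wordlist entry.
RULES = {
    ":": lambda w: w,                               # as-is
    "c": lambda w: w[:1].upper() + w[1:],           # capitalise first letter
    "u": lambda w: w.upper(),                       # all upper case
    "$1": lambda w: w + "1",                        # append a digit
    "c$1": lambda w: w[:1].upper() + w[1:] + "1",   # capitalise and append
}


def crack(stolen, wordlist, rules, algo="sha1"):
    """Dictionary + rule attack run entirely offline: hash each candidate once
    and look it up in an inverted digest table, so the cost does not grow with
    the number of accounts and no login endpoint is ever contacted.
    Returns ({user: (plaintext, rule_name)}, candidates_tried)."""
    by_digest = {}
    for user, digest in stolen.items():
        by_digest.setdefault(digest, []).append(user)
    found, tried = {}, 0
    for word in wordlist:
        for name, rule in rules.items():
            candidate = rule(word)
            tried += 1
            digest = hashlib.new(algo, candidate.encode()).hexdigest()
            for user in by_digest.get(digest, []):
                found[user] = (candidate, name)
    return found, tried


def brute_force_years(length, charset_size=94, guesses_per_second=8e9):
    """Worst-case years to exhaust every string of `length` characters drawn
    from `charset_size` symbols: the calculation from the comment above."""
    return charset_size ** length / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    found, tried = crack(STOLEN_HASHES, WORDLIST, RULES)
    print(f"{tried} candidates tried")
    for user in STOLEN_HASHES:
        print(user, found.get(user, "not cracked"))
    for n in (9, 12, 55):
        print(f"random {n}-char password: {brute_force_years(n):.3g} years to exhaust")
```

The point the numbers make is that length is not what protects a password; the size of the space the attacker must search is. A 44-character sentence costs the attacker one wordlist entry times a few rules, whereas 12 characters chosen uniformly from the keyboard cost more guesses than the rig can make in a million years at the article's rate.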
  • Hashes and quirks go back a long way.

Under VAX / VMS if you typed 15 "V"s when changing your password then you could login with 1 or 4 "V"s. I forget which as it's been too many years.
  • What I'd do:

    First, keep your computer itself secure so nobody can search your computer for passwords or install keyloggers. Once they've done that, it's game over. Don't store passwords on your computer or write them down. Nobody can remember a random 55-character password, but anybody can memorize a ten-character random string.

After that, well, people who use easy-to-guess passwords and people dumb enough, in this day and age, to fall for scam phishing emails probably shouldn't be trusted with access to anything important.

    Businesses should send fake scam emails to all employees with access to anything important, and all who fall for the fake scam should be demoted to janitor, and only given keys to the bathrooms and broom closets.

    And of course they should never use operating systems with a long history of multiple, frequent security flaws. (And we all know which one that is.)