Password breaker successfully tackles 55 character sequences

In a time where businesses and individuals are using longer passwords to protect their accounts, we're reminded how quickly cybercrime is evolving.
Written by Charlie Osborne, Contributing Writer

Choosing a difficult password might not be enough to protect our accounts in the future.

We are admittedly often lax when it comes to choosing difficult-to-guess passwords, and we forget to change them on a regular basis. Rather than trying to remember complex sets of words and numbers, a worryingly high number of us use very simple phrases to protect accounts ranging from email to social media and those used to access corporate systems.

In a survey last year, security software developer Splashdata found that the most common passwords used in 2012 included "qwerty," "12345678" and "Password1" -- phrases that wouldn't require a code breaker to guess. However, thanks to the updated password cracker ocl-Hashcat-plus, even more complex combinations are unlikely to protect targeted data.

As reported by Ars Technica, the easily available password breaker ocl-Hashcat-plus has received a series of improvements which allow it to accommodate passwords of up to 55 characters.

The ocl-Hashcat-plus version of the password cracker has previously been limited to solving sequences of up to 15 characters. This quicker variation of Hashcat and Hashcat-lite, released over the weekend, has the potential to crack passwords of up to 64 characters -- depending on the hash being targeted.

In the release notes, lead Hashcat developer Jens Steube said that support for passwords longer than 15 characters was "by far one of the most requested features" in the update.

"We resisted adding this "feature," as it would force us to remove several optimizations, resulting in a decrease in performance for the fast hashes," Steube writes. "The actual performance loss depends on several factors (GPU, attack mode, etc), but typically averages around 15 percent."

After modifying 618,473 total lines of source code over six months, the new version is able to conduct eight billion guesses per second on a high number of hashes, and attacks can be tailored depending on which firm has been targeted. Named the Password Analysis and Cracking Kit (PACK), this update optimizes the password cracking process, rather than breaks sequences itself.

The update also supports a number of new algorithms, including targets TrueCrypt 5.0, 1Password, Lastpass, MacOSX v10.8, Microsoft SQL Server 2012 and Samsung Android Password.

Perhaps eventually the only solution to password theft will be to go back to the physical realm for security. Google is one such company looking at new ways to scupper hacker efforts by developing password-replacing jewellery that would open your account through a system of authentication potentially more difficult to breach.

Editorial standards