AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Password Security: Hashcat Can Crack 55 Character Passwords

Wired is reporting that the password cracking program "ocl-Hashcat-plus" is now able to crack passwords up to 55 characters long.  The importance of strong, unique passwords is not lost on people who use managed laptop disk encryption like AlertBoot FDE.  However, at some point, one has to wonder whether lengthier passwords are the answer to data security.

8 Billion Guesses per Second

Prior to the latest release, the password cracking program "ocl-Hashcat-plus" (Hashcat) limited the length of the passwords it could guess.  According to the creators of the program, the 15-character limit was deliberate, since increasing the character count would "[result] in a decrease in performance."

However, the demand for cracking longer passwords finally won out.  The new limit depends on the hash algorithm being targeted, but "the maximum can grow as high as 64 characters or as low as 24," according to wired.com.  (A password longer than the limit for a given algorithm is not automatically safe, either.  Hashcat is not the only password cracking software, after all.)

It is further being reported that Hashcat can achieve password cracking speeds of eight billion guesses per second.  How much damage can the software deliver?  From the report:

"ocl-Hashcat-plus targets a much wider number of popular cryptographic products and applications, including TrueCrypt 5.0 and beyond, 1Password, Lastpass, the SHA256 algorithm in the Unix operating system, and hashing operations found in the latest version of Apple's OS X operating system."

Yikes.  As another metric, wired.com is reporting that the 14.3 million passwords that were leaked in the RockYou list can be cracked in 65 seconds.

Time to Salt Your Own Passwords?

A couple of passwords cracked with the newly released Hashcat are "thereisnofatebutwhatwemake" and "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn1", the second of which comes from an H.P. Lovecraft story (well, that and the number 1.  I guess someone's password policy required the use of letters and numbers).

Now, it could be that these two passwords were not "salted", which would have made them cheaper to crack in bulk.  But salting is not what failed here.  A salt is stored right next to the hash, so it never slows down an attacker who is guessing one particular hash; it only stops a single guess from being checked against every hash in a dump at once, and it defeats precomputed tables.  Nor were these passwords brute-forced: even at 8 billion guesses per second, trying every 26-letter lowercase string would take on the order of 10^19 years.  They fell because they are famous quotes, and famous quotes are in the wordlists crackers feed to Hashcat.  Their length bought nothing because the phrases were predictable.

If the above two passwords cannot stand... aren't we all doomed?  One tempting answer is to start using passwords that are even longer than 55 characters.  Good luck remembering that... and length alone will not help if the longer string is still a quote someone can look up.

A simpler remedy borrows the idea of a salt, though: you "salt" the passphrase yourself, with a word nobody else would think to add.  Why create a new password that is longer than 55 characters when you can take your old one and stretch it out?

Take "thereisnofatebutwhatwemake" as an example.  If you decide your salt is "firefly," then the password could now be "therefireflyisfireflynofireflyfatefireflybutfireflywhatfireflywefireflymake", which is 75 characters long and as easy to remember as the old password, if a bit unwieldy.  What actually helps is not the 75 characters but that the result is no longer the quote that sits in every wordlist.  The caveat: if the same filler word is reused for every account, or the habit becomes popular enough to be worth a cracking rule, a combinator or rule-based attack can target that pattern too, so keep the filler private and do not build on a phrase that is famous to begin with.
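As an added illustration (not from the original post or from AlertBoot), the following Python script checks the two points made above: it stores the post's two cracked quotes with unique random salts and recovers them from a small constructed wordlist, showing that a salt does not protect a guessable password, and it implements the "firefly" stretching from the example.  The wordlist, the salted-SHA-256 storage scheme, the 8-billion-guesses-per-second constant and the brute-force time estimates are assumptions for illustration only.

```python
import hashlib
import os

# Guess rate quoted in the post for Hashcat against a fast hash (assumption).
GUESSES_PER_SECOND = 8_000_000_000

# Constructed wordlist: a few famous phrases (including the two the post
# names as cracked) plus common junk. Real lists run to millions of entries.
WORDLIST = [
    "password",
    "letmein",
    "thereisnofatebutwhatwemake",
    "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn1",
    "correcthorsebatterystaple",
]


def salted_sha256(salt: bytes, password: str) -> str:
    """sha256(salt || password): a per-record salt on a fast hash (assumed scheme)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def seconds_to_exhaust(charset_size: int, length: int,
                       rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every string of `length` symbols from a charset."""
    return charset_size ** length / rate


def stretch(words: list[str], filler: str) -> str:
    """The post's 'salt it yourself' trick: a secret word between the words of
    a memorable phrase. Not a salt in the cryptographic sense (it is part of the
    secret, not stored beside the hash), but the result is no longer the bare
    quote that appears in wordlists."""
    return filler.join(words)


def dictionary_attack(records: list[tuple[bytes, str]],
                      wordlist: list[str]) -> dict[str, str]:
    """Try every wordlist entry against every (salt, digest) record.

    The salt is stored next to the hash, so the attacker has it. Each candidate
    costs one hash per record: the salt does not slow the attack on any single
    hash, it only prevents one computed guess from being compared against every
    record at once (and defeats precomputed tables).
    """
    cracked = {}
    for salt, digest in records:
        for candidate in wordlist:
            if salted_sha256(salt, candidate) == digest:
                cracked[digest] = candidate
                break
    return cracked


def run_demo() -> dict:
    """Store three passwords with unique random salts, then attack them."""
    plain = [
        "thereisnofatebutwhatwemake",
        "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn1",
        stretch(["there", "is", "no", "fate", "but", "what", "we", "make"], "firefly"),
    ]
    records = []
    for pw in plain:
        salt = os.urandom(16)  # unique per record, as a well-built system would do
        records.append((salt, salted_sha256(salt, pw)))
    cracked = dictionary_attack(records, WORDLIST)
    return {
        "cracked": sorted(cracked.values()),
        "uncracked": len(records) - len(cracked),
        # Why brute force was never the route: 26 lowercase letters at 8e9/s.
        "brute_force_years_26_lower": seconds_to_exhaust(26, 26) / (365 * 24 * 3600),
        # For comparison: 8 characters drawn from the 95 printable ASCII symbols.
        "brute_force_days_8_printable": seconds_to_exhaust(95, 8) / (24 * 3600),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run stand-alone, it reports both quotes as cracked despite their unique salts, the stretched phrase as uncracked, an 8-character printable password exhausted in under ten days, and a 26-letter lowercase keyspace that would outlast the universe.  The quoted guess rate applies to fast hashes such as raw SHA-256; a deliberately slow password hash (bcrypt, scrypt or PBKDF2 with a high work factor) cuts the attacker's rate by orders of magnitude, but that is a choice only the site storing the hash can make, which is why the user-side advice above concentrates on unpredictability.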

The problem?  At some point, passwords become too long for humans to use.  It's the reason AES-256 encryption keys are not chosen by people; instead, they are randomly generated by computers.

Related Articles and Sites:
http://arstechnica.com/security/2013/08/thereisnofatebutwhatwemake-turbo-charged-cracking-comes-to-long-passwords/
About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.