Think Your Passwords are Secure? Think Again...

One of the cornerstones of a data security system is the humble password. We use passwords in combination with usernames or ID numbers in virtually every electronic application we encounter, from email to banking to online photo albums. The ubiquity of passwords has made them a powerful tool in the data security arsenal. However, that ubiquity also makes passwords a favorite target for hackers.

Password cracking is becoming easier and more popular every day. “Script kiddies,” hackers with low technical proficiency, can simply download programs that almost completely automate the password cracking process. These cracking programs are under constant development and gain frightening new abilities all the time. In a recent update, for example, the popular free cracking program ocl-Hashcat-plus can now crack passwords that are up to 55 characters long - far longer than most users ever implement themselves.

To understand the impact of this news, it helps to know a bit about password cracking itself. Ocl-Hashcat-plus is an example of a dictionary cracker, or a program that automates the cracking of passwords through the use of a “dictionary” of common password phrases and combinations.

To use these programs, a cracker must have three things: the program itself, a dictionary list of common password phrases, and a list of “hashes” to compare the dictionary to. Hashes are passwords in their encrypted form, usually stolen from a large company in an intrusion into their system. Long lists of hashes are easily available online for those who know where to look for them.

The cracking program then uses a system of rules and procedures to compare the hashes to the dictionary lists. Advanced cracking program procedures can automatically add numbers to dictionary words, substitute numbers and letters, apply common misspellings, and more. Once the program matches a hash to plaintext, it saves the deciphered password for later use, allowing hackers to compromise the accounts tied to the passwords at their leisure.
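To make the mechanics above concrete, here is a small password audit in Python. It is an added example, not code from the article or from ocl-Hashcat-plus: it derives the kind of variants the article lists (capitalisation, number-for-letter substitutions, appended digits) from a tiny constructed wordlist, hashes each variant, and reports which entries in a constructed user table are reproduced. Running a check like this against your own user database is how a defender finds accounts whose passwords a rule-based cracker would recover. The wordlist, rule set and sample hashes are all constructed for the example; unsalted SHA-1 stands in for the fast, unsalted hashes that leaked databases often contain.

```python
import hashlib

# Constructed toy dictionary standing in for a real cracking wordlist
# (assumption: real lists hold millions of entries; a handful shows the mechanics).
DICTIONARY = ["password", "dragon", "welcome", "letmein"]

# One common leet-speak substitution table; real rule sets carry many more rules.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def mangle(word):
    """Yield the variants a rule-based cracker derives from one dictionary word:
    case changes, leet substitutions, and appended digits or punctuation."""
    bases = {word, word.capitalize(), word.upper()}
    bases |= {b.translate(LEET) for b in bases}
    for base in sorted(bases):
        yield base
        for suffix in ("!", "1", "123"):
            yield base + suffix
        for n in range(100):  # two-digit suffixes 00..99
            yield f"{base}{n:02d}"


def sha1_hex(password):
    # Unsalted SHA-1 stands in for the fast, unsalted hashes leaked databases
    # often contain. A slow, salted hash (bcrypt, scrypt, Argon2) makes every
    # one of these guesses far more expensive and blocks precomputed lists.
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def audit(user_hashes, dictionary=DICTIONARY):
    """Map each username whose stored hash is reproduced by some dictionary
    variant to the base word that produced it. The comparison is hash to hash,
    exactly as a cracker works on a leaked list, so no plaintext is needed."""
    pending = {}
    for user, h in user_hashes.items():
        pending.setdefault(h, []).append(user)  # several users may share a password
    weak = {}
    for word in dictionary:
        for candidate in mangle(word):
            for user in pending.pop(sha1_hex(candidate), ()):
                weak[user] = word
            if not pending:
                return weak
    return weak


def candidates_per_word(word):
    """How many guesses this small rule set spends on one dictionary word."""
    return sum(1 for _ in mangle(word))


# Constructed sample user table; a real audit reads these from your own database.
SAMPLE_HASHES = {
    "alice": sha1_hex("Dragon42"),
    "bob": sha1_hex("P@$$w0rd1"),
    "carol": sha1_hex("correct horse battery staple"),
}

if __name__ == "__main__":
    print(audit(SAMPLE_HASHES))            # alice and bob are recovered, carol is not
    print(candidates_per_word("dragon"))   # guesses spent on a single word
```

Even this toy rule set turns one dictionary word into 520 guesses, which is why a word with a capital letter and a number on the end offers no real protection; real rule sets are far larger, and at the guess rates the article quotes they exhaust such variants in a fraction of a second.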

The latest update to ocl-Hashcat-plus allows it to make up to eight billion guesses per second on passwords up to 55 characters long, a huge improvement over the previous iterations of the software. According to this Ars Technica article, the program was able to crack the password “thereisnofatebutwhatwemake” using the new update, and even managed to decipher the absurd password “Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn1,” a phrase from the H.P. Lovecraft story The Call of Cthulhu.

Why should you be concerned about this news? Well, if you're like most Internet users, you don't have a separate password for every single website or security login you use. Rather, you probably have one or two passwords - or subtle variations on those one or two passwords - that you use in multiple places.

The problem with this is that if a hacker should gain access to any one of the databases that stores your password, even in encrypted form, there is a very strong possibility that they will crack that password and be able to gain access to all of your personal or business data. If your passwords are compromised, almost nothing is safe.

Fortunately, there are a few strategies you can use to keep yourself safer in the face of these attacks. First off, never use common words, phrases, or quotes as a password. If your password can be found in a dictionary, Wikipedia article, or Google search, it's probably already on a dictionary list somewhere, waiting for your hashes to pop up. A better strategy is to use random combinations of unrelated words, as this popular webcomic demonstrates.
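The two cracked passwords above are long, but each is a single quote that already sits on a wordlist, so length bought them nothing. What matters is how many equally likely passwords the attacker has to try. The following Python example, added here and not part of the article, generates a passphrase from random unrelated words with a cryptographically secure random source and estimates how long an exhaustive search would take at the eight-billion-guesses-per-second rate the article quotes. The 16-word list is constructed for the example; the 7776-word list size used in the estimates is an assumption about a published Diceware-style list, not a figure from the article.

```python
import math
import secrets

# Constructed stand-in wordlist; a real generator loads a published list of
# several thousand words (assumption: 7776 entries, as in Diceware-style lists).
WORDLIST = ["anchor", "basil", "cactus", "dune", "ember", "fjord", "gravel",
            "harbor", "iris", "juniper", "kettle", "lantern", "meadow",
            "nickel", "orchid", "plume"]

GUESSES_PER_SECOND = 8e9  # the rate the article quotes for the updated cracker
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def passphrase(words=6, wordlist=WORDLIST, sep=" "):
    """Pick `words` entries uniformly at random (with replacement) using the
    CSPRNG behind `secrets`; never `random`, whose output is predictable."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(words, list_size):
    """Entropy of a uniformly random passphrase: words * log2(list_size).
    Counts only the random choices, not the characters, since the attacker
    guesses whole words rather than letters."""
    return words * math.log2(list_size)


def seconds_to_exhaust(bits, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every passphrase of this entropy at `rate` guesses/s."""
    return 2 ** bits / rate


def describe(words, list_size, rate=GUESSES_PER_SECOND):
    bits = entropy_bits(words, list_size)
    years = seconds_to_exhaust(bits, rate) / SECONDS_PER_YEAR
    return (f"{words} words from a {list_size}-word list: {bits:.1f} bits, "
            f"exhaustive search at {rate:.0e}/s takes about {years:.3g} years")


if __name__ == "__main__":
    print(passphrase())
    for n in (4, 5, 6):
        print(describe(n, 7776))
```

The numbers are the point: four words from a 7776-word list give roughly 52 bits, which the quoted rate exhausts in days if the site stored fast unsalted hashes, while six words give roughly 78 bits and push the same search into hundreds of thousands of years. Picking the words by hand rather than at random, or drawing them from a quote, collapses that count back to a single dictionary entry.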

Also, you should try to never use the same password across different sites. We know, it's tough to remember them all. But by using different passwords, you confound the efforts of hackers to gain access to your identity across the web. It's a simple measure, but it's remarkably effective.

Another thing you can do is add additional layers of security to your systems. Many email and banking clients now support two-step verification, where the service will send you a text message or call your phone to verify your identity. And for sensitive business data like credit card numbers or personal info, you can actually remove that data from your system entirely using tokenization. That way, if a hacker does get access to your system, they still can't get to any useful information.
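To show what "removing the data from your system" means in practice, here is a minimal tokenization vault in Python. It is an added example, not the article's or any vendor's implementation: the application keeps only a random token and the last four digits of a card number, while the real number lives in a separate, access-controlled vault that maps tokens back to values. Because the token is drawn from a secure random source and has no mathematical relationship to the card number, a copy of the application database reveals nothing useful. The card number and customer record are constructed sample values; the `tok_` prefix and the in-memory dictionary standing in for a protected vault are assumptions of the example.

```python
import secrets


class TokenVault:
    """Minimal tokenization service. In production this runs as a separate,
    tightly access-controlled system; here an in-memory dict stands in for it."""

    def __init__(self):
        self._vault = {}      # token -> sensitive value
        self._by_value = {}   # value -> token, so a repeated value reuses its token

    def tokenize(self, value):
        """Return a random token for `value`, minting one if none exists."""
        if value in self._by_value:
            return self._by_value[value]
        while True:
            # 128 random bits from the OS CSPRNG; nothing about the value is encoded.
            token = "tok_" + secrets.token_hex(16)
            if token not in self._vault:
                break
        self._vault[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token):
        """Recover the original value; only the vault can do this."""
        return self._vault[token]


def masked(value, keep=4):
    """Display form that keeps only the last `keep` characters."""
    return "*" * (len(value) - keep) + value[-keep:]


def store_customer(vault, name, card_number):
    """What the application database actually holds: no card number at all."""
    return {
        "customer": name,
        "card_token": vault.tokenize(card_number),
        "card_display": masked(card_number),
    }


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample: a well-known test card number, not real customer data.
    record = store_customer(vault, "A. Customer", "4111111111111111")
    print(record)                                   # token and masked digits only
    print(vault.detokenize(record["card_token"]))   # only the vault can reverse it
```

The separation is the security property: an attacker who copies the application's records gets tokens that are useless outside the vault, and the vault itself holds no account data to tie them to, so both stores have to be breached together to recover anything of value.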

Of course, the best defence of all against hacking is simply vigilance. Change your passwords regularly (every few months or so works for most people) and never write them out in plaintext, either on paper, in an email, or in a text document. Being careful is always the best way to keep yourself, and your data, safe and sound.

Topic(s): data security, tokenization