Hoohah, Cracking Your Passwords Has Never Been Easier

Ars Technica recently detailed the methods researchers use to crack passwords, and the process is easier than you might think.

Ars’ IT security editor, Dan Goodin, spoke to password security researcher Kevin Young, who last year worked on decoding cryptographically protected password data leaked after attacks on the intelligence firm Stratfor. Young was able to crack about 60% of the password hashes before literally running out of words.

Fellow researcher Josh Dustin teamed up with Young, and as their sources expanded they also realized it was a mistake to use techniques that made sense to computers and not humans. After they tried longer strings of words found online—isolating select phrases and inputting them into their password crackers—the previously uncracked leaks and hashes from Stratfor revealed themselves.

Ars Technica also explains why passphrases and mangling are pointless when it comes to securing your passwords. One security researcher, Yiannis Chrysanthou, was able to crack the passphrase “Ph’nglui mglw’nafh Cthulhu R’lyeh wgah’nagl fhtagn1”. While certainly stronger than shorter, all-lowercase passphrases, this fictional occult phrase comes from a short story by H. P. Lovecraft called “The Call of Cthulhu,” and is found on Wikipedia. Hence the utility of thinking like a human.

What began with Wikipedia and the first 15,000 works of Project Gutenberg has expanded to larger phrase pools including Facebook, Twitter, YouTube, movie scripts, song lyrics and e-books. YouTube comments, for example, reveal slang and misspellings not found on Wikipedia or in a book. Young was able to crack “yournevergoingtogetmyfuckingpassword” even though “your” in this case is incorrect.

In addition to literary and biblical quotes, obscenities are popular password choices. Other phrases Chrysanthou has cracked include:

youcantguessthis password1980
thatswhatshesaid123
neverpromiseanythingagain1
thisisnotyourpassword
thisisthebestpasswordever
canyouguessmypassword
thepasswordispassword
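
A defensive counterpart to the phrase pools described above, as an added example that is not from the Ars Technica article or the researchers: a password-change filter that rejects candidates matching a run of words from public text, ignoring case, spacing, punctuation and digit padding. The corpus lines are constructed sample data, and `squash`, `build_index` and `is_known_phrase` are hypothetical names.

```python
import re

# Constructed stand-in for a public-text corpus (encyclopedia dump, lyrics,
# comment threads). A real filter would index far more text than this.
SAMPLE_CORPUS = [
    "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn",
    "that's what she said",
    "you can't guess this password",
    "the password is password",
]


def squash(text):
    """Lowercase and keep a-z only, so case, spacing and apostrophes drop out."""
    return re.sub(r"[^a-z]", "", text.lower())


def build_index(lines, min_words=3, max_words=8):
    """Index every run of min_words..max_words consecutive words, squashed."""
    index = set()
    for line in lines:
        words = [w for w in (squash(tok) for tok in line.split()) if w]
        for n in range(min_words, max_words + 1):
            for i in range(len(words) - n + 1):
                index.add("".join(words[i:i + n]))
    return index


def is_known_phrase(candidate, index):
    """True if the candidate, minus digit/symbol padding at either end,
    is a word run that appears in the indexed text."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", candidate)
    return squash(core) in index


if __name__ == "__main__":
    idx = build_index(SAMPLE_CORPUS)
    for pw in ["Ph’nglui mglw’nafh Cthulhu R’lyeh wgah’nagl fhtagn1",
               "thatswhatshesaid123",
               "plinth-otter-gravel-kazoo"]:
        verdict = "reject" if is_known_phrase(pw, idx) else "not in corpus"
        print(f"{pw!r}: {verdict}")
```

A miss only means the phrase is absent from whatever text was indexed; it says nothing about the strength of the candidate.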
