The prevailing wisdom is that longer, more complex passwords and passphrases are more difficult to crack and are more secure for users. While complex passwords and passphrases are still a better approach than simple words and short passwords, new technology out this week will now make it faster to crack longer, complex passwords.
The oclHashcat-plus v.0.15 release now provides security researchers with the ability to crack passwords that are longer than 15 characters. According to the release notes, the new maximum length for password cracking is 55 characters.
Hashcat is a project that builds “password recovery” tools for researchers. The core Hashcat application is CPU-based as opposed to ocl-Hashcat-plus, which leverages the enhanced number-crunching power of a GPU. The GPU-infused power is the catch with oclHashcat-plus and is significantly faster than CPU-based approaches. Why the 15 character expansion is important is because it will potentially enable the cracking of phrases as well as long passwords.
Hashcat developers note that the new 0.15 release involved the modification of 618,473 lines of source code, which took more than six months of work. In addition to the longer password length, the new update now also supports a number of new algorithms including: TrueCrypt 5.0+
1Password, Lastpass, OpenLDAP {SSHA512}, MacOSX v10.8 Microsoft SQL Server 2012 and Samsung Android Password/PIN.
At the recent DEF CON security conference, there was a contest that I wrote about that was specifically all about seeing how researchers go about cracking passwords. As it turns out, the hashcat developers specifically credit the “Crack Me If You Can” contest organized by security vendor KoreLogic as well as the Positive Hack Days (PHD) Hashrunner contest.
“These contests give us a good view on what a typical pentester/IT-forensic needs and shows a direction to go,” the oclHashcat-plus v.0.15 release states.
From my point of view, the emergence of oclHashcat-plus v.0.15 just means it is now that much harder to create a truly secure password. It should also serve as a reminder that the password should never be the only line of defense for technology infrastructure, but rather should be part of a layered approach, including multiple forms of authentication to help mitigate risk. Event auditing and logging is also critical in the modern IT infrastructure. That way, you know when you’ve been breached so you can rapidly change your (long or short) password.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.