No password is safe from the new breed of cracking software
Chances are you need to change your password. No matter how long it is.
Over the weekend, the free password cracking and recovery tool oclHashcat-plus released a new version, 0.15, that can handle passwords up to 55 characters. It works by guessing a lot of common letter combinations. A lot. Really really fast.
Other long-string password-crackers exist, such as Hashcat and oclHashcat-lite, though they take a great deal more time to cycle through. This improvement runs at 8 million guesses per second while also allowing users to cut down the number of guesses required by shaping their attacks based on the password-construction protocol followed by a company or group.
A combination of increasing awareness of official scrutiny, such as the NSA leaks, growing instances of hacking of all kinds and leaked password lists, has inspired users to radically lengthen their passwords and use passphrases instead.
As Dan Goodin noted in Ars Technica, “Crackers have responded by expanding the dictionaries they maintain to include phrases and word combinations found in the Bible, common literature, and in online discussions.”
One security researcher cracked the passphrase "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn1," a phrase from an H.P. Lovecraft horror story. It was less impossible than it was super easy, crackable in minutes, because it was in an easily available hacker word list.
The release notes state that the ability to target increased character counts was their most requested change in a development process which took the team six months, who modified 618,473 lines of source code, more than half the code in the product.