An update to a free online password-cracking program just made it easier for hackers to get their hands on more complex passwords.
When you sign up for an account on a website and create a password, what the company stores in its database is not the password itself but a "cryptographic hash": a string of numbers and letters produced by running the password through a hashing algorithm. Recovering the original password from a hash means running candidate passwords through the same algorithm until one produces a matching hash. It's a rare hacker who can invade a company database and come out with a stash of passwords in plain text -- usually, what a hacker ends up with after pulling passwords from a database is just a bunch of complicated hashes.
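As an added illustration (not code from the article), here is what the stored form of a password looks like and how a site checks a login against it: the site never keeps the password, only the digest, and verification re-hashes the candidate and compares. The sample password and the SHA-256 choice are assumptions for the demonstration.

```python
import hashlib
import hmac

# Constructed sample value for the demonstration; not taken from the article.
SAMPLE_PASSWORD = "correcthorsebatterystaple"


def store_password(password: str) -> str:
    """Return what a site would keep in its database: the hex digest, never the password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def verify_password(candidate: str, stored_digest: str) -> bool:
    """Re-hash the candidate and compare it with the stored digest.

    hmac.compare_digest runs in constant time so that the comparison itself
    does not leak how many leading characters matched.
    """
    return hmac.compare_digest(store_password(candidate), stored_digest)


def differing_hex_positions(digest_a: str, digest_b: str) -> int:
    """Count hex positions where two digests differ.

    A one-character change in the password changes most of the digest,
    which is why a hash cannot be 'read back' into a password.
    """
    return sum(1 for x, y in zip(digest_a, digest_b) if x != y)


if __name__ == "__main__":
    stored = store_password(SAMPLE_PASSWORD)
    print("stored digest:", stored)
    print("correct password accepted:", verify_password(SAMPLE_PASSWORD, stored))
    print("wrong password rejected:", not verify_password("Tr0ub4dor&3", stored))
    print("positions changed by a one-letter edit:",
          differing_hex_positions(store_password("password"), store_password("passwore")))
```

A plain, fast hash like SHA-256 is used here only to keep the illustration short; the speed of such hashes is exactly what makes bulk guessing with a tool like ocl-Hashcat-plus practical.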
Ocl-Hashcat-plus is a computer program that specializes in cracking these hashes -- but until last week, it could only turn passwords of 15 characters or less from hash to plain text. Hackers requested a version of ocl-Hashcat-plus that could crack longer passwords, and ocl-Hashcat-plus delivered.
Ars Technica reports that this newest version of ocl-Hashcat-plus can crack 55-character passwords.
In a 2012 article, Wired magazine proclaimed: "Kill The Password." "Today, nothing you do, no precaution you take, no long or random string of characters can stop a truly dedicated and devious individual from cracking your account," Mat Honan wrote in the Wired piece. Now, this new tool for hackers further weakens what was once considered a relatively strong defense -- unusually long passwords.
The popular web comic xkcd explains why it's actually harder for programs to guess a long password made of random words (it uses the example "correcthorsebatterystaple") than it is to crack a shorter cocktail of letters, numbers and symbols (like "Tr0ub4dor&3"). The longer the password, the more work it takes to figure out -- hopefully offering an added layer of protection.
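To make the comic's argument concrete, here is an added worked example (not from the article or from xkcd) that counts the guesses an attacker who knows the pattern would have to try. The component counts for the "Tr0ub4dor&3"-style password (a base word from an assumed 65,536-word list, one capitalisation choice, a handful of common letter substitutions, a digit, a punctuation mark, and their order), the 2,048-word list for the passphrase, and the guess rates are all assumptions chosen to mirror the comic's reasoning.

```python
import math

# Assumed guess rates (not from the article): a throttled web login versus
# offline cracking of a fast hash on GPU hardware.
ONLINE_GUESSES_PER_SECOND = 1_000
OFFLINE_GUESSES_PER_SECOND = 1_000_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def pattern_bits(choices_per_component) -> float:
    """Entropy in bits of a password built by picking one option per component.

    Each component contributes log2(number of options); the total is the
    log2 of the size of the search space an informed attacker has to cover.
    """
    return sum(math.log2(n) for n in choices_per_component)


def passphrase_bits(wordlist_size: int, word_count: int) -> float:
    """Entropy of `word_count` words drawn uniformly from a list of `wordlist_size`."""
    return word_count * math.log2(wordlist_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every possibility in a space of 2**bits guesses."""
    return 2.0 ** bits / guesses_per_second


def describe(label: str, bits: float) -> str:
    online_years = seconds_to_exhaust(bits, ONLINE_GUESSES_PER_SECOND) / SECONDS_PER_YEAR
    offline_sec = seconds_to_exhaust(bits, OFFLINE_GUESSES_PER_SECOND)
    return (f"{label}: {bits:.1f} bits; {online_years:.2f} years online, "
            f"{offline_sec:.1f} seconds offline")


# Assumed components of a "Tr0ub4dor&3"-style password:
# base word (65,536 options), capitalisation (2), common substitutions (8),
# digit (10), punctuation (16), and whether digit/punctuation come first or last (2).
TROUBADOR_COMPONENTS = (65_536, 2, 8, 10, 16, 2)

# Assumed passphrase: four words from a 2,048-word list.
PASSPHRASE_WORDLIST = 2_048
PASSPHRASE_WORDS = 4

if __name__ == "__main__":
    print(describe("Tr0ub4dor&3-style", pattern_bits(TROUBADOR_COMPONENTS)))
    print(describe("four random words", passphrase_bits(PASSPHRASE_WORDLIST, PASSPHRASE_WORDS)))
```

Under these assumptions the substituted word comes out at roughly 28 bits and the four-word passphrase at 44 bits, so the passphrase costs about 65,000 times more guesses. The offline figures also show why the article's concern is real: against a fast, unsalted hash, even 44 bits is hours of work for a GPU, so length has to be combined with a slow password-hashing function and unique passwords per site.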
Though the new cracking tool could help some hackers, Wired details some simpler ways for criminals to get their hands on your info than cracking stolen hashes. The easiest prey are those who use predictable words, which are just way too easy to guess. (We're looking at you, "12345" or "password" user.) Phishing emails, which trick people into entering their login on a fake site, are also a common way passwords get stolen. And since so many people use the same password or a variation of it for every account, hackers can use that one bit of information to gain access to multiple places -- from your email to your bank account.
Dan Goodin at Ars Technica explains that one of the best things to do is make sure every password for every account is truly unique. That way, if someone does end up with a hashed copy and cracks it, they don't have the keys to the kingdom.
For now, we're stuck with keystrokes as our way to get into websites, but that may not be the case forever. Security researchers have introduced several password alternatives in recent years, from Microsoft's gesture-based "picture passwords" to cutting-edge password pills.