Passwords with dozens of characters are supposed to be a natural defense against hackers, because they're that much harder to crack compared to short passwords. But not anymore.
As Ars Technica reports, the speedy password-cracking software ocl-Hashcat-plus can now crack passwords with around 55 characters, an increase from 15-character support in the previous version. Jens Steube, Hashcat's lead developer, said in the software's release notes that support for longer passwords was “by far one of the most requested features.”
Because some web services are more lax about security than others, and because no site is ever completely hack-proof, you can't really expect passwords to stay secure forever. Still, most reputable sites will “hash and salt” users' passwords, essentially using cryptography and adding other unique information to each individual password. This makes it harder for hackers to discover the actual passwords after stealing them, but with the help of cracking software, hackers can still make lots of rapid fire guesses to eventually figure out people's hashed passwords. (Hashcat, for instance, can make 8 billion guesses per second.)
With cracking software, weak passwords are the first ones to go, because they're easily guessed by the software's algorithms. A strong password amounts to a last line of defense, and long passwords had proven particularly tough to guess.
But as Hashcat proves, it's not as difficult to figure out lengthy passwords as it used to be. To crack longer passwords, crackers are adding bible passages, book quotes and even online discussions to their dictionaries, increasing the odds of finding passwords based on common phrases.
Fortunately, it's relatively easy to minimize the potential damage wrought by password crackers like Hashcat. The tool shatters encryption with (relative) ease, but your hashed passwords need to be leaked from a compromised website before would-be hackers can get to crackin'.
So consider this your routine reminder not to use the same password on every site, no matter how long or complicated it is. PCWorld's Alex Wawro has a stellar guide on creating sturdy, crack-resistant passwords with minimal hassle, or you can use password management programs like KeePass or LastPass. Beyond mere passwords, set up two-factor authentication on your most sensitive accounts. And for goodness sakes, don't be one of those people who uses “password” or “123456.”