Ars Technica recently detailed the methods researchers use to crack passwords; it is easier than you might think.
Ars’ IT security editor, Dan Goodin, spoke to password security researcher Kevin Young, who last year worked on decoding cryptographically protected password data leaked after attacks on the intelligence firm Stratfor. Young was able to crack about 60% of the password hashes before literally running out of words.
Fellow researcher Josh Dustin teamed up with Young, and as their sources expanded they also realized it was a mistake to use techniques that made sense to computers rather than to humans. After trying longer strings of words found online, isolating select phrases and feeding them into their password crackers, the previously uncracked Stratfor hashes revealed themselves.
Ars Technica also explains why passphrases and mangling are pointless when it comes to securing your passwords. One security researcher, Yiannis Chrysanthou, was able to crack the passphrase “Ph’nglui mglw’nafh Cthulhu R’lyeh wgah’nagl fhtagn1”. While certainly stronger than shorter, all-lowercase passphrases, this fictional occult phrase comes from the H. P. Lovecraft short story “The Call of Cthulhu” and is found on Wikipedia. Hence the utility of thinking like a human.
What began with Wikipedia and the first 15,000 works of Project Gutenberg has expanded to larger phrase pools including Facebook, Twitter, YouTube, movie scripts, song lyrics and e-books. YouTube comments, for example, reveal slang and misspellings not found on Wikipedia or in a book. Young was able to crack “yournevergoingtogetmyfuckingpassword” even though “your” in this case is incorrect.
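As an added illustration (not code from Ars or from the researchers' tooling), here is a defender-side check that applies the same idea in reverse: it indexes word windows from a constructed sample corpus the way the researchers turned public text into candidates, normalizes away the mangling a cracker undoes anyway (case, spacing, apostrophes, a trailing digit), and flags any passphrase built from a known phrase. The corpus lines and the window sizes are assumptions for the demo.

```python
import re
import string

# Constructed stand-in for the public text the researchers mined: a Lovecraft
# line, a YouTube-style comment with the "your"/"you're" slang, a Bible verse.
SAMPLE_CORPUS = [
    "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn.",
    "lol your never going to get my password",
    "In the beginning God created the heaven and the earth.",
]

MIN_WORDS, MAX_WORDS = 3, 8  # assumed window sizes for phrase extraction


def normalize(text):
    """Collapse the cheap mangling a cracker's rules undo anyway: case, spacing,
    punctuation (straight or curly apostrophes) and a trailing run of digits."""
    t = re.sub(r"[^a-z0-9]", "", text.lower())
    return t.rstrip(string.digits)


def phrase_index(corpus):
    """Map every MIN..MAX-word window of each sentence, normalized, back to its
    source text, mirroring how sentences become candidate passphrases."""
    index = {}
    for sentence in corpus:
        words = sentence.split()
        for n in range(MIN_WORDS, MAX_WORDS + 1):
            for i in range(len(words) - n + 1):
                window = " ".join(words[i:i + n])
                index.setdefault(normalize(window), window)
    return index


def find_known_phrase(candidate, index):
    """Return the corpus phrase a candidate password is built from, or None."""
    return index.get(normalize(candidate))


def is_weak_passphrase(candidate, index=None):
    """True when the candidate is a (mangled) copy of a phrase in the corpus."""
    index = phrase_index(SAMPLE_CORPUS) if index is None else index
    return find_known_phrase(candidate, index) is not None


if __name__ == "__main__":
    idx = phrase_index(SAMPLE_CORPUS)
    for pw in ["Ph’nglui mglw’nafh Cthulhu R’lyeh wgah’nagl fhtagn1",
               "yournevergoingtogetmypassword", "Cthulhu fhtagn 2024"]:
        print(repr(pw), "->", find_known_phrase(pw, idx))
```

A real deployment would index a far larger corpus and add leet-speak unmapping, but the lookup cost stays one hash probe per candidate.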
In addition to literary and biblical quotes, obscenities are popular password choices. Other phrases Chrysanthou has cracked include: