Not even long passwords will save you from a hack attack

Long passwords alone just won't cut it now that the latest Hashcat update can crack 55-character passwords in short order

Passwords with dozens of characters are supposed to be a natural defense against hackers, because they're that much harder to crack compared to short passwords. But not anymore.

As Ars Technica reports, the speedy password-cracking software ocl-Hashcat-plus can now crack passwords with around 55 characters, an increase from 15-character support in the previous version. Jens Steube, Hashcat's lead developer, said in the software's release notes that support for longer passwords was "by far one of the most requested features."

Because some web services are more lax about security than others, and because no site is ever completely hack-proof, you can't really expect passwords to stay secure forever. Still, most reputable sites will "hash and salt" users' passwords, essentially running each password through a one-way cryptographic function after adding unique random data to it. This makes it harder for hackers to discover the actual passwords after stealing them, but with the help of cracking software, hackers can still make lots of rapid-fire guesses to eventually figure out people's hashed passwords. (Hashcat, for instance, can make 8 billion guesses per second.)
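Added example (not from the article, and not Hashcat's code): a salted, iterated password hash of the kind the "hash and salt" description above refers to, plus a rough measurement of how much slower each guess becomes compared with a plain SHA-256 hash. The iteration count and sample size are illustrative assumptions.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Optional, Tuple

# Illustrative settings (assumed for this example, not taken from any site's config).
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per password means two users
    with the same password get different stored values, so one precomputed
    table of common phrases cannot be reused across every account."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def guesses_per_second(hasher: Callable[[str], bytes], sample: int) -> float:
    """How many candidate passwords per second one CPU core can test against
    a single stored value using the given hashing function (constructed input)."""
    start = time.perf_counter()
    for i in range(sample):
        hasher(f"candidate{i}")
    return sample / (time.perf_counter() - start)


def slowdown_factor(sample: int = 20) -> float:
    """Ratio of raw-SHA-256 guess rate to PBKDF2 guess rate on this machine."""
    salt = os.urandom(SALT_BYTES)
    fast = guesses_per_second(lambda p: hashlib.sha256(salt + p.encode()).digest(), sample)
    slow = guesses_per_second(lambda p: hash_password(p, salt)[1], sample)
    return fast / slow


if __name__ == "__main__":
    salt, digest = hash_password("correct horse battery staple")
    print("verify:", verify_password("correct horse battery staple", salt, digest))
    print(f"each PBKDF2 guess costs about {slowdown_factor():.0f}x a raw SHA-256 guess")
```

The point of the ratio is that a per-guess slowdown applies to every one of the attacker's billions of guesses per second, whereas a salt only stops precomputation; both are needed.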

With cracking software, weak passwords are the first ones to go, because they're easily guessed by the software's algorithms. A strong password amounts to a last line of defense, and long passwords had proven particularly tough to guess.

But as Hashcat proves, it's not as difficult to figure out lengthy passwords as it used to be. To crack longer passwords, crackers are adding bible passages, book quotes and even online discussions to their dictionaries, increasing the odds of finding passwords based on common phrases.

Protect yourself!

Fortunately, it's relatively easy to minimize the potential damage wrought by password crackers like Hashcat. The tool cracks hashed passwords with (relative) ease, but your hashed passwords need to be leaked from a compromised website before would-be hackers can get to crackin'.

So consider this your routine reminder not to use the same password on every site, no matter how long or complicated it is. PCWorld's Alex Wawro has a stellar guide on creating sturdy, crack-resistant passwords with minimal hassle, or you can use password management programs like KeePass or LastPass. Beyond mere passwords, set up two-factor authentication on your most sensitive accounts. And for goodness' sake, don't be one of those people who use "password" or "123456."
