Passwords are a pain to deal with, but they’re a necessary everyday evil. Sure, we try to sidestep them with more convenient options such as facial recognition and fingerprint scanners, but that sort of technology in consumer-grade electronics is still relatively immature. So in the meantime we’ll have to stick with old-fashioned passwords, and be careful: as this means of security continues to age, the tools working against it continue to improve.
ArsTechnica’s article on the technology of cracking passphrases sheds some unnerving light on the topic. “Dictionary hacks” use extensive lists of words and phrases to guess passwords, and such attacks are augmented by applying programmatic rules to the lists. Rules include adding letters or numbers to the beginning or end of words, combining words together, and adding or removing spaces. Even “mangling” one’s password can’t be considered safe. Mangling means altering the capitalization of a password or substituting certain characters in it. For instance, the word “coffees” can be mangled into “coffeeS” or “c0ff33s.” It may seem that obfuscating ordinary words in this manner would be effective, but dictionary hacks account for exactly these types of modifications: the cracker generates the mangled variants of every list entry automatically.
But eventually these dictionaries run out of words and crackers must turn to other sources. Security researchers Kevin Young and Josh Dustin took to Internet sites such as Wikipedia and Project Gutenberg, the world’s single largest collection of free eBooks, to cull phrases that people might use in their passwords.
The biggest threat to password security is human psychology and how people end up picking their passwords in the first place. There’s the idea that making a password longer makes it more secure, so people pick long phrases instead of single words. This is often an exercise in futility, because those phrases are usually chosen because they’re easy to remember, and that’s exactly where their vulnerability lies. It’s only human nature to pick something familiar and convenient. For instance, even a seemingly complex phrase like “Ph’nglui mglw’nafh Cthulhu R’lyeh wgah’nagl fhtagn1” can easily be overcome. Literary fans can tell from the abundance of apostrophes that this is a phrase from H.P. Lovecraft’s “The Call of Cthulhu,” and it appears on the story’s Wikipedia page, which dictionary hackers have already scraped. By gathering phrases from these sources, crackers are training their computers to think more like humans.
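To make the mechanics of the two preceding paragraphs concrete, here is an added example (not code from the ArsTechnica article or from Young and Dustin’s toolkit) of a small rule engine that expands a scraped word or phrase list into candidate passwords: it combines words, adds or removes spaces, changes capitalization, applies character substitutions, and prepends or appends a digit, then hashes each candidate against a target. The substitution table, the list of rules and the sample inputs are constructed for illustration and are an assumption about what a real cracking rule set contains; real tools ship far larger rule sets, but the principle is the same.

```python
"""Rule-based wordlist expansion in the style of a "dictionary hack".

Added illustration; the rule set and LEET table are constructed assumptions,
not the rules of any particular cracking tool.
"""

import hashlib
from itertools import product

# Character substitutions applied when "mangling" a word (constructed table).
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}


def case_rules(word):
    """Capitalization variants: as-is, lower, UPPER, Capitalized, last letter upper."""
    out = {word, word.lower(), word.upper(), word.capitalize()}
    if word:
        out.add(word[:-1] + word[-1].upper())
    return out


def leet_rules(word):
    """Every combination of LEET substitutions, including none (2^n variants
    for n substitutable characters), so 'coffees' also yields 'c0ff33s'."""
    positions = [i for i, ch in enumerate(word) if ch.lower() in LEET]
    out = set()
    for mask in product((False, True), repeat=len(positions)):
        chars = list(word)
        for on, i in zip(mask, positions):
            if on:
                chars[i] = LEET[chars[i].lower()]
        out.add("".join(chars))
    return out


def affix_rules(word, digits=range(10)):
    """Prepend or append a single digit; the unmodified word is kept too."""
    out = {word}
    for d in digits:
        out.add(f"{word}{d}")
        out.add(f"{d}{word}")
    return out


def space_rules(phrase):
    """Keep spaces, drop them (people omit them for convenience), or replace them."""
    return {phrase, phrase.replace(" ", ""), phrase.replace(" ", "_")}


def expand(base_words, combine=True):
    """Apply combination, space, case, leet and affix rules to every entry."""
    seeds = set(base_words)
    if combine:
        # Combination rule: any two entries concatenated with no separator.
        for a, b in product(base_words, repeat=2):
            seeds.add(a + b)
    candidates = set()
    for seed in seeds:
        for spaced in space_rules(seed):
            for cased in case_rules(spaced):
                for mangled in leet_rules(cased):
                    candidates.update(affix_rules(mangled))
    return candidates


def sha256_hex(text):
    """Hex SHA-256 of a string; stands in for whatever hash a leak contains."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def crack(target_hex, base_words):
    """Return the candidate whose SHA-256 matches target_hex, or None."""
    for candidate in expand(base_words):
        if sha256_hex(candidate) == target_hex:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample inputs: one dictionary word and one scraped phrase.
    scraped = ["coffees", "Ph’nglui mglw’nafh Cthulhu R’lyeh wgah’nagl fhtagn"]
    for secret in ("c0ff33s", "coffeeS",
                   "Ph’nglui mglw’nafh Cthulhu R’lyeh wgah’nagl fhtagn1"):
        print(secret, "->", crack(sha256_hex(secret), scraped))
```

The point of the example is the size of the search the rules buy the attacker: a single scraped phrase with six substitutable letters already yields several thousand candidates once space, case, substitution and digit rules are stacked, and every one of them is tried in a fraction of a second on a GPU. A “mangled” phrase is therefore only as strong as the phrase it was mangled from.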
Password crackers can even extrapolate predictable patterns that reveal a lot about the human mind, at least with regard to password selection. Long phrases rarely contain extra characters because they’re more difficult for humans to type. Long phrases often omit spaces for convenience, and you’ll find that many passwords are either quotes from the Bible or four-letter curse words.
Social media sites such as Facebook, Twitter and YouTube are also teeming with word phrases for crackers to mine. In one instance, crackers were able to find passwords by using a combination of leaked hashes from military dating website Militarysingles.com and Twitter searches. “On Militarysingles.com, people used passwords like ‘hooah’,” said Dustin. “That’s not a word that will be in your dictionary, but by supplying the words ‘marines’ and ‘navy,’ you’re going to end up with words like ‘hooah’ in your list. With Twitter, it lets you target specific password users.”
Even YouTube’s bottom-of-the-barrel comments prove useful for providing instances of slang and misspellings, which are likely to be incorporated into password phrases. Dustin explained, “That’s the way people do their passwords quite often. You often find a lot of slang, and a lot of that slang doesn’t end up in a dictionary or even on Wikipedia or in a book.”
And the phrase list is ever evolving. Gigabytes upon gigabytes of words and word phrases sit on Dustin’s hard drive. “The same way the GPU has jumped, we’ve jumped the whole traditional word list. So now we’ve got well over a billion phrases from Gutenberg alone. And we’ll just do a Twitter dump tomorrow and get everything that’s changed since then.”
By Alfredo Dizon, eParisExtra