The latest version of hashcat, oclHashcat-plus v0.15, was released over the weekend. It is, says lead developer Jens Steube under the handle Atom, “the result of over 6 months of work, having modified 618,473 total lines of source code.”
Hashcat is a freely available password cracker. It is clearly a dual-purpose weapon: it can be used by security auditors to stress-test company passwords, and it can be used by criminals to crack lists of stolen passwords. One of its biggest weaknesses had been an inability to handle passwords longer than 15 characters; the new version can handle passwords and passphrases typically up to 55 characters in length.
“This was by far one of the most requested features”, notes Steube. “We resisted adding this ‘feature’, as it would force us to remove several optimizations, resulting in a decrease in performance for the fast hashes.” So the new version also comes with a downside – a performance hit that “typically averages around 15%.”
In reality, this probably won’t worry its users too much. It is an offline cracker, which means it works against lists of password hashes rather than attempting logins against a live system. For security administrators and auditors, these lists will be taken from the company servers. For criminals – whether they are the original hackers or just script kiddies downloading online hacking dumps – they come from stolen password hashes.
Robin Wood, a whitehat freelance auditor and researcher, explained how he uses hashcat for good purposes. “One of my main uses for it is to show clients if their password complexity policies are working”, he told Infosecurity. “If I get a set of hashes from a Windows domain I'll crack as many as I can and then analyze the results looking for patterns, lengths, recurring words etc.” Wood is the developer of Pipal, which is used by many security researchers to analyze passwords.
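The kind of analysis Wood describes (lengths, recurring words, patterns in a set of cracked passwords) is straightforward to script. The following is an added example written for this article; it is not Pipal's code nor anything from the hashcat project. The sample passwords, the policy thresholds and the pattern categories are all constructed assumptions, standing in for what an auditor would see after cracking a domain's hashes.

```python
"""Pipal-style analysis of an audit's cracked passwords (added example).

Input is a constructed list of plaintexts standing in for what a cracker
would recover from a domain's hash dump. The sample passwords and the
policy thresholds below are assumptions made for illustration.
"""
from collections import Counter
import re

# Constructed sample: what an auditor might see after cracking a hash dump.
CRACKED = [
    "Summer2013!", "Summer2012", "Password1", "password", "Welcome1",
    "Company123", "company2013", "letmein", "Winter13!", "Qwerty12",
    "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn1",
]

CLASS_PATTERNS = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def char_classes(pw):
    """Return the set of character classes present in a password."""
    return {name for name, pat in CLASS_PATTERNS.items() if pat.search(pw)}


def length_histogram(passwords):
    """Count passwords by length, the first thing an auditor looks at."""
    return dict(Counter(len(pw) for pw in passwords))


def base_word(pw):
    """Strip trailing digits/symbols and lowercase, exposing the reused root."""
    return re.sub(r"[0-9\W_]+$", "", pw).lower()


def recurring_base_words(passwords, min_count=2):
    """Base words seen at least min_count times, most common first."""
    counts = Counter(base_word(pw) for pw in passwords)
    return [(w, c) for w, c in counts.most_common() if c >= min_count and w]


def policy_compliance(passwords, min_len=8, min_classes=3):
    """Fraction of passwords meeting an assumed complexity policy."""
    ok = sum(1 for pw in passwords
             if len(pw) >= min_len and len(char_classes(pw)) >= min_classes)
    return ok / len(passwords) if passwords else 0.0


def suffix_pattern(pw):
    """Classify the trailing digits: a year, a short counter, or none."""
    m = re.search(r"(\d+)\W*$", pw)
    if not m:
        return "none"
    digits = m.group(1)
    if len(digits) == 4 and digits.startswith(("19", "20")):
        return "year"
    return "short-number" if len(digits) <= 3 else "long-number"


def suffix_report(passwords):
    """Distribution of suffix patterns across the cracked set."""
    return dict(Counter(suffix_pattern(pw) for pw in passwords))


if __name__ == "__main__":
    print("lengths:", length_histogram(CRACKED))
    print("recurring base words:", recurring_base_words(CRACKED))
    print("suffixes:", suffix_report(CRACKED))
    print(f"policy compliance: {policy_compliance(CRACKED):.0%}")
```

Note what the numbers say about the policy rather than about individual users: most of the sample passes a "8 characters, 3 classes" rule, yet the same few base words recur with a year or a one-digit counter appended. That is the pattern a cracker's rules are built around, and it is the finding that matters to the client, not the list of plaintexts itself.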
A blackhat will use hashcat in a similar manner. He will either have stolen the passwords or have got them from the original hacker. He will use hashcat in a similar fashion against the list of passwords, but will then use the cracked passwords to access the users’ accounts – or sell the cracked passwords to other criminals to use as they will.
What the new version of hashcat demonstrates is that size is no longer as important as it used to be – it’s what the user does with the characters that matters. Length is still important; but rather than just a combination of words or phrases, it should be a mix of characters, numbers and punctuation symbols. Ars Technica illustrates the problem: Yiannis Chrysanthou cracked ‘Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn1’, an occult phrase from an H.P. Lovecraft story. “But because the phrase was contained in this Wikipedia article, it wound up in a word list that allowed Chrysanthou to crack the phrase in a matter of minutes”, warns Ars.
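The Lovecraft example shows why a password policy should screen candidates against a wordlist rather than only count characters. The following added example (written for this article, not code from hashcat, Ars Technica or KeePass) does that screening from the defender's side: it applies the same cheap normalizations a cracker's rules would undo (lowercasing, a trailing digit or symbol run), looks the result up in a wordlist, and contrasts the guess space of a wordlist hit with that of a randomly generated password. The wordlist, the candidates and the "ten rules" figure are constructed assumptions.

```python
"""Wordlist screening for a password policy (added example, not hashcat's code).

A long passphrase is only as strong as its obscurity: if it sits in a
wordlist, a cracker recovers it with trivial mangling in seconds. This
check applies that mangling in reverse before accepting a candidate, and
contrasts it with a randomly generated password. The wordlist, the sample
candidates and the rule count are constructed for illustration.
"""
import math
import re
import secrets
import string

# Constructed wordlist: a few dictionary words plus a phrase lifted from a
# public web page, the way real wordlists are assembled from scraped text.
WORDLIST = {
    "password", "summer", "welcome", "letmein",
    "ph'nglui mglw'nafh cthulhu r'lyeh wgah'nagl fhtagn",
}

# The 51-character phrase from the article, with the trailing "1" appended.
SCRAPED_PHRASE = "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn1"

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def normalized_variants(candidate):
    """Yield the forms a cracker's cheap rules would produce from a wordlist
    entry: lowercased, and with any trailing digits/symbols removed."""
    lowered = candidate.lower()
    yield lowered
    stripped = re.sub(r"[0-9\W_]+$", "", lowered)
    if stripped != lowered:
        yield stripped


def in_wordlist(candidate, wordlist=WORDLIST):
    """True if any cheap normalization of the candidate is a wordlist entry."""
    return any(v in wordlist for v in normalized_variants(candidate))


def generate_password(length=16):
    """Random password drawn with the secrets module from the full alphabet,
    retried until all four character classes are present (the approach a
    password manager's generator takes; assumption, not KeePass's code)."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


def guess_space_bits(candidate, wordlist=WORDLIST, rules=10):
    """Rough strength estimate in bits. A wordlist hit costs about
    log2(|wordlist| * rules) guesses regardless of its length; anything else
    is bounded above by log2(|alphabet| ** len), which is only reached when
    the password really is uniformly random (as generate_password produces)."""
    if in_wordlist(candidate, wordlist):
        return math.log2(len(wordlist) * rules)
    return len(candidate) * math.log2(len(ALPHABET))


if __name__ == "__main__":
    for cand in (SCRAPED_PHRASE, "Summer2013!", generate_password(16)):
        print(f"{cand!r}: in wordlist={in_wordlist(cand)}, "
              f"~{guess_space_bits(cand):.1f} bits")
```

The point the numbers make: the 51-character phrase is worth under six bits once it is in a wordlist, while a 16-character random string from a 94-symbol alphabet is worth over a hundred. Length only helps when the characters were not chosen by anyone else first; a blocklist check of this shape (NIST's current guidance recommends one) catches the phrase before it ever reaches a hash dump.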
Users should consider the use of a password manager, such as KeePass, to generate strong passwords that won’t be found in dictionaries. And of course, they should use a unique password for each different online account – that way even if it is stolen by a hacker and cracked by hashcat, it will at least be only one account that is compromised.