[OPLIN 4cast] OPLIN 4cast #357: Can words still protect us?
Editor
editor at oplin.org
Wed Oct 23 10:30:14 EDT 2013
October 16th, 2013
Over the past couple of months, Dan Goodin wrote two articles in
/Ars Technica/ about password and passphrase protection that have been
widely quoted in the tech media. (We link to the longer one of them
below.) The articles were prompted by the release of a new version of
Hashcat, a password cracking program that can now recover passwords up
to 55 characters long. Because software like this keeps making password
cracking easier, it is common to see recommendations that users instead
use a pass/phrase/ - a long series of words that is easier to remember
than a single complex pass/word/. But if passphrases are too easy, they
may not be any better protection than passwords.
* How the Bible and YouTube are fueling the next frontier of password
cracking
<http://arstechnica.com/security/2013/10/how-the-bible-and-youtube-are-fueling-the-next-frontier-of-password-cracking/>
(Ars Technica/Dan Goodin) "As awareness has grown about the growing
insecurity of passwords that were presumed strong only a few years
ago, many people have turned to passphrases, often pulled from what
they believe are overlooked songs, books, or other sources. The idea
is to generate a long passcode that contains upper- and lower-case
letters and possibly punctuation that's nonetheless easy to
remember. This turns out to be largely an exercise in futility. As
is the case with passwords, the same thing that makes passphrases
easy to remember makes them susceptible to easy cracking."
* Books and Youtube are supplying password crackers with billions of
passphrases
<http://www.tested.com/tech/concepts/458515-books-and-youtube-are-supplying-password-crackers-billions-passphrases/>
(Tested/Wesley Fenlon) "And now crackers have discovered that
resources like the Bible, Wikipedia, and the Gutenberg archive
provide millions of phrases that people may use for passwords,
believing that they're long enough to be secure or unknown enough to
be unguessable. 'Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl
fhtagn1' from H.P. Lovecraft is a prime example. No computer could
bruteforce such a complex password string, but no computer will have
to - once that phrase is in a dictionary, it's easy to crack."
* Is it truly, finally, sadly, game over for passwords?
<http://www.nealofarrell.com/20130829142/cybercrime/this-week-insecurity-august-29th-2013-is-it-truly-finally-sadly-game-over-for-passwords.html>
(Neal O'Farrell) "A passphrase should not simply be a statement or
saying that you read somewhere or remembered from childhood. Because
if it's been used before, chances are it's already in a dictionary
and could be guessed. A real passphrase is supposed to be something
about you and your life that is unlikely to be on the internet and
guessable by a hacker. And taking it one step forward, and one very
crucial step, you don't use the exact passphrase but only selected
elements."
* Password cracker cracks 55 character passwords
<http://www.infosecurity-magazine.com/view/34207/password-cracker-cracks-55-character-passwords>
(Infosecurity) "What the new version of hashcat demonstrates is that
size is no longer as important as it used to be - it's what the user
does with the characters that matters. Length is still important;
but rather than just a combination of words or phrases, it should be
a mix of characters, numbers and punctuation symbols."
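
The point the quoted articles make, as an added example that is not part of the original newsletter or the linked articles: a sign-up check that compares a length-based strength estimate with what a phrase is worth once it appears in a list of known phrases. KNOWN_PHRASES is a constructed sample list, and VARIANTS_PER_PHRASE is an assumed figure for illustration.

```python
import math
import re
import string

# Constructed sample list. A real deployment would index lines from public
# texts (scripture, Project Gutenberg, Wikipedia, lyrics) and leaked passwords.
KNOWN_PHRASES = [
    "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn",
    "In the beginning God created the heaven and the earth",
    "It was the best of times, it was the worst of times",
]
# Assumed number of case/spacing/suffix variations tried per known phrase.
VARIANTS_PER_PHRASE = 1000


def normalize(text):
    """Fold case and keep letters only, so spacing, punctuation and
    appended digits all collapse to the same key."""
    return re.sub(r"[^a-z]", "", text.lower())


def naive_bits(candidate):
    """Length-based estimate: len * log2(size of character classes used)."""
    pool = 0
    if any(c in string.ascii_lowercase for c in candidate):
        pool += 26
    if any(c in string.ascii_uppercase for c in candidate):
        pool += 26
    if any(c in string.digits for c in candidate):
        pool += 10
    if any(c in string.punctuation + " " for c in candidate):
        pool += 33
    return len(candidate) * math.log2(pool) if pool else 0.0


def screen(candidate, phrases=KNOWN_PHRASES):
    """Return (accepted, estimated_bits) for a proposed passphrase."""
    index = {normalize(p) for p in phrases}
    if normalize(candidate) in index:
        # Guessing cost is bounded by list size times variations, not length.
        return False, math.log2(len(index) * VARIANTS_PER_PHRASE)
    return True, naive_bits(candidate)


if __name__ == "__main__":
    quoted = "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn1"
    print(round(naive_bits(quoted)), screen(quoted))
    print(screen("vellum taxi orbit 94 quince"))
```

For an accepted candidate the returned figure is still only the length-based estimate, which holds only when the content was chosen at random.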
*/Hashcat fact:/*
Hashcat <http://hashcat.net/oclhashcat-plus/> claims to be the world's
"fastest md5crypt, phpass, mscash2 and WPA/WPA2 cracker." It's also free.
------------------------------------------------------------------------
The */OPLIN 4cast/* is a weekly compilation of recent headlines, topics,
and trends that could impact public libraries. You can subscribe to it
in a variety of ways, such as:
* *RSS feed.* You can receive the OPLIN 4cast via RSS feed by
subscribing to the following URL:
http://www.oplin.org/4cast/index.php/?feed=rss2.
* *Live Bookmark.* If you're using the Firefox web browser, you can go
to the 4cast website (http://www.oplin.org/4cast/) and click on the
orange "radio wave" icon on the right side of the address bar. In
Internet Explorer 7, click on the same icon to view or subscribe to
the 4cast RSS feed.
* *E-mail.* You can have the OPLIN 4cast delivered via e-mail (à la
OPLINlist and OPLINtech) by subscribing to the 4cast mailing list at
http://mail.oplin.org/mailman/listinfo/OPLIN4cast.