10-08-2013 01:58 PM
Early last year, password security researcher Kevin Young was hitting a brick wall. Over the previous few weeks, he made steady progress decoding cryptographically protected password data leaked from the then-recent hack of intelligence firm Stratfor. But with about 60 percent of the more than 860,000 password hashes cracked, his attempts to decipher the remaining 40 percent were failing.
The so-called dictionary attacks he mounted using lists of more than 20 million passwords culled from previous website hacks had worked well. Augmented with programming rules that substituted letters for numbers or combined two or more words in his lists, his attacks revealed Stratfor passwords such as "pinkyandthebrain," "pithecanthropus," and "moonlightshadow." Brute-force techniques trying every possible combination of letters, numbers, and special characters had also succeeded at cracking all passwords of eight or fewer characters. So the remaining 344,000 passwords, Young concluded, must be longer words or phrases few crackers had seen before.
"I was starting to run out of word lists," he recalled. "I was at a loss for words—literally."
He cracked the first 60 percent of the list using the freely available Hashcat and John the Ripper password-cracking programs, which ran the guesses through the same MD5 algorithm Stratfor and many other sites used to generate the one-way hashes. When the output of a guessed word matched one of the leaked Stratfor hashes, Young would have successfully cracked another password. (Security professionals call the technique an "offline" attack because guesses are never entered directly into a webpage.) Now, with his arsenal of dictionaries exhausted and the exponential increase in the time it would take to brute force passwords greater than eight characters, Young was at a dead end. In the passwords arms race, he was losing. Young knew he needed to compile new lists of words he never tried before. The question was where to find the words.
A long but interesting article.