Effect of Grammar on Security of Long Passwords
#1
(01-11-2013, 02:07 PM)atom Wrote: This topic seems to be really important for you.

Respectfully, it is pretty important for WPA work. Things like Diceware have been around for a long time but people are starting to realize that there is a certain measure of security to be gained simply by bigger-is-better. And with WPA/WPA2 already forcing you to use at least eight, even the most security-blind users are already past the half way point on password length limitations.

A paper from Carnegie Mellon was released recently on the trend towards long passwords. Hashcat gets mention in the paper:
Effect of Grammar on Security of Long Passwords

Although they don't mention (unless I missed it) that Hashcat has a length limitation, a number of their tests start at 16 character-length passwords and go up. The paper is not focused on WPA but they've done some interesting research into how people choose passphrases and reinforces the idea that password length is important. Worth a read.
#2
They tested Hashcat CPU and does not have that limit?
#3
why are you cross-posting? this is the same comment you left on another thread.
#4
I removed it from there and split it to here because it didnt fit in the other thread
#5
oh, ok.
#6
Thank you atom. I wasn't trying to bump that old thread back up, it's just that it laid fallow for a couple days before I read it. I thought this paper might be appropriate to the discussion but I'm happy to have it posted wherever you like. Thank you for not deleting it!

I don't know which of your tools Ashwini tested with. I believe when she was referring to "Hashcat" she was probably talking about the entire suite of tools. It's not clear from the paper what results they got with anything other than JTR. No mention of a length limitation was made and I didn't even see any mention of the hash type so they may have simply done simple MD5 tests to come to their research conclusions. They may also have just stuck with CPU tests rather than GPU because they didn't actually need to break the passphrases, they just needed to understand how one MIGHT go about trying.

As I said, the paper certainly wasn't just about length (in one spot they point out that longer is NOT always better) it was more about the structure of long passwords. Kind of drawing the correlation to words that Markov chains have to characters.

Anyway, food for thought....

Thanks.
#7
In the abstract they write:
"We show that using a better dictionary e.g. Google Web Corpus, we can crack more long passwords than previously shown (20.5% vs. 6%)."

The discuss methods using corpus linguistic tools, much like I wrote about when I first joined the Hashcat forums.