Submitted via IRC for TheMightyBuzzard
CynoSure Prime, a "password research collective", has reversed the hashes of nearly 320 million hashed passwords provided by security researcher Troy Hunt through the Pwned Passwords searchable online database.
Their effort, pulled off with the help of two other researchers, revealed many things:
- Interesting statistics regarding these real world passwords exposed in data breaches,
- The fact that this database also contains some 2.5 million email addresses and 230,000 email/password combinations (Hunt intends to purge that data from the database), and
- Some bugs in the Hashcat password recovery tool.
"The longest password we found was 400 characters, while the shortest was only 3 characters long. About 0.06% of passwords were 50 characters or longer with 96.67% of passwords being 16 characters or less," the collective shared.
"Roughly 87.3% of passwords fall into the character set of LowerNum 47.5%, LowerCase 24.75%, Num 8.15%, and MixedNum 6.89% respectively. In addition we saw UTF-8 encoded passwords along with passes containing control characters."
Source: https://www.helpnetsecurity.com/2017/09/05/researchers-reverse-320-million-hashed-passwords/
(Score: 3, Insightful) by stormwyrm on Wednesday September 06 2017, @02:55PM
A 400-character password though is something else. Even if it is an XKCD 936-style password, given that the average English word is five characters, that would mean it'd be made up of something like 80 words, and assuming you get words from the canonical 2048-word dictionary of common words, that still means you'd have to go through 2048^80 possible passwords, approximately 10^264 possible passwords. Don't be too quick to scoff at XKCD 936. Simply increasing the number of words to 12 gets you 10^39 possible passwords, roughly equivalent to a 132-bit cryptographic key. This is enough entropy that an intelligence agency would rather consider other methods of breaking the password than by brute force. At the same time I'd think it's not that hard to remember a dozen random words. The human mind is good at making up stories based on them. Just 25 random words gets you to 10^82 possible passwords, more passwords than there are sub-atomic particles in the visible universe, and I don't think it's that much harder for a typical person to remember.
First possibility though, sounds more likely. It's probably a match to some known text. The entire text in the Library of Congress is somewhere in the 10 TB range (10^13 characters). To choose a password at random this way you need to pick a starting position (10^13 possibilities) and a length (400 possibilities), so there are only about 10^15 possible passwords of this type, 52 bits of entropy. It's not much better than a 4-word XKCD 936 password (44 bits).
Plurality must never be posited without necessity.
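As an added illustration of the kind of statistics quoted in the article (character-class breakdown, length distribution) and of the entropy arithmetic in the comment above, the following Python is my own, not code from CynoSure Prime, Hunt or the commenter; the class definitions (LowerNum, MixedNum and so on) are assumptions, since the article does not define them, and the password list is constructed.

```python
import math
from collections import Counter

# Character-class labels modelled on the ones quoted in the article. The exact
# rules CynoSure Prime used are not given there, so these definitions are assumed.
def charset_class(pw: str) -> str:
    if any(not c.isalnum() for c in pw):
        return "Special"            # punctuation, spaces, control characters
    kinds = (any(c.islower() for c in pw),
             any(c.isupper() for c in pw),
             any(c.isdigit() for c in pw))
    table = {
        (True, False, False): "LowerCase", (False, True, False): "UpperCase",
        (False, False, True): "Num",       (True, False, True): "LowerNum",
        (False, True, True): "UpperNum",   (True, True, False): "MixedCase",
        (True, True, True): "MixedNum",
    }
    return table.get(kinds, "Other")

def summarize(passwords):
    """Length and character-class statistics in the shape the article reports."""
    n = len(passwords)
    lengths = [len(p) for p in passwords]
    classes = Counter(charset_class(p) for p in passwords)
    return {
        "count": n,
        "shortest": min(lengths),
        "longest": max(lengths),
        "pct_le_16": 100 * sum(l <= 16 for l in lengths) / n,
        "pct_ge_50": 100 * sum(l >= 50 for l in lengths) / n,
        "class_pct": {k: 100 * v / n for k, v in classes.items()},
    }

# Entropy estimates from the comment: n words drawn uniformly from a dictionary,
# versus a random substring (start position x length) of a known corpus.
def passphrase_bits(words: int, dict_size: int = 2048) -> float:
    return words * math.log2(dict_size)

def corpus_substring_bits(corpus_chars: int, max_len: int) -> float:
    return math.log2(corpus_chars * max_len)

# Constructed sample, not data from Pwned Passwords.
SAMPLE = ["123456", "password", "hunter2", "letmein1",
          "Passw0rd", "p@ss", "qwerty", "x" * 52]

if __name__ == "__main__":
    print(summarize(SAMPLE))
    print(passphrase_bits(12), passphrase_bits(4))
    print(round(corpus_substring_bits(10**13, 400)))
```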