During the past half-decade, three factors have fueled a renaissance in password cracking. While password-recovery programs have gained immense computational power by offloading the intensive calculations of dictionary-based and brute-force guessing to off-the-shelf graphics processors, users continue to use the same mnemonics to create passwords that seem secure while being easily memorized. Yet the insecurity of websites — from LinkedIn to Stratfor and from RockYou to Sony — has given researchers real-world lists of millions of hashes from which to uncover the systems that people use to create their passwords.
The result is that, at the same time that the power of cracking programs has skyrocketed, researchers are smarter at guessing the ways that users might create passwords, whittling down the lists of possible passwords. By creating better word lists and more intelligent methods of mangling real words and phrases, hackers and researchers can make an untenable computational problem much more feasible, said Olga Koksharova, spokeswoman for password-recovery firm ElcomSoft, in an e-mail interview.