Nothing, it seems, can guarantee a password is uncrackable these days. In fact, now even the word of God is working against us. More specifically, the Bible, which some hackers have turned to as a source of phrases used as long, seemingly secure passwords. Turns out they're not so secure after all.
In a feature titled "How the Bible and YouTube are fueling the next frontier of password cracking," Ars Technica writes that hackers are now turning to vast resources of phrases to crack passwords that were previously untouchable by password dictionaries. And those dictionaries are already quite powerful these days. They can contain up to a billion entries consisting of real words, popular combinations, and millions of passwords gathered from compromised websites.
Cracking augmentation software is also sophisticated enough to use these dictionaries in various combinations. Augmentation software will modify dictionary entries by removing spaces from words, replacing letters with numbers, and appending random digits to words.
Ars writes "One such rule, known as a 'combinator' attack, runs two or more words together and either strips out all the spaces or leaves them intact. Other 'mangling' and 'hybrid' rules account for variations in capitalization, character substitutions, and other tweaks. As a result, cracking programs not only try the word 'house' as included in a cracking dictionary, but also 'House,' 'housE,' 'hou$e,' and 'house1997.' With each successful match, crackers gain increasing insight into the words people pick to secure their digital assets. In that way, the collective corpus of passwords grows larger each day."
And now crackers have discovered that resources like the Bible, Wikipedia, and the Gutenberg archive provide millions of phrases that people may use for passwords, believing that they're long enough to be secure or unknown enough to be unguessable. "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn1" from H.P. Lovecraft is a prime example. No computer could brute-force such a complex password string, but no computer will have to--once that phrase is in a dictionary, it's easy to crack.
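As an added example (not from the Ars feature or this post), here is a defender-side check built around the mangling and combinator rules described above: it peels those transformations off a candidate passphrase and asks whether what remains is a phrase or word a cracking dictionary would already hold. The phrase corpus and wordlist are constructed stand-ins for the real ones.

```python
import re

# Constructed sample corpus standing in for the phrase dictionaries the
# article describes (scripture, Wikipedia, Project Gutenberg, Lovecraft).
PHRASE_CORPUS = [
    "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn",
    "In the beginning God created the heaven and the earth",
    "to be or not to be",
]
# Constructed stand-in for an ordinary cracking wordlist.
WORD_LIST = ["house", "correct", "horse", "battery", "staple", "password"]

# Undo the character substitutions a 'mangling' rule applies ('hou$e' -> 'house').
# Digits are only un-leeted *after* the trailing suffix is removed, so the
# '1997' in 'house1997' is not turned into letters.
_UNLEET = str.maketrans("$@4301!57", "saaeoiist")

def canonical(text: str) -> str:
    """Collapse a phrase to the form a dictionary entry would have: lowercase,
    no spaces or punctuation. Applied to both corpus entries and candidates."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def normalize_candidate(pw: str) -> str:
    """Strip the mangling layers a cracker stacks on a dictionary phrase:
    trailing digits/punctuation, leet substitutions, case and spacing."""
    s = re.sub(r"[^A-Za-z]+$", "", pw)      # 'house1997' -> 'house'
    s = s.lower().translate(_UNLEET)        # 'hou$e'     -> 'house'
    return canonical(s)

_PHRASES = {canonical(p) for p in PHRASE_CORPUS}
_WORDS = {canonical(w) for w in WORD_LIST}

def check_passphrase(pw: str):
    """Return why the passphrase is dictionary-derived, or None if it is not.
    Checks in the order the article describes: plain phrase lookup, then a
    single mangled word, then a 'combinator' of two dictionary words."""
    canon = normalize_candidate(pw)
    if not canon:
        return None
    if canon in _PHRASES:
        return "known phrase"
    if canon in _WORDS:
        return "dictionary word"
    for i in range(1, len(canon)):
        if canon[:i] in _WORDS and canon[i:] in _WORDS:
            return "combinator of dictionary words"
    return None
```

A real deployment would load the corpus from disk and also reject a passphrase that merely contains a long dictionary phrase, but the normalization step is the part that defeats the mangling rules.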
Wikipedia and books provide a limitless supply of lengthy phrases. YouTube and social media, meanwhile, provide slang and popular phrases. Ultimately, the biggest risk to password security is human psychology. We use passwords or passphrases that we can remember, and the more memorable one is, the easier it's going to be to crack. Ars Technica has some great quotes from white hat hackers in the full feature, and their efforts prove how quickly passphrase cracking is advancing. And, as these guys point out, they're working with simple hardware--basic desktop computers with 1TB hard drives.
To quote one of the white hats Ars spoke with: " 'I live in Utah, and from the break room window I can see the NSA facility,' [security researcher Kevin] Young said. Then, referring to his 1TB disk filled with phrases from all over the Internet, he added: 'That's probably nothing compared to what those guys have.' "