Twitter used to crack passwords released by hackers

SALT LAKE CITY — After a recent string of password breaches, a Utah man has developed a new method of password cracking that he hopes will let analysts test passwords the way attackers already do, and build better defenses as a result.

Josh Dustin, an information security analyst, said he and a friend were talking one day about password cracking when he had an idea — What if he could develop a way for analysts to test the strength of passwords in a way that is more targeted to their industry or company?

"The bad guys are doing that already," Dustin said. "They're going to be mining information about your company. We were trying to take that advantage they have away."

Dustin said password cracking usually relies on dictionary wordlists, but he started by using books, such as Shakespeare's complete works and the Bible, to narrow the number of words he was searching. He soon realized that books written centuries or even decades ago gave him little advantage over the hackers.

"A lot of the things people use for passwords are current slang, so we thought, 'Where can we find words and word combinations people use that don't end up getting published in books?' Wikipedia is one good source, but we thought it would be really cool if we could use Twitter."

So the two men wrote three lines of code that would find the last 500 tweets mentioning a supplied keyword. Dustin tested the resulting wordlists against password hashes (one-way digests of passwords rather than the passwords themselves) that a group of hackers had recently released after breaking into militarysingles.com.

"Someone who would have an account with that website would likely use words like 'military' or 'navy,' words relevant to their situation," Dustin said.

Their list of 10 keywords returned about 4,400 candidate words from Twitter, which cracked nearly 2,000 unique passwords. Dustin said the number of accounts cracked was higher still, because many users had chosen the same password as other account holders.
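The workflow described above, pulling tweets that mention a keyword, turning them into a wordlist, and running it against a leaked hash dump, as an added Python example that is not Dustin's code and does not appear in the article. The tweets and the "leaked" dump are constructed inline so it runs offline: the Twitter fetch is replaced by a fixed list, and the hash algorithm (unsalted MD5), the mangling rules and the user names are assumptions, since the article does not describe the dump's format.

```python
import hashlib
import re
from collections import Counter

# Constructed stand-in for "the last 500 tweets that mention a keyword";
# in practice this list would come from a Twitter search for each keyword.
SAMPLE_TWEETS = [
    "Proud to be #navy strong! hooyah",
    "Semper Fi to all my marines out there, oorah",
    "anchors aweigh!!! navy4life",
    "Back on base tomorrow. army strong, hooah",
    "hooyah navy strong, never forget",
]


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


# Constructed stand-in for a leaked (username, hash) dump. Unsalted MD5 is an
# assumption made for this example; the article does not give the dump's format.
LEAKED_DUMP = [
    ("alice", _md5("hooyah1")),
    ("bob",   _md5("Navy123")),
    ("carol", _md5("hooyah1")),                        # same password as alice
    ("dave",  _md5("oorah")),
    ("erin",  _md5("correct horse battery staple")),  # appears in no tweet
]

TOKEN_RE = re.compile(r"[A-Za-z0-9]+")


def build_wordlist(tweets, min_len=4):
    """Tokenise tweets and return unique candidate words, most frequent first.
    Hashtag marks and punctuation are stripped; short tokens are dropped."""
    counts = Counter()
    for tweet in tweets:
        for tok in TOKEN_RE.findall(tweet.lower()):
            if len(tok) >= min_len:
                counts[tok] += 1
    return [word for word, _ in counts.most_common()]


def mangle(word):
    """Small rule set applied to each word: as-is, capitalised, and with the
    digit suffixes people commonly append (assumed rules, not Dustin's)."""
    for base in (word, word.capitalize()):
        yield base
        for suffix in ("1", "123", "2012"):
            yield base + suffix


def crack(hashes, wordlist, algo="md5"):
    """Hash every mangled candidate and look it up in the set of target hashes.
    Returns {hash: plaintext} for the hashes recovered."""
    targets = set(hashes)
    found = {}
    for word in wordlist:
        for cand in mangle(word):
            digest = hashlib.new(algo, cand.encode()).hexdigest()
            if digest in targets:
                found[digest] = cand
                targets.discard(digest)
        if not targets:
            break
    return found


def accounts_cracked(dump, found):
    """Map recovered hashes back onto accounts. Because users share passwords,
    this list is usually longer than the list of unique plaintexts."""
    return [(user, found[h]) for user, h in dump if h in found]


if __name__ == "__main__":
    wordlist = build_wordlist(SAMPLE_TWEETS)
    found = crack([h for _, h in LEAKED_DUMP], wordlist)
    hits = accounts_cracked(LEAKED_DUMP, found)
    print(f"{len(wordlist)} candidate words, {len(found)} unique passwords, "
          f"{len(hits)} accounts cracked")
    for user, pw in hits:
        print(f"  {user}: {pw}")
```

Run as-is, the Twitter-derived words recover three unique passwords but four accounts, because two of the constructed users share "hooyah1"; the long passphrase that never appears in the tweets stays uncracked, which is the point of a targeted wordlist: it is cheap and precise, not exhaustive.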

He posted his method on his blog, hoping that the method would be helpful to those searching for a more effective way to test password security.

"What it really comes down to is you have hackers that are malicious who don't share how it's being done, and those of us who are trying to secure things," he said. "Disclosing this information helps us to be able to secure things better."

Things like LinkedIn, which, along with eHarmony, had millions of passwords stolen and leaked online on June 6.

Or federal and state websites, many of which have been hacked in recent months.

"We need to become more efficient at what we are testing," Dustin said. "Dictionaries get old. Books like 'Huck Finn' don't include current slang. We have to stay current with slang and common misspellings, and find words that are relevant to our specific targets, if we want better security."

Stephanie Grimes