Yiannis Chrysanthou, a security researcher who recently completed his MSc thesis on modern password cracking, was able to crack the password "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn1." That's the fictional occult phrase from the H.P. Lovecraft short story The Call of Cthulhu. It would have been impossible to use a brute-force attack or even a combined dictionary to crack a phrase of that length. But because the phrase was contained in this Wikipedia article, it wound up in a word list that allowed Chrysannthou to crack the phrase in a matter of minutes.However, PC World's report should quell some fears:
Until now, hackers and security consultants who cracked such words had to use software controlling the central processing unit of their computer or that used one or more graphics cards to crack a single hash. This weekend's update means that for the first time, Hashcat users can achieve speeds as high as eight billion guesses per second on a virtually unlimited number of compromised hashes. Breaking the 15-character limit is just one of several improvements designed to bring increased speed and precision to the password cracking program.
The tool shatters encryption with (relative) ease, but your hashed passwords need to be leaked from a compromised website before would-be hackers can get to crackin'.So, here's to hoping that there are some diligent website operators who keep their host servers secure. To be fair and clear, this does not mean that a would-be password cracker can point the tool at a website and have it just sit there until it ultimately guesses login credentials. The website itself would have to be compromised first.