In the vexing pursuit of passwords that are both easy to remember and hard to crack, many people embed clues into their login credentials, choosing, for instance, "playstationplaystationdec2014" to safeguard a recently created gaming account or "[email protected] w0rk!" for an IT administrative account at a financial services company. Now, a whitehat hacker is capitalizing on the habit with a tool that automates the process of launching highly targeted cracking attacks.
Dubbed WordHound, the freely available tool scours press releases, white papers, and Twitter accounts belonging to companies or sites that have recently suffered security breaches. The software then generates a list of commonly found words or phrases that attackers can use when trying to convert cryptographic hashes from compromised password databases into the corresponding plaintext passcodes. The tool, devised by security consultant Matthew Marx, was unveiled Wednesday at the Passwords 14 conference in Las Vegas.
"People are influenced greatly by their environment when choosing a password," Marx, who works for consultancy MWR Info Security, told Ars. "It could be a work environment, their personal life, or the sports teams they like. I wanted to create a tool that leveraged this human vulnerability."