Forensic Software Company Gives Personalized Password Cracking Tips

Elcomsoft, seller of forensic tools for law enforcement to extract data from user devices like phones and computers, has released a blog post on using information collected about individuals to make password cracking more efficient.

I’ve written extensively about the many problems with passwords, and this blog post only confirms what I’ve said before.

According to them, “almost every password-creation study shows that personal details frequently end up inside passwords.”

Since police typically know quite a bit of personal information about suspects, and they can gather even more from online sources like social media profiles, they can use this data to personalize the password cracking attempts for each specific person.

Before, the advice was vague, but the post gives highly specific guidance on how to structure the dictionary attack for the best results.

You can scream all day for people to use random, diceware passwords for their local encrypted drives, but in the end passwords incentivize laziness so people will almost always choose terrible passwords. A proper solution needs to enforce randomness and avoid the possibility of human error.

Unfortunately, though, we’re still stuck with them for now. So always use a completely random diceware password for local passwords on your encrypted devices and drives, and try to use passkeys for all your online accounts.
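As an added illustration (not code from Privacy Guides or Elcomsoft), the sketch below generates a diceware-style passphrase with the operating system's CSPRNG, computes its entropy, and flags a proposed password that contains known personal details. The function names, the 16-word sample list and the substitution mapping are assumptions made for this example.

```python
import math
import secrets

# Constructed 16-word sample list so the example runs offline. A real diceware
# list has 7776 words (five dice rolls per word); load one from a file instead.
SAMPLE_WORDS = ["anchor", "biscuit", "cobalt", "dagger", "ember", "fossil",
                "glacier", "harbor", "ivory", "jungle", "kettle", "lantern",
                "magnet", "nectar", "orbit", "pebble"]

# Common character substitutions undone before comparing (assumed mapping).
LEET = str.maketrans("013457@$", "oieastas")


def diceware(words, count=6, sep=" "):
    """Pick `count` words uniformly at random using the OS CSPRNG."""
    if len(set(words)) != len(words):
        raise ValueError("word list contains duplicates")
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(list_size, count):
    """Entropy of `count` words chosen uniformly and independently."""
    return count * math.log2(list_size)


def _norm(text):
    """Lower-case, undo simple substitutions, drop non-alphanumerics."""
    text = text.lower().translate(LEET)
    return "".join(c for c in text if c.isalnum())


def personal_tokens_in(password, facts, min_len=3):
    """Return the personal facts that appear inside `password`."""
    haystack = _norm(password)
    hits = []
    for fact in facts:
        needle = _norm(fact)
        if len(needle) >= min_len and needle in haystack:
            hits.append(fact)
    return hits


if __name__ == "__main__":
    facts = ["Rex", "1987", "Springfield"]      # constructed personal details
    print(personal_tokens_in("R3x_1987!", facts))
    phrase = diceware(SAMPLE_WORDS)
    print(phrase, personal_tokens_in(phrase, facts))
    print(round(entropy_bits(7776, 6), 1), "bits for six words from a full list")
```

The sample list gives only 4 bits per word; the entropy figure that matters is the one for a full 7776-word list.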
