Photo by Arteum.ro on Unsplash

Caution! Your Password Can Be Mine

A very short introduction to password cracking

By Felipe Ruiz | January 17, 2020

Passwords are currently the most popular authentication method in computer systems and IT, and can serve as protection of our private information in email and bank accounts, social networks, and many other apps.

If someone obtains your passwords, for example, you could lose important information or even lose a considerable amount of money. And, believe or not —while it’s true that some applications disregard security measures—, the fault is partly yours!

WTF
Figure 1. Photo by Bernard Hermant on Unsplash

Before we talk about password cracking, keep this in mind, there are some different ways to store passwords on systems:

  • The plaintext method is to store the password identically as entered.

  • The encryption method combines the password with another secret key; it’s like storing the password protected by another one.

  • The hashing method depends on a complex formula that modifies plaintext and produces a hash. Let’s talk about it.

Hashes

Let’s say that we’ve created a password for our email account, and that password is 'December' (brilliant, right?). This set of characters is our plaintext, the input for the hashing method. This method employs a cryptographic hash function —a one-way mathematical operation— and gives us a hash as an output.

But what is a hash? It’s a fixed-lenght ciphertext, and an arbitrary block of data. Look at this image:

MD5
Figure 2. Using MD5 to get a hash

And what does one-way mean? Well, you can’t easily go back to the plaintext (just reverse the formula) having only the hash.

Thus, with a specific plaintext, using a particular hash function, we get just one specific hash, not two, the same each time. Further, the same hash is never produced by two different inputs (although…​), and minimal changes in inputs generate substantial alterations in outputs.

So, for our email account employing the password 'December' the hash value is stored. When we log in again, the system will use the hash function, and the output will be compared with the stored hash value. Our authentication will be successful if those hash values are equal.

It’s in relation to those hashes that, in general terms, we describe the password cracking.

Password Cracking

Password cracking is based on the use of different techniques and tools to guess passwords. Sometimes it can be used to recover lost passwords or to test users' passwords within an organization but most commonly it can operate as an illicit activity.

In this process, employing a cracking software, we take the possible strings of characters and, with the hashing algorithm used for the password, convert them into hashes. Then we compare them with the hash that corresponds to the password.

Password cracking can be done both online and offline.

Online attacks take place with the constant protection of the system attacked, and use its login mechanisms, that’s why they’re easy to detect. After some failed attempts, the game is over for the cracker, and the account is locked up.

Offline attacks depend primarily on someone’s ability to break system security and obtain sets of hashes from databases. While there’s no active defense, attackers can try with as many passwords as they want and as long as they think necessary.

Here are some of the best-known methods:

Brute Force

Brute Force
Figure 3. Photo by Olga Guryanova on Unsplash

Brute force (BF) attack, since the early 1990s, has been an exhaustive method that takes for evaluation all possible combinations of characters that can be part of the password to be found. BF can become difficult and tedious considering the size of the search space and the time it would take the system according to its processing power.

In summary, the attacker must guide the system to a one-by-one comparison of hashes, testing millions of passwords, and that’s why this option is not the best when time is short. Although it is recognized that today’s advanced fast processors, and supplementary probability methods, give an advantage to this meticulous technique.

Dictionary

Dictionary
Figure 4. Photo by Pisit Heng on Unsplash

Dictionary attacks use prearranged wordlists with fewer words than an input space for BF attacks, which means less time spent but also the possibility of not having the password searched. Lines of characters are grabbed sequentially for subsequent processes of hashing and comparison of values. Some wordlists are available online, constructed, distributed, and updated by multiple attackers, and sometimes are adapted for specials targets.

In addition to look for whole-words in passwords, crackers also search for other patterns such as character substitutions (e.g., p@55word) and additions (e.g., PassWord123), and predictable compositions and distributions besides fashionable passwords.

Other methods

Mixing BF with the dictionary attack we would get a hybrid attack, that means, using a wordlist as a base to then take each entry and check for some possible permutations (e.g., adding prefixes or suffixes).

We can also have Rainbow tables. Instead of using words it directly employs hashes. So, the time required for computing the hash is saved, but this technique needs large storage space (although powerful compression schemes have been reported) and, besides, if you have to create the table, well, that’s a lot of time. Websites like RainbowCrack can help with some of those files.

As a next step for advancing in password cracking, and related with the computing resources, there’s the GPU-based cracking (with a performance 5-20 times that of CPU). This allows us to make massively parallel calculations, increasing significantly the speed to complete an attack.

Tools

Hoping you’re not interested in password cracking for malevolent purposes, here’s a list with some cracking software:

Check your passwords!

At Fluid Attacks we’re interested in IT security, and as Julian Arango said once:

"we know that information security is more than just focusing on software and IT infrastructure: it is about how we behave".

Hence, consider the following recommendations:

Being aware of the threat of password cracking is a good way to start to make rational decisions, and to protect your personal information. As a user, you can now be more cautious with your passwords, making them stronger, to avoid that crackers take power over them in short time and with little effort.

Specifically, try to be less predictable when choosing the elements that constitute a password. You can substitute some letters with numbers and add special characters, arbitrarily capitalize some letters, and make the words longer and random enough. Don’t reuse passwords and make them unique, change them every few months, and practice them enough to avoid problems remembering.

Don’t forget that even if you’re not a 'big fish', you’re also a potential victim, and your password can be mine!

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.

Service status - Terms of Use - Privacy Policy - Cookie Policy