Caution! Your Password Can Be MineA very short introduction to password cracking
Passwords are currently the most popular authentication method in computer systems and IT, and can serve as protection of our private information in email and bank accounts, social networks, and many other apps.
If someone obtains your passwords, for example, you could lose important information or even lose a considerable amount of money. And, believe or not —while it’s true that some applications disregard security measures—, the fault is partly yours!
Before we talk about password cracking, keep this in mind, there are some different ways to store passwords on systems:
The plaintext method is to store the password identically as entered.
The encryption method combines the password with another secret key; it’s like storing the password protected by another one.
The hashing method depends on a complex formula that modifies plaintext and produces a hash. Let’s talk about it.
Let’s say that we’ve created a password for our email account, and that password is December (brilliant, right?). This set of characters is our plaintext, the input for the hashing method. This method employs a cryptographic hash function —a one-way mathematical operation— and gives us a hash as an output.
But what is a hash? It’s a fixed-lenght ciphertext, and an arbitrary block of data. Look at this image:
And what does one-way mean? Well, you can’t easily go back to the plaintext (just reverse the formula) having only the hash.
Thus, with a specific plaintext, using a particular hash function, we get just one specific hash, not two, the same each time. Further, the same hash is never produced by two different inputs (although…), and minimal changes in inputs generate substantial alterations in outputs.
So, for our email account employing the password December the hash value is stored. When we log in again, the system will use the hash function, and the output will be compared with the stored hash value. Our authentication will be successful if those hash values are equal.
It’s in relation to those hashes that, in general terms, we describe the password cracking.
Password cracking is based on the use of different techniques and tools to guess passwords. Sometimes it can be used to recover lost passwords or to test users' passwords within an organization but most commonly it can operate as an illicit activity.
In this process, employing a cracking software, we take the possible strings of characters and, with the hashing algorithm used for the password, convert them into hashes. Then we compare them with the hash that corresponds to the password.
Password cracking can be done both online and offline.
Online attacks take place with the constant protection of the system attacked, and use its login mechanisms, that’s why they’re easy to detect. After some failed attempts, the game is over for the cracker, and the account is locked up.
Offline attacks depend primarily on someone’s ability to break system security and obtain sets of hashes from databases. While there’s no active defense, attackers can try with as many passwords as they want and as long as they think necessary.
Here are some of the best-known methods:
Brute force (BF) attack, since the early 1990s, has been an exhaustive method that takes for evaluation all possible combinations of characters that can be part of the password to be found. BF can become difficult and tedious considering the size of the search space and the time it would take the system according to its processing power.
In summary, the attacker must guide the system to a one-by-one comparison of hashes, testing millions of passwords, and that’s why this option is not the best when time is short. Although it is recognized that today’s advanced fast processors, and supplementary probability methods, give an advantage to this meticulous technique.
Dictionary attacks use prearranged wordlists with fewer words than an input space for BF attacks, which means less time spent but also the possibility of not having the password searched. Lines of characters are grabbed sequentially for subsequent processes of hashing and comparison of values. Some wordlists are available online, constructed, distributed, and updated by multiple attackers, and sometimes are adapted for specials targets.
In addition to look for whole-words in passwords, crackers also search for other patterns such as character substitutions (e.g., p@55word) and additions (e.g., PassWord123), and predictable compositions and distributions besides fashionable passwords.
Mixing BF with the dictionary attack we would get a hybrid attack, that means, using a wordlist as a base to then take each entry and check for some possible permutations (e.g., adding prefixes or suffixes).
We can also have Rainbow tables. Instead of using words it directly employs hashes. So, the time required for computing the hash is saved, but this technique needs large storage space (although powerful compression schemes have been reported) and, besides, if you have to create the table, well, that’s a lot of time. Websites like RainbowCrack can help with some of those files.
As a next step for advancing in password cracking, and related with the computing resources, there’s the GPU-based cracking (with a performance 5-20 times that of CPU). This allows us to make massively parallel calculations, increasing significantly the speed to complete an attack.
Check your passwords!
At Fluid Attacks we’re interested in IT security, and as Julian Arango said once:
Hence, consider the following recommendations:
Being aware of the threat of password cracking is a good way to start to make rational decisions, and to protect your personal information. As a user, you can now be more cautious with your passwords, making them stronger, to avoid that crackers take power over them in short time and with little effort.
Specifically, try to be less predictable when choosing the elements that constitute a password. You can substitute some letters with numbers and add special characters, arbitrarily capitalize some letters, and make the words longer and random enough. Don’t reuse passwords and make them unique, change them every few months, and practice them enough to avoid problems remembering.
Don’t forget that even if you’re not a big fish, you’re also a potential victim, and your password can be mine!