Password Cracking Basics 2.0
May 12, 2014
Phoenix TS Intern
Passwords are the keys to everything we keep private. They protect bank accounts, personal info on social media, email, and even client information for businesses. Why then is there a list of the ‘100 most used passwords’?
Recent events in cyber security, namely the Heartbleed virus, brought personal (and corporate) security issues to light. Several social media sites, such as Facebook and Pinterest, encouraged password resets and related tips. What users don’t understand though, is while the software protecting them should be impermeable, they human error defeats security features with poor passwords.
How Not to Create a Password
Usually, when it comes to sensitive information, companies insist upon including “a capital letter, lower case letter, number, symbol, and it must be 8 characters long” for passwords. It might seem annoying to create (and remember), but the time necessary to crack it jumps from a fraction of a second to thousands of years (for a regular PC). Which would you prefer? In case you’re curious, test your passwords crackability.
Follow the above tips, but for the sake of security, here’s what Not to do:
- Use your personal information (name, address, phone number, birthday, SSN).
- Include your significant other’s or your family’s personal information.
- Copy the same password more than once.
- Make your username and password the same.
- Use words that can be cracked by the Dictionary Attack.
- Save your list of passwords on a computer, mobile device, or post-it note.
How easy is password cracking?
A better question would be to ask how hard it was to crack your password. As our previous blog post on password cracking demonstrated, it’s not difficult to crack a password. Since the time when the original post published, newer cracking software has come out.
Hashcat and oclHashcat
Given the award of being the “Fastest password crackers in the World”, these recovery software’s run combinator, brute-force, mask, hybrid, and dictionary attacks.
An online password cracking service for penetration testers and network auditors. This service uses dictionary attacks for a simple fee.
A brute-force password cracker for Mac OS X. It also supports dictionary and incremental attacks.
A windows password cracker based on rainbow tables. The free service comes with a Graphical User Interface and can run on multiple platforms.
The Methodology of a Hacker
Hackers use a multitude of different attacks when it comes to password cracking. Below are just a few courtesy of the HashCat Wiki.
This type of attack is very similar to the dictionary attack. The only difference is that it combines multiple words together. For instance, if the words in the dictionary were “Phoenix”, “TS”, and “123”, the results would be any combination of those three words.
Similar to a brute-force attack, but more specific. With brute force, a “mixalpha-numeric” strategy is used and finds all of the upper-case, lower-case, and numeric combinations for a given rule. This could take several years. With a mask attack, hackers understand how people make passwords saving upper-case letters for the first position in a word. Configuring the attack this way reduces the time needed for the crack.
Permutation attacks are similar to dictionary attacks. It creates combinations for a certain group of letters and symbols (ex. ABC, CBA, BAC, CAB etc.). A Hybrid attack = brute-force + dictionary. You can replace a hybrid attack with a mask attack.