So, how does password cracking work?
When you enter your original plaintext password into any application, a computer algorithm scrambles it into a unique string of randomised characters and numbers,known as a hash. This is designed to give you better security, but bad actors can still breach the application to uncover password hashes, and crack the original password. Here’s a simple diagram of how a password is hashed using the common (but thankfully almost obsolete – for reasons that will become apparent) hashing algorithm, MD5.
You can see the original plaintext password on the left and how MD5 scrambles this into a hash on the right. You’ll immediately notice that even though the yellow and green plaintext passwords only differ by one character (an exclamation mark), the hash string is completely different. This makes it incredibly difficult for a human to guess the original password.
How is a hash uncovered?
While all password hashes may appear unique, there’s one crucial flaw in their design. They’re considered a 1:1 process, meaning you’ll always return the same hash string for the same password. So in our example, ‘Password1’ will always resolve to the hash shown in yellow. If a bad actor targets the algorithm itself – like MD5 – they can find the password hashes and work backwards.
How is a hash converted into a plaintext password?
A password hash is an irreversible process – you can’t simply unscramble the characters. But if you know the hashing algorithm used, you can obtain hashes and try character combinations against them to crack the original plaintext password, or convert known passwords into hash strings. Bad actors use powerful computers equipped with high-end graphics cards – capable of performing thousands of calculations per second – to speed up this process. Here are just a few password cracking techniques hackers use.
-
Wordlists
This is the most widely-used technique, involving lists of common passwords or words associated with the target. These could include their company name, location, family members, pets or important dates. Once the attacker has built a list of words, they feed it into a password recovery tool, like Hashcat. This converts the plaintext passwords into hashes (much like our MD5 example), which can then be compared to the target hash. Whatever tool is used to hash passwords, the same plaintext string put through the algorithm will result in the same hash. Attackers favour this method for evaluating large sets of stolen hashes at once. And by using pre-configured wordlists, they’re more likely to obtain common passwords at a much quicker rate than by using other methods. However, an attacker will only be able to crack the passwords which exist in their wordlist. Rulesets can be used to speed up and simplify the password cracking process even more. This involves ‘mutating’ the passwords to check for common traits, like substituting characters for numbers (such as ‘O’ for ‘0’), adding symbols (such as ‘!’ at the end of a password) and using repetition (repeated characters or words). For example, in a wordlist that features the word ‘Apple’, a ruleset could be applied to try variations of the same word:a. Apple123!
b. AppleApple
c. Appl3 - Brute-force
This technique involves attempting every possible combination of characters, numbers, and symbols up to a specified character length. For example, if an attacker wanted to crack all hashes that used a password of four characters, the hacker could use an algorithm to go through the entire alphabet: aaaa, aaab, aaac etc. Hackers can go a step further than this, though. By checking the application’s password policy, they can determine the minimum length of a given password, and whether any numbers or special characters are needed. They can then feed this into their password cracking tool to try these in different combinations with more efficiency, ultimately reducing the time needed to crack the hash of any given password. Due to the sheer amount of time and computer power needed for this method, it’s not as frequently used as others. Because of this, bad actors typically use brute-force as part of a focused attack, or against a specific user or account.
- Rainbow tables
Rainbow tables are lists of known passwords and their corresponding hashes, allowing an attacker to quickly compare them without having to calculate them. Although it’s a quick and easy way to crack a password, tighter security controls in applications mean rainbow tables are becoming less practical. Password salting adds a unique string or ‘salt’ to each password before it’s hashed. This adds complexity by lengthening the hash and making it unpredictable, so it’s significantly more difficult to crack. It also makes the password less likely to appear in a wordlist or rainbow table, meaning an attacker would need even more time to brute-force the password.
How fast can a password be cracked?
According to Tech Republic: ‘’A seven-character complex password could be cracked in 31 seconds, while one with six or fewer characters could be cracked instantly. Shorter passwords with only one or two character types, such as only numbers or lowercase letters, or only numbers and letters, would take just minutes to crack.’’
How can we make hashing algorithms stronger?
As technology and computer power has progressed, so have hashing algorithms. MD5 was one of the first to be developed, and can now be cracked by most smartphones in a matter of seconds. This means hashing algorithms have needed to grow stronger, more complex, and most importantly, more resource (and time) intensive, to slow down the rate at which hashes can be computed.
In recent years, we’ve seen the development of SHA-1 or Secure Hash Algorithm 1, later replaced by SHA-2. Though SHA-2 is currently considered secure, eventually it will be deemed weak in comparison to advancing technology.
How can I protect against password cracking?
Part of this is the plaintext password you create (we’ll cover this separately). But there’s also a lot to be said about the hashing algorithms your applications use.
We’d advise:
- Ensuring your application is secure enough to prevent an attacker from gaining access to the backend database that may contain its user’s password hashes.
- Using the latest and most secure hashing algorithm to hash all passwords, particularly those with salting built in.
- Potentially moving away from hashing algorithms to a Key Derivation Function (KDF), which can be used to safely store passwords, or an OWASP-recommended hashing algorithm, such as Argon2ID or BCrypt. Both of these solutions are designed to require significant memory and computer power to generate, which in turn increases the amount of time needed to crack them.
- Enabling Multi-Factor Authentication (MFA) on all your accounts to reduce the risk of them being compromised, even if your password is cracked. You could also consider offloading the authentication mechanism of your application to a third-party provider, such as OAuth (Open Authorisation).
How do I choose a strong password?
When it comes to secure passwords, there’s lots to be aware of – particularly what might be easy to crack, and common passwords to avoid that appear in wordlists (you can see an example of one here). It’s best to use unpredictable passwords and a unique one for every application.
Other tips include:
- Never writing down or sharing your passwords
- Never recycling the same password or using different variations
- Avoiding quick and easy traps, like adding ‘!’ to passwords or swapping letters for numbers
- Creating ‘passphrases’ (sentences) rather than single ‘passwords’
- Using a password manager like 1Password, KeePass or BitWarden to generate and store your more secure, complex passwords
Remember, there’s no need to change a password unless your account is compromised or your password is weak or predictable. It’s actually considered bad practice to frequently change passwords as it can make them weaker, or more prone to be recycled, as the user invariably tends to reuse their ‘old’ password with only minor changes to the ‘new’ version, making it easy to guess by a bad actor. We’ve covered some other tips for secure passwords in this dedicated blog.
How do I know if my password has been compromised?
You’ll often hear about big hacks in the media, but don’t rely on the news alone. Checking free resources like haveibeenpwned – set up by Microsoft Regional Director, Troy Hunt – can reveal whether your email address has been compromised in a data breach.
How can CovertSwarm help make me more secure?
We help stop hackers in their tracks through a combination of red teaming, penetration testing and ethical hacking. In other words – we find the same vulnerabilities and holes that a bad actor would exploit, then hand the information over to you, so you can take swift action. And through our subscription model, we’re relentless in our approach, meaning we go deeper and wider than anyone else to keep your data safe.
To find out what we do, book a demo or training, or call in our Swarm, get in touch today.