One of the biggest security threats is password cracking. Are you an IT system administrator concerned about the security of your organization’s data?
In this article, we’ll provide an overview of password cracking, discuss the importance of strong passwords, and detail the top 5 password cracking techniques hackers use.
We’ll also provide real-world examples of password-cracking attacks and their impact, along with recommendations for enhancing password security.
Whether you’re a seasoned IT professional or just getting started, you need to understand these password cracking techniques to help better secure your organization’s data.
What Goes Into Cracking a Password
Many users may have seen password cracking portrayed in movies as a quick and impressive feat. In reality, it is far less flashy and potentially much more time-consuming, according to this 2022 Hive report. Password cracking typically involves brute-forcing a password using various methods.
To understand password cracking, you must first understand how passwords are stored. There are two primary ways to store passwords: encryption and hashing.
Encryption transforms plaintext into reversible ciphertext, which allows password managers to store and display the original plaintext password.
On the other hand, hashing is the typical method used for storing passwords for online services.
Since service operators don’t need to reverse passwords, only to verify they are correct, passwords are hashed. Hash algorithms convert plaintext values into ciphertext in a one-way process.
Before attempting to crack a password, an attacker must retrieve the ciphertext value, often through man-in-the-middle attacks, hacked credential databases, or phishing attempts.
Ultimately, the attacker can begin their work once the ciphertext value has been obtained, typically as a hash value.
Password Cracking Techniques & Tools of the Trade
Once an attacker has obtained the hash, the next step is to crack the password. Most password-cracking techniques involve brute-forcing the password, but there are ways to make this process more efficient and straightforward.
Sometimes, the only way to find a password is to attempt every possible combination of letters, numbers, and symbols. If the password is random, many other techniques to make the job easier may not work.
This approach is the least efficient, but it may be the only option when all else fails.
An attacker may use a computer or a cluster of computers to attempt every possible variation. The longer the password, the more difficult and time-consuming the cracking process becomes.
As an example of cracking times, here are some recent findings from the 2023 Hive report on how long passwords with lowercase and uppercase letters versus more complex passwords (i.e., numbers, upper and lowercase letters, and symbols in an MD5 hash) take to crack.
Since hashing algorithms are publicly known, it is possible to create massive lists of pre-computed password hashes that a stolen hash can be compared against. Instead of generating a new hash for every variation, look up the stolen hash against a table to see if it matches.
There are many different hash methods and near-infinite password variations, which can quickly make tables like this very difficult to manage and store. A technique known as password salting can also throw a wrench in this approach. If the server adds random values to the front and end of a hash (values known only to the server), then the resulting hashes won’t match known values anymore.
To make brute-forcing a password easier, attackers can use dictionaries of common words and phrases, company names, sports teams, etc. This narrows down the list of potential password choices.
In the past, users were recommended to change their password often (e.g., every 90 days) and to use complex passwords.
But this led to users choosing passwords like !yoda2023#, which makes the job of a password cracker easier. Once the base word, yoda, is guessed through a dictionary attack, trying a few different symbols and numbers can quickly crack the password.
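The defensive counterpart of this observation is a password-change check that strips the decorations and rejects passwords built on a banned base word. The sketch below is an added example, not code from the article or from any product it mentions; the banned-word list, the substitution table and the function names are constructed for illustration.

```python
import re

# Constructed sample list; in practice this is a custom dictionary plus a
# breached-password list.
BANNED_BASE_WORDS = {"yoda", "password", "welcome", "acme"}
MIN_LENGTH = 12  # minimum length mentioned in the article's recommendations
# Common character substitutions to undo before matching.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})
EDGE_DECORATION = re.compile(r"^[^a-z]+|[^a-z]+$")


def candidates(password: str) -> set:
    """Normalized forms of the password with decorations removed."""
    lowered = password.lower()
    return {
        EDGE_DECORATION.sub("", lowered).translate(LEET),  # "!yoda2023#" -> "yoda"
        EDGE_DECORATION.sub("", lowered.translate(LEET)),  # "@dmin1" -> "adminl"
    }


def check_password(password: str) -> list:
    """Return policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    forms = candidates(password)
    hits = sorted(w for w in BANNED_BASE_WORDS if any(w in f for f in forms))
    if hits:
        problems.append("built on banned base word: " + ", ".join(hits))
    return problems


if __name__ == "__main__":
    for pw in ["!yoda2023#", "P@ssw0rd!2024xx", "correct horse battery staple"]:
        print(repr(pw), "->", check_password(pw) or "accepted")
```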
In the image below you can see the top 5 Star Wars themed base terms that are used in compromised passwords.
A more advanced form of a dictionary attack is the Markov chain attack. This involves a statistical analysis of a list of words stored in a table and used to calculate the probability of character placement in a brute-force attack.
Users commonly use the same root password across multiple services. If one password is broken on a service, an attacker can quickly try that same password or variations on other services to which the user may have access.
In this technique, known as credential stuffing, attackers try the cracked password on multiple services instead of trying different passwords on the same service. This can result in all of the user’s services being compromised.
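From the point of view of a single service, this shows up in authentication logs as one source failing once or twice against many different accounts, which is distinguishable from repeated guessing against one account. The detection sketch below is an added example, not part of the original article; the log format, thresholds and addresses (documentation ranges) are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample auth log; the line format is an assumption for this example.
SAMPLE_LOG = "\n".join(
    [f"2024-05-01T10:00:{i:02d}Z result=fail src=203.0.113.7 user={u}"
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    + [f"2024-05-01T10:05:{i:02d}Z result=fail src=198.51.100.23 user=alice"
       for i in range(6)]
    + ["2024-05-01T10:09:00Z result=fail src=192.0.2.10 user=bob",
       "2024-05-01T10:09:20Z result=ok src=192.0.2.10 user=bob"]
)
LINE = re.compile(r"result=(?P<result>\w+) src=(?P<src>\S+) user=(?P<user>\S+)")


def classify_sources(log_text, min_users=5, max_tries_per_user=2, min_guesses=5):
    """Map each suspicious source address to the failure pattern it shows."""
    failures = defaultdict(lambda: defaultdict(int))  # src -> user -> count
    for line in log_text.splitlines():
        m = LINE.search(line)
        if m and m["result"] == "fail":
            failures[m["src"]][m["user"]] += 1

    findings = {}
    for src, per_user in failures.items():
        users, busiest = len(per_user), max(per_user.values())
        if users >= min_users and busiest <= max_tries_per_user:
            # Many accounts, one or two tries each: reused credentials replayed.
            findings[src] = "credential stuffing"
        elif users == 1 and busiest >= min_guesses:
            # One account, many tries: different passwords on the same account.
            findings[src] = "single-account guessing"
    return findings


if __name__ == "__main__":
    for src, label in classify_sources(SAMPLE_LOG).items():
        print(src, "->", label)
```

The single failed login followed by a success from 192.0.2.10 is deliberately left unflagged, since it matches an ordinary mistyped password.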
Weak (Insecure) Password Hashes
Of course, not all password hashing schemes are created equal. As technology evolves, what was once considered secure may no longer be so. This is true for hash algorithms like MD5 or SHA-1, which can be cracked quickly.
A system that stores user password hashes with one of these algorithms could have its entire database cracked quickly.
Modern systems recommend more secure algorithms, such as bcrypt, which uses salted password hashes.
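The following added example (not from the original article) ties together the precomputed-table discussion and this section: an unsalted MD5 hash is found in a lookup table, while a salted, iterated PBKDF2 record of the same password is not. It assumes a fresh random salt per stored password passed to PBKDF2; the word list, iteration count and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample: a tiny "precomputed table" of unsalted MD5 hashes.
COMMON = ["password", "letmein", "yoda2023", "qwerty"]
LOOKUP = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON}
ITERATIONS = 200_000  # assumption: work factor picked for this example


def store_unsalted_md5(password: str) -> str:
    """Weak scheme: a bare MD5 digest, identical for every user of a password."""
    return hashlib.md5(password.encode()).hexdigest()


def store_pbkdf2(password: str) -> dict:
    """Salted, iterated scheme: a fresh random salt for each stored password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "digest": digest}


def verify_pbkdf2(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


def table_hit(stored_hex: str):
    """Return the plaintext if the stored hash is in the precomputed table."""
    return LOOKUP.get(stored_hex)


if __name__ == "__main__":
    weak = store_unsalted_md5("yoda2023")
    strong = store_pbkdf2("yoda2023")
    print("unsalted MD5 table lookup:", table_hit(weak))
    print("salted PBKDF2 table lookup:", table_hit(strong["digest"].hex()))
    print("legitimate login still verifies:", verify_pbkdf2("yoda2023", strong))
```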
Password Cracking Tools
Though the techniques themselves are essential to know, many password crackers rely on readily available tools.
Though three standard tools are listed below, many more are available. All of the below are open-source and community-developed, which means they are ever-evolving.
- John the Ripper – Supports hundreds of hash types across many applications and is available on multiple platforms.
- Hashcat – Works with the CPU and GPU to provide a high-speed command-line password-cracking tool supporting many hash types.
- Ophcrack – A tool based around rainbow tables focused on LM and NTLM passwords used in Windows environments.
Though these tools make it far easier to crack retrieved hashes, plenty of custom tools can be tailored to individual organizations. A robust and up-to-date password policy is vital to protecting an organization.
How Users Should Protect Themselves
With all the talk of password cracking, what should a user do to protect themselves? Modern security organizations such as NIST, through their 800-63B guidelines, now recommend the following:
- Ditch the regular password change requirements. Only change passwords if requested explicitly by a user or if a password has been breached.
- Decrease the arbitrary need for password complexity and focus on overall password length, such as a minimum of 12 characters.
- All new passwords must be compared against commonly used or previously compromised passwords.
- Do not reuse passwords across different services to avoid attacks such as credential stuffing.
- Use stronger password hashing. Increased hash security, such as PBKDF2 instead of MD5, means that even shorter passwords take far longer to crack.
Specops Password Policy: Keeping Organizations Safe
Cracking tools and techniques continue to become increasingly sophisticated and faster. To stay ahead of the curve, tools such as Specops Password Policy work hand-in-hand with Active Directory to ensure you are using the latest recommendations and following compliance requirements.
With features such as custom dictionaries, unique and customizable password policies, and powerful cracked password prevention with the Breached Password Protection add-on, Specops Password Policy goes a long way to keeping your organization safe.
Protecting Organizations Against Password Cracking
With the many tools and techniques available to password crackers, it’s no wonder that password breaches are regular occurrences.
Improve your security with tools such as Specops Password Policy and ensure your organization and users don’t fall victim to the many threat actors out there.
Stay ahead of the bad guys with securely designed password policies and root out previously cracked passwords with breached password detection!