In a recent article about online security, we learned how to store passwords on websites and create strong ones. Although hackers cannot reverse hashing algorithms, they can use many techniques to crack passwords and gain access to your account.
If a hacker discovers your password, it can be used to steal your identity, gain access to other accounts, set up phishing attacks to trick you into handing over more sensitive information, install spyware on your devices, or sell your private data to brokers.
Read the first in this series of texts: Passwords: Understand their importance and how to store them
Creating long and unique passwords for all your accounts is the first step towards preventing online privacy breaches. However, it is essential to create strong passwords that are highly resistant to password cracking. Unfortunately, many people are unaware of the various techniques used by hackers to gain access to digital accounts, which poses a significant problem.
Password cracking refers to the act of discovering passwords that are stored on a computer system. Password cracking tools leverage computing power to help hackers discover passwords by either using trial and error methods or specific password-cracking algorithms. It is a common technique used by cybercriminals to gain unauthorized access to sensitive data and accounts.
The article will discuss popular methods of password cracking and how to protect against them, as password attacks become more sophisticated and diverse.
This may interest you: Authorisation via Facebook, Google, Github
Password cracking methods
You may have come across different tips on creating a strong password, but to truly comprehend what makes a password secure, it’s important to know how hackers attempt to crack passwords.
The first step in password cracking is to steal their hashes generated by a cryptographic hash function. Hackers can gain access to password repositories by exploiting software vulnerabilities.
Once you have your password hashes, all you need to do is choose the proper techniques and tools to crack them. While new methods of attacking our online privacy are being developed every day, today we’re going to take a look at the most common ways cybercriminals try to crack passwords:
Brute force attacks
A brute force attack is a tactic used to gain unauthorised access to individual accounts, as well as an organisation’s systems and networks. The attacker systematically tries every possible combination of letters, numbers, and symbols to discover a password until finding the right one. Typically, the attacker uses software to automate this process and run exhaustive password combinations in a much shorter time.
Dictionary attack
In this method, the hacker systematically types every word from the dictionary to crack the password. It is a type of brute force attack, but instead of presenting different combinations of symbols, numbers, and words, this method uses words found in a dictionary. So, if your password is a single dictionary word, there is a risk that your account is vulnerable to hacking.
Rainbow tables
When you create an account, your password is stored on a server in an encrypted form called a hash. Cybercriminals can try to crack the hash of your password to gain access to your account. To do this, they use rainbow tables – lists of pre-calculated hashes of possible password combinations. If a hacker knows the hash of your password, they can try to find it in the rainbow tables, eliminating the need to crack it. This method is more efficient because it doesn’t require the hacker to find the password itself. If the hash matches, the breach is successful.
Social engineering
Exploiting technical vulnerabilities is not the only way to crack passwords. Social engineering manipulates victims to get sensitive information, like banking details or account credentials.
Criminals often use social engineering to manipulate human instincts, instead of finding new ways to break into secure and advanced technology. It’s much easier to trick someone into revealing their password than it is to try cracking it.
Phishing
Phishing is a type of social engineering used to obtain sensitive information for cybercrime.
There are different types of phishing — email spoofing, URL spoofing, website spoofing, smishing, and more. Most often, this is done by email, phone, and SMS.
There are several types of attacks wherein the attacker impersonates a person from a legitimate organisation. They create a sense of curiosity, fear, or haste in the victim to trick them into revealing sensitive information such as identification details, financial and banking details, passwords, etc.
A typical example of a phishing scam is an email that falsely claims the recipient’s credit card has been blocked, creating a sense of urgency to log in and unblock it. The email includes links to fake websites that look like the real ones. If we click the link and enter our login details, all our personal information will be sent to the attacker. It is essential to be cautious and verify the authenticity of such emails before clicking on links or entering personal information.
Some signs that phishing can be recognised include too-good-to-be-real offers, generic email greetings, emails from unusual senders with hyperlinks and attachments, and contests with unrealistic or valuable prizes.
Check the security of your application?
{Web application security audit}
IT systems require constant monitoring and should be subject to periodic security audits.
A little practice – password cracking tests
It is important to understand how passwords can be cracked for computer systems by using a hash. Here are some examples of how it can be done and some tips for creating stronger passwords. Please note that these examples are not from actual data breaches. The passwords were cracked using a standard computer with default settings, and not using the more advanced hardware typically used by cybercriminals. HashCat was the tool used for cracking the passwords. This software is freely available and designed to quickly crack very complex passwords using brute force and dictionary attacks. Hashcat has two modes of operation – CPU and GPU based.
Test 1
Assuming that the access data to the accounts was leaked consisted only of numbers and contained a maximum of 6 characters (these could be access codes to the door, credit card PINs or account security). We also know that the hashes were generated using the SHA-1 function.
We can crack this type of data using the HashCat program with the brute force attack option using the following command:
hashcat64 –m100 -a 3 hash_1.txt -1 ?d ?1?1?1?1?1?1 -i -o cracked_1.txt
where:
hash_1.txt – the name of the input file;
-m100 – the type of SHA-1 hash function;
-a 3 – the type of attack as “brute force attack”;
-1 ?d – mask of characters in the range 0-9;
-i – turning on the mode increment of the mask;
?1?1?1?1?1?1 – defining the mask as a 6-character string of digits;
-o cracked_1.txt – the file name for the output;
Results obtained:
| ID | HASH | PLAINTEXT | BREAKING TIME | CPU TEMPERATURE | CPU PERCENTAGE UTILIZATION |
| 1 | 7110EDA4D09E062AA5E4A390B0A572AC0D2C0220 | 1234 | 0s | 56c | 3% |
| 2 | 011c945f30ce2cbafc452f39840f025693339c42 | 1111 | 0s | 56c | 25% |
| 3 | e575dccc71140754dd85beda5965b6a358150309 | 2022 | 0s | 56c | 0% |
| 4 | 0ebcdc7babc0de9a1d6c7d1c180bfcb8183fa492 | 2580 | 0s | 56c | 0% |
| 5 | 82517e6de979bb1ee47e35ec24261b2b26e30ae3 | 9371 | 0s | 56c | 0% |
| 6 | 697b2af641581a09d8eba2f33cdb255ddb55f22e | 9532 | 0s | 56c | 42% |
| 7 | 85786f17cc4bca8c0cdb82e596b7ae761b435c59 | 8264 | 0s | 56c | 52% |
| 8 | dea742e166979027ae70b28e0a9006fb1010e760 | 987654 | 0s | 56c | 52% |
| 9 | fdf8bc5814536f66012884e146a8887a44709a56 | 012345 | 0s | 56c | 63% |
Test 2
In this scenario, we assume that the system’s security policy permits 6-character passwords containing only letters and numbers, and that passwords are hashed using MD5.
hashcat64 –m0 -a 3 hash_2.txt -o cracked_2.txt
where:
hash_2.txt – the name of the input file;
-m0 – the type of MD5 hash function;
-a 3 – the type of attack as “brute force attack”;
-o cracked_1.txt – the file name for the output;
Results obtained:
| ID | HASH | PLAINTEXT | BREAKING TIME | CPU TEMPERATURE | CPU PERCENTAGE UTILIZATION |
| 1 | 1dc5ab404fa22f451d5d28e83b063a8d | Poland | 0s | 59c | 28% |
| 2 | d8578edf8458ce06fbc5bb76a58c5ca4 | qwerty | 0s | 58c | 40% |
| 3 | 96e79218965eb72c92a549dd5a330112 | 111111 | 1s | 60c | 63% |
| 4 | e10adc3949ba59abbe56e057f20f883e | 123456 | 0s | 60c | 25% |
| 5 | acbd9ab2f68bea3f5291f825416546a1 | Qwerty | 0s | 60c | 53% |
| 6 | e99a18c428cb38d5f260853678922e03 | abc123 | 0s | 61c | 84% |
| 7 | 6D932C406FA15164EE48FF5A52F81DAE | haslo1 | 1s | 64c | 54% |
Test 3
In the next task, it was necessary to use a dictionary attack. It’s relatively similar to a brute force attack, but this time we’re not checking individual letters, we’re checking dictionary words. The necessary information to create the password database was information about the form of initial passwords that the administrator set for each person (name_birth_year). To invoke the program I used the command:
hashcat64 -m1400 -a6 hash_3.txt path_to_wordlists ?d?d?d?d –-force -o cracked_3.txt
where:
hash_3.txt – the name of the input file;
-m1400 – the type of SHA-256 hash function;
-a 6 – attack type as plain:hex_plain;
-o cracked_3.txt – the file name for the output;
| ID | HASH | PLAINTEXT | BREAKING TIME | CPU TEMPERATURE | CPU PERCENTAGE UTILIZATION |
| 1 | c0e30cefefbe8fe857993089dc9baef5147f3893370d348ed3848c32c3ebe2f4 | aleksandra1990 | 5s | 57c | 37% |
| 2 | 540ce1070fad49265098767d9973cec7aee5f6cbf0c254af24223e27827bd286 | ania1963 | 8s | 58c | 40% |
| 3 | 546dac7fbd1f1681db204b26900d1d08b5de1077735c3d10a703a4e1fc10a3c4 | barbara1939 | 10s | 57c | 58% |
| 4 | 02c7b4cf45aa0bbf9303f34e03912b469027920d689fd0b20bff3a8c885182e0 | 1999 | 10s | 56c | 41% |
| 5 | 86c5fbb19829ddda62d2d7ae48591b3d1d287f13fc4487c8659f2804d2a497ea | adam1972 | 4s | 57c | 59% |
| 6 | 07bd4d21aa081ffc2d7904caf7721b617586dcb4c27a6d3dd0e16a59e45f6d39 | sylwia1954 | 10s | 57c | 39% |
Summary
A brute force attack can be used to crack any hash, but strong passwords that are too complex cannot be cracked within a single person’s lifetime. The speed of attacks is largely dependent on the computer components because despite the rapid development of hardware, we are still limited by them. It’s worth mentioning that the test attacks were done using short, weak passwords on a device with average parameters. However, cybercriminals can use specialized hardware or cloud resources that can provide them with much more computing power.
It’s possible to use certain websites and online tools to convert a hash back to plaintext, but they need to have the correct word and hash combination in their database. It’s important to avoid creating passwords that are easy to guess, such as common words or phrases, and instead choose a combination of numbers, lowercase and uppercase letters, and special characters. This is to prevent dictionary attacks which use common words and phrases to guess passwords.
It is unfortunate that many people tend to use the same password for different accounts, resulting in multiple users having the same hash. This increases the risk of a hacker gaining access to several accounts if they manage to crack one hash. It is important to note that the number of hashes a hacker needs to crack is much less than the number of users, making it easier for them to gain unauthorized access.
A strong password can mitigate the risk of unauthorized access to our account. However, even a highly randomized password, consisting of lowercase and uppercase letters, numbers, and special characters, may not be enough if you don’t keep it secure. In the next article, we will talk about good practices related to secure password management and look at the real threats that can arise from a breach of our account.
Looking to start a project or enhance your application’s security?
Schedule a free consultation with us to identify the best way to get started and potential areas of support.
