A brief note - this article is about the theory of how to crack passwords. Understanding how cybercriminals execute attacks is extremely important for understanding how to secure systems against those types of attacks.
Attempting to hack a system you do not own is likely illegal in your jurisdiction (plus hacking your own systems may [and often does] violate any warranty for that product).
Let's start with the basics. What is a brute force attack?
This type of attack involves repeatedly trying to log in as a user by trying every possible letter, number, and character combination (using automated tools).
This can be done either online (so in real-time, by continually trying different username/password combinations on accounts like social media or banking sites) or offline (for example if you've obtained a set of hashed passwords and are trying to crack them offline).
Offline isn't always possible (it can be difficult to obtain a set of hashed passwords), but it is much less noisy. This is because a security team will probably notice many, many failed login attempts on the same account, but if you can crack the password offline, you won't have a record of failed login attempts.
This is relatively easy with a short password. It becomes exponentially more difficult with a longer password because of the sheer number of possibilities.
For example, if you know that someone is using a 5 character long password, composed only of lowercase letters, the total number of possible passwords is 26^5 (26 possible letters to choose from for the first letter, 26 possible choices for the second letter, etc.), or 11,881,376 possible combinations.
But if someone is using an 11 character password, only of lowercase letters, the total number of possible passwords is 26^11, or 3,670,344,486,987,776 possible passwords.
When you add in uppercase letters, special characters, and numbers, this gets even more difficult and time consuming to crack. The more possible passwords there are, the harder it is for someone to successfully login with a brute force attack.
How to protect yourself
This type of attack can be defended against in a couple of different ways. First, you can use sufficiently long, complex passwords (at least 15 characters). You can also use unique passwords for each account (use a password manager!) to reduce the danger from data breaches.
A security team can lock out an account after a certain number of failed login attempts.
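How that lockout, and the "noisy" online guessing described earlier, can be spotted in authentication events, as an added example that is not from the original article. The log format, thresholds and all names are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): "<timestamp> <result> user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 FAIL user=alice src=203.0.113.7
2024-05-01T10:00:10 FAIL user=alice src=203.0.113.7
2024-05-01T10:00:20 FAIL user=alice src=203.0.113.7
2024-05-01T10:00:30 FAIL user=bob src=198.51.100.20
2024-05-01T10:00:40 FAIL user=alice src=203.0.113.7
2024-05-01T10:00:50 FAIL user=alice src=203.0.113.7
2024-05-01T10:01:00 OK user=bob src=198.51.100.20
2024-05-01T10:05:00 FAIL user=carol src=198.51.100.9
2024-05-01T10:05:05 FAIL user=dave src=198.51.100.9
2024-05-01T10:05:10 FAIL user=erin src=198.51.100.9
2024-05-01T10:05:15 FAIL user=frank src=198.51.100.9
2024-05-01T11:30:00 FAIL user=bob src=198.51.100.20
"""

MAX_FAILURES = 5                 # assumed lockout threshold per account
WINDOW = timedelta(minutes=10)   # assumed sliding window for counting failures
SPRAY_ACCOUNTS = 4               # assumed: distinct accounts failing from one source


def parse_line(line):
    """Split one event line into (timestamp, result, user, source)."""
    ts, result, user_kv, src_kv = line.split()
    return (datetime.fromisoformat(ts), result,
            user_kv.partition("=")[2], src_kv.partition("=")[2])


def analyse(log_text):
    """Return ({locked_user: time}, {flagged_source: time}) for the events."""
    fails_by_user = defaultdict(deque)   # user -> timestamps of recent failures
    fails_by_src = defaultdict(deque)    # source -> (timestamp, user) of recent failures
    locked, flagged = {}, {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, result, user, src = parse_line(line)
        if result == "OK":
            # A successful login clears the counter unless the account is locked.
            if user not in locked:
                fails_by_user[user].clear()
            continue

        # Per-account rule: many failures on one account inside the window.
        recent = fails_by_user[user]
        recent.append(ts)
        while ts - recent[0] > WINDOW:
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            locked.setdefault(user, ts)

        # Per-source rule: one source failing against many different accounts.
        # Each account stays under MAX_FAILURES, so lockout alone would miss it.
        by_src = fails_by_src[src]
        by_src.append((ts, user))
        while ts - by_src[0][0] > WINDOW:
            by_src.popleft()
        if len({u for _, u in by_src}) >= SPRAY_ACCOUNTS:
            flagged.setdefault(src, ts)
    return locked, flagged


if __name__ == "__main__":
    locked, flagged = analyse(SAMPLE_LOG)
    for user, when in locked.items():
        print(f"lock account {user} at {when.isoformat()}")
    for src, when in flagged.items():
        print(f"flag source {src} at {when.isoformat()}")
```

The second rule matters because a source that tries one or two guesses against each of many accounts never trips a per-account lockout.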
Here's an article on how to execute a brute force attack.
How can you crack passwords faster?
A dictionary attack involves repeatedly trying to log in with a number of combinations included in a precompiled 'dictionary', or list of combinations.
This is usually faster than a brute force attack because the combinations of letters and numbers have already been computed, saving you time and computing power.
But if the password is sufficiently complex (for example 1098324ukjbfnsdfsnej) and doesn't appear in the 'dictionary' (the precompiled list of combinations you're working from), the attack won't work.
It is frequently successful because, often when people choose passwords, they choose common words or variations on those words (for example, 'password' or '[email protected]').
A hacker might also use this type of attack when they know or guess a part of the password (for example, a dog's name, children's birthdays, or an anniversary - information a hacker can find on social media pages or other open source resources).
Similar protection measures to those described above against brute force attacks can prevent these types of attacks from being successful.
What if you already have a list of hashed passwords?
Passwords are stored in the /etc/shadow file for Linux and C:\Windows\System32\config file for Windows (which are not available while the operating system is booted up).
If you've managed to get this file, or if you've obtained a password hash in a different way such as sniffing traffic on the network, you can try 'offline' password cracking.
Whereas the attacks above require trying repeatedly to log in, if you have a list of hashed passwords, you can try cracking them on your machine, without setting off alerts generated by repeated failed login attempts. Then you only try logging in once, after you've successfully cracked the password (and therefore there's no failed login attempt).
You can use brute force attacks or dictionary attacks against the hash files, and may be successful depending on how strong the hash is.
Wait a minute - what's hashing?
Recognize this message? It says 'Hi my name is megan'
This one is the first paragraph of this article. Yes, it looks like nonsense, but it's actually a 'hash'.
A hash function allows a computer to input a string (some combination of letters, numbers, and symbols), take that string, mix it up, and output a fixed length string. That's why both strings above are of the same length, even though the strings' inputs were very different lengths.
Hashes can be created from nearly any digital content. Basically all digital content can be reduced to binary, or a series of 0s and 1s. Therefore, all digital content (images, documents, etc.) can be hashed.
There are many different hashing functions, some of which are more secure than others. The hashes above were generated with MD5 (MD stands for "Message Digest"). Different functions also differ in the length of hash they produce.
The same content in the same hash function will always produce the same hash. However, even a small change will alter the hash entirely. For example,
Is the hash for 'Hi my name is Megan' Just capitalizing the M in Megan completely changed the hash from above.
Hashes are also one-way functions (meaning they can't be reversed). This means that hashes (unique and one-way) can be used as a type of digital fingerprint for content.
What's an example of how hashes are used?
Hashes can be used as verification that a message hasn't been changed.
When you send an email, for example, you can hash the entire email and send the hash as well. Then the recipient can run the received message through the same hash function to check if the message has been tampered with in transit. If the two hashes match, the message hasn’t been altered. If they don’t match, the message has been changed.
Also, passwords are usually hashed when they're stored. When a user enters their password, the computer computes the hash value and compares it to the stored hash value. This way the computer doesn’t store passwords in plaintext (so some nosy hacker can't steal them!).
If someone is able to steal the password file, the data is useless because the function can’t be reversed (though there are ways, like rainbow tables, to figure out what plaintext creates the known hash).
What's the problem with hashes?
If a hash can take data of any length or content, there are unlimited possibilities for data which can be hashed.
Since a hash converts this text into a fixed length content (for example, 32 characters), there are a finite number of combinations for a hash. It is a very very large number of possibilities, but not an infinite one.
Eventually two different sets of data will yield the same hash value. This is called a collision.
If you have one hash and you're trying to go through every single possible plaintext value to find the plaintext which matches your hash, it will be a very long, very difficult process.
However, what if you don't care which two hashes collide?
This is called the 'birthday problem' in mathematics. In a class of 23 students, the likelihood of someone having a birthday on a specific day is around 7%, but the probability that any two people share the same birthday is around 50%.
The same type of analysis can be applied to hash functions in order to find any two hashes which match (instead of a specific hash which matches the other).
To avoid this, you can use longer hash functions such as SHA3, where the possibility of collisions is lower.
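The birthday analysis above, worked through as an added example that is not part of the original article: the exact shared-birthday probability, and a search for any two colliding inputs on a hash deliberately truncated to 24 bits so that it finishes instantly. The truncation, the message format and the function names are assumptions for illustration; the point is how digest length sets the cost.

```python
import hashlib
import math


def shared_birthday_probability(people, days=365):
    """Probability that at least two of `people` share a birthday."""
    p_all_different = 1.0
    for i in range(people):
        p_all_different *= (days - i) / days
    return 1.0 - p_all_different


def truncated_digest(data, bits):
    """First `bits` bits of SHA-256, standing in for a short hash function."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def find_any_collision(bits):
    """Hash distinct messages until any two share a truncated digest.

    Returns (first_message, second_message, hashes_computed).
    """
    seen = {}
    counter = 0
    while True:
        message = b"message-%d" % counter
        digest = truncated_digest(message, bits)
        if digest in seen:
            return seen[digest], message, counter + 1
        seen[digest] = message
        counter += 1


def expected_hashes_for_collision(bits):
    """Birthday bound: about sqrt(pi/2 * 2^bits) hashes until some pair collides.

    Matching one specific digest instead takes on the order of 2^bits hashes.
    """
    return math.sqrt(math.pi / 2 * 2 ** bits)


if __name__ == "__main__":
    print(f"23 people, any shared birthday: {shared_birthday_probability(23):.1%}")
    first, second, used = find_any_collision(24)
    print(f"24-bit collision after {used} hashes: {first!r} and {second!r}")
    print(f"birthday bound for 24 bits: {expected_hashes_for_collision(24):,.0f} "
          f"(a specific digest would need about {2 ** 24:,})")
    for bits in (128, 256, 512):
        print(f"{bits}-bit digest: about 2^{math.log2(expected_hashes_for_collision(bits)):.1f} "
              "hashes for any collision")
```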
You can try generating your own hashes for SHA3 here and MD5 here.
You can try to brute force hashes, but it takes a very long time. The faster way to do that is to use pre-computed rainbow tables (which are similar to dictionary attacks).
It seems really easy to get hacked. Should I be concerned?
The most important thing to remember about hacking is that no one wants to do more work than they have to do. For example, brute forcing hashes can be extremely time consuming and difficult. If there's an easier way to get your password, that's probably what a nefarious actor will try first.
That means that enabling basic cyber security best practices is probably the easiest way to prevent getting hacked. In fact, Microsoft recently reported that just enabling 2FA will end up blocking 99.9% of automated attacks.
Popular password cracking tools
What is Password Cracking?
Password cracking is the process of attempting to gain unauthorized access to restricted systems using common passwords or algorithms that guess passwords. In other words, it’s the art of obtaining the correct password that gives access to a system protected by an authentication method.
Password cracking employs a number of techniques to achieve its goals. The cracking process can involve either comparing stored passwords against a word list or using algorithms to generate passwords that match.
In this tutorial, we will introduce you to the common password cracking techniques and the countermeasures you can implement to protect systems against such attacks.
What is password strength?
Password strength is the measure of a password’s ability to resist password cracking attacks. The strength of a password is determined by:
- Length: the number of characters the password contains.
- Complexity: does it use a combination of letters, numbers, and symbols?
- Unpredictability: is it something that can be guessed easily by an attacker?
Let’s now look at a practical example. We will use three passwords namely
For this example, we will use the password strength indicator of cPanel when creating passwords. The images below show the password strengths of each of the above-listed passwords.
Note: the password used is password; the strength is 1, and it’s very weak.
Note: the password used is password1; the strength is 28, and it’s still weak.
Note: the password used is #password1$; the strength is 60, and it’s strong.
The higher the strength number, the better the password.
Let’s suppose that we have to store the above passwords as MD5 hashes. We will use an online MD5 hash generator to convert our passwords into MD5 hashes.
The table below shows the password hashes
|Password||MD5 Hash||Cpanel Strength Indicator|
We will now use http://www.md5this.com/ to crack the above hashes. The images below show the password cracking results for the above passwords.
As you can see from the above results, we managed to crack the first and second passwords that had lower strength numbers. We didn’t manage to crack the third password which was longer, complex and unpredictable. It had a higher strength number.
Password cracking techniques
There are a number of techniques that can be used to crack passwords. We will describe the most commonly used ones below;
- Dictionary attack – This method involves the use of a wordlist to compare against user passwords.
- Brute force attack – This method is similar to the dictionary attack. Brute force attacks use algorithms that combine alpha-numeric characters and symbols to come up with passwords for the attack. For example, a password of the value “password” can also be tried as [email protected]$$word using the brute force attack.
- Rainbow table attack – This method uses pre-computed hashes. Let’s assume that we have a database which stores passwords as md5 hashes. We can create another database that has md5 hashes of commonly used passwords. We can then compare the password hash we have against the stored hashes in the database. If a match is found, then we have the password.
- Guess – As the name suggests, this method involves guessing. Passwords such as qwerty, password, admin, etc. are commonly used or set as default passwords. If they have not been changed or if the user is careless when selecting passwords, then they can be easily compromised.
- Spidering – Most organizations use passwords that contain company information. This information can be found on company websites, social media such as Facebook, Twitter, etc. Spidering gathers information from these sources to come up with word lists. The word list is then used to perform dictionary and brute force attacks.
Spidering sample dictionary attack wordlist:
1976 <founder birth year>
smith jones <founder name>
acme <company name/initials>
built|to|last <words in company vision/mission>
golfing|chess|soccer <founder's hobbies>
Password cracking tool
These are software programs that are used to crack user passwords. We already looked at a similar tool in the above example on password strengths. The website www.md5this.com uses a rainbow table to crack passwords. We will now look at some of the commonly used tools.
John the Ripper
John the Ripper uses the command prompt to crack passwords. This makes it suitable for advanced users who are comfortable working with commands. It uses a wordlist to crack passwords. The program is free, but the word list has to be bought. It has free alternative word lists that you can use. Visit the product website https://www.openwall.com/john/ for more information and how to use it.
Cain & Abel
Cain & Abel runs on Windows. It is used to recover passwords for user accounts, recover Microsoft Access passwords, sniff network traffic, etc. Unlike John the Ripper, Cain & Abel uses a graphical user interface. It is very common among newbies and script kiddies because of its simplicity of use. Visit the product website https://www.softpedia.com/get/Security/Decrypting-Decoding/Cain-and-Abel.shtml for more information and how to use it.
Ophcrack
Ophcrack is a cross-platform Windows password cracker that uses rainbow tables to crack passwords. It runs on Windows, Linux and Mac OS. It also has a module for brute force attacks among other features. Visit the product website https://ophcrack.sourceforge.io/ for more information and how to use it.
Password Cracking Counter Measures
An organization can use the following methods to reduce the chances of passwords being cracked:
- Avoid short and easily predictable passwords.
- Avoid using passwords with predictable patterns such as 11552266.
- Passwords stored in the database must always be encrypted. For MD5, it's better to salt the password hashes before storing them. Salting involves adding some word to the provided password before creating the hash.
- Most registration systems have password strength indicators; organizations must adopt policies that favor high password strength numbers.
Hacking Activity: Hack Now!
In this practical scenario, we are going to crack a Windows account with a simple password. Windows uses NTLM hashes to encrypt passwords. We will use the NTLM cracker tool in Cain and Abel to do that.
Cain and Abel cracker can be used to crack passwords using:
- Dictionary attack
- Brute force
We will use the dictionary attack in this example. You will need to download the dictionary attack wordlist here 10k-Most-Common.zip
For this demonstration, we have created an account called Accounts with the password qwerty on Windows 7.
Password cracking steps
- Open Cain and Abel, you will get the following main screen
- Make sure the cracker tab is selected as shown above
- Click on the Add button on the toolbar.
- The following dialog window will appear
- The local user accounts will be displayed as follows. Note the results shown will be of the user accounts on your local machine.
- Right click on the account you want to crack. For this tutorial, we will use Accounts as the user account.
- The following screen will appear
- Right click on the dictionary section and select Add to list menu as shown above
- Browse to the 10k most common.txt file that you just downloaded
- Click on start button
- If the user used a simple password like qwerty, then you should be able to get the following results.
- Note: the time taken to crack the password depends on the password strength, complexity and processing power of your machine.
- If the password is not cracked using a dictionary attack, you can try brute force or cryptanalysis attacks.
- Password cracking is the art of recovering stored or transmitted passwords.
- Password strength is determined by the length, complexity, and unpredictability of a password value.
- Common password techniques include dictionary attacks, brute force, rainbow tables, spidering and cracking.
- Password cracking tools simplify the process of cracking passwords.
Most popular password cracking techniques: learn how to protect your privacy
There are many ways to hack into an account. Password cracking is one of them; it involves using various computational and other methods to break through the password authentication step. We’ll be discussing various password cracking techniques in this article. Nowadays, you can even find specialized password cracking tools, which don’t have to be used only for ill purposes. But before we get down to details, let’s discuss what password cracking is.
What is password cracking?
Password cracking means recovering passwords from a computer or from data that a computer transmits. This doesn’t have to be a sophisticated method. A brute-force attack where all possible combinations are checked is also password cracking.
If the password is stored as plaintext, hacking the database gives the attacker all account information. However, now most passwords are stored using a key derivation function (KDF). This takes a password and runs it through a one-way encryption cipher, creating what’s known as a “hash.” The server stores the hash-version of the password.
It’s easy to try different hashed passwords at a high rate when using a GPU or botnet. That’s why most password hash functions use key stretching algorithms, which increase the resources (and, therefore, time) needed for a brute-force attack.
Some methods of password cracking become significantly more difficult if your password uses salting or key stretching. Unfortunately, there are still some services that store unencrypted or weakly-encrypted passwords on their servers.
Top-8 password cracking techniques used by hackers
Naturally, hackers want to use the easiest available method for password cracking. More often than not, that method is phishing, described in detail below. As long as the human is the weakest link of any security system, targeting her or him is the best bet. If that fails, there are plenty of other password cracking techniques to try.
While passwords are a very popular account security tool, they aren’t necessarily the safest option. That’s especially the case if a user creates a weak password, reuses it, and stores its plaintext copy somewhere online. That’s why using a password manager, biometric data (which has its cons too) or adding a second factor will make most of the cracking methods below useless.
A typical password cracking attack looks like this:
1. Get the password hashes
2. Prepare the hashes for a selected cracking tool
3. Choose a cracking methodology
4. Run the cracking tool
5. Evaluate the results
6. If needed, tweak the attack
7. Go to Step 2
Now let’s discuss the most popular password cracking techniques. There are many cases when these are combined together for greater effect.
1. Phishing
Phishing is the most popular technique that involves luring the user into clicking on an email attachment or a link that contains malware. The methods for doing so usually involve sending some important and official-looking email that warns to take action before it’s too late. In the end, password-extracting software is installed automatically or the user enters his account details into a look-alike website.
There are different types of phishing tailored for a particular situation, so we’ll look at the few common ones:
- Spear phishing targets a particular individual and tries to gather as much personal information as possible before the attack.
- Whaling targets senior executives and uses company-specific content, which can be a customer complaint or a letter from a shareholder.
- Voice phishing involves a fake message from a bank or some other institution, asking a user to call the helpline and enter his account data.
2. Malware
As you’ve seen, malware is often part of the phishing technique too. However, it can work without the “social engineering” factor if the user is naive enough (he usually is). Two of the most common malware types for stealing passwords are keyloggers and screen scrapers. As their names imply, the former sends all your keystrokes to the hacker, and the latter uploads the screenshots.
Other types of malware can also be used for password stealing. A backdoor trojan can grant full access to the user’s computer, and this can happen even when installing so-called grayware. Also known as potentially unwanted applications, these programs usually install themselves after clicking the wrong “Download” button on some website. While most will display ads or sell your web usage data, some might install much more dangerous software.
3. Social engineering
This password cracking technique relies on gullibility and may or may not employ sophisticated software or hardware – phishing is a type of social engineering scheme.
Technology has revolutionized social engineering. In 2019 hackers used AI and voice technology to impersonate a business owner and fooled the CEO into transferring $243,000. This attack demonstrated that faking voice is no longer the future, and video imitation will become commonplace sooner than you think.
Usually, the attacker contacts the victim disguised as a representative of some institution, trying to get as much personal info as possible. There’s also a chance that by posing as a bank or Google agent, he or she might get the password or credit card info right away. Contrary to the other techniques, social engineering can happen offline by calling or even personally meeting the victim.
4. Brute force attack
If all else fails, password crackers have the brute force attack as a last resort. It basically involves trying all possible combinations until you hit the jackpot. However, password cracking tools allow you to modify the attack and significantly reduce the time needed to check all variations. The user and his habits are the weak links again here.
If the attacker was able to brute force a password, he will assume the password has been re-used and try the same combination of login credentials on other online services. This is known as credential stuffing and is very popular in the age of data breaches.
5. Dictionary attack
A dictionary attack is a type of brute force attack and it’s often used together with other brute force attack types. It automatically checks if the password is not some often-used phrase like “iloveyou” by looking at the dictionary. The attacker might also add passwords from other leaked accounts. In such a scenario, the chance of a successful dictionary attack increases substantially.
If users were to choose strong passwords that contain not only one word, such attacks would quickly downgrade to a simple brute force attack. In case you use a password manager, then generating a random set of symbols is the best choice. And if you don’t, a long phrase made of at least five words is great too. Just don’t re-use it for every account.
6. Spidering
Spidering is a supplementary password cracking technique that helps with the above-mentioned brute force and dictionary attacks. It involves gathering information about the victim, usually a company, presuming that it uses some of that info for password creation. The goal is to create a word list that would help guess the password faster.
After checking the company’s website, social media, and other sources, one can come up with something like this:
- Founder name – Mark Zuckerberg
- Founder DOB – 1984 05 14
- Founder’s sister – Randi
- Founder’s other sister – Donna
- Company name – Facebook
- Headquarters – Menlo Park
- Company mission – Give people the power to build community and bring the world closer together
Now all you have to do is upload it to a proper password cracking tool and reap the benefits.
7. Guessing
While guessing is far from the most popular password cracking technique, it relates to business-oriented spidering above. Sometimes the attacker doesn’t even have to gather information about the victim because trying some of the most popular passphrases is enough. If you recall using one or more of the pathetic passwords in the list below, we strongly recommend changing them now.
Some of the most common passwords worldwide:
Even though the number of people who use simple or default passwords like “password,” “qwerty,” or “123456” is diminishing, many still love easy and memorable phrases. Those often include names of pets, lovers, pet-lovers, ex-pets, or something related to the actual service, like its name (lowercase).
8. Rainbow table attack
As mentioned above, one of the first things to do when password cracking is getting the password in the form of a hash. Then you create a table of common passwords and their hashed versions and check if the one you want to crack matches any entries. Experienced hackers usually have a rainbow table that also involves leaked and previously cracked passwords, making it more effective.
Most often, rainbow tables contain all possible passwords, which makes them extremely large, taking up hundreds of GBs. On the other hand, they make the actual attack faster because most of the data is already there and you only need to compare it with the targeted password hash. Luckily, most users can protect themselves from such attacks with large salts and key stretching, especially when using both.
If the salt is large enough, say 128-bit, two users with the same password will have unique hashes. This means that generating tables for all salts will take an astronomical amount of time. As for the key stretching, it increases the hashing time and limits the number of attempts that the attacker can make in a given time.
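Salting and key stretching as described above (and in the countermeasures list of the earlier tutorial), shown next to unsalted MD5 as an added example that is not from the original articles. It uses PBKDF2-HMAC-SHA256 from Python's standard library as one key-stretching function; the iteration count, the record format and the function names are assumptions for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000   # assumed work factor; raise it as hardware gets faster
SALT_BYTES = 16        # 128-bit salt, the size mentioned in the text
SCHEME = "pbkdf2_sha256"


def md5_unsalted(password):
    """The weak scheme: same password -> same hash for every user, everywhere."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password, iterations=ITERATIONS):
    """Return a storable record: scheme$iterations$salt_hex$derived_key_hex."""
    salt = os.urandom(SALT_BYTES)   # fresh random salt per password
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${key.hex()}"


def verify_password(password, record):
    """Recompute the key with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, key_hex = record.split("$")
        if scheme != SCHEME:
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, int(iterations))
    except ValueError:
        return False   # malformed record: reject rather than crash
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record, iterations=ITERATIONS):
    """True when a record was stored with a lower work factor than current policy."""
    try:
        return int(record.split("$")[1]) < iterations
    except (IndexError, ValueError):
        return True


if __name__ == "__main__":
    # Two users who both chose the same weak password (constructed sample).
    print("MD5, user A:   ", md5_unsalted("qwerty"))
    print("MD5, user B:   ", md5_unsalted("qwerty"))   # identical: one table lookup hits both
    record_a, record_b = hash_password("qwerty"), hash_password("qwerty")
    print("PBKDF2, user A:", record_a)
    print("PBKDF2, user B:", record_b)                 # different salt, different hash
    print("verify correct:", verify_password("qwerty", record_a))
    print("verify wrong:  ", verify_password("qwerty1", record_a))
```

A salt defeats precomputed tables and hides which users share a password; the iteration count is what slows each individual guess, so a weak password still needs to be blocked at creation time.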
Password cracking tools
No password cracking starts without proper tools. When you have to guess from billions of combinations, some computational assistance is more than welcome. As always, each tool has its pros and cons.
Here is a list, in no particular order, of the most popular password cracking tools.
1. John the Ripper
Featured in many popular password cracking tools lists, John the Ripper is a free, open-source, command-based application. It’s available for Linux and macOS while Windows and Android users get Hash Suite, developed by a contributor.
John the Ripper supports a massive list of different cipher and hash types. Some of those are:
- Unix, macOS, and Windows user passwords
- Web applications
- Database servers
- Network traffic captures
- Encrypted private keys
- Disks and filesystems
There’s also a Pro version with extra features and native packages for supported OS. Word lists used in password cracking are on sale, but free options are available as well.
2. Cain and Abel
Downloaded almost 2 million times from its official source, Cain & Abel is another popular tool for password cracking. But contrary to John the Ripper, it uses a GUI, making it instantly more user-friendly. That and the fact that it’s available on Windows only makes Cain & Abel a go-to tool for amateurs, also known as script kiddies.
This is a multi-purpose tool, capable of many different functions. Cain & Abel can act as a packet analyzer, record VoIP, analyze route protocols, or scan for wireless networks and retrieve their MAC addresses. If you already have the hash, this tool will offer a dictionary or brute force attack option. Cain & Abel can also display passwords that are hiding beneath the asterisks.
3. Ophcrack
Ophcrack is a free and open-source password cracking tool that specializes in rainbow table attacks. To be more precise, it cracks LM and NTLM hashes where the former addresses Windows XP and earlier OSs and the latter associates with Windows Vista and 7. NTLM is also available, to a certain degree, on Linux and FreeBSD. Both of these hash types are insecure – it’s possible to crack an NTLM hash in less than 3 hours with a fast computer.
As you can see in the screenshot above, it took Ophcrack merely six seconds to crack an 8-symbol password while using a rainbow table that includes letters, numbers, and uppercases. That’s even more variables than a mainstream password usually has.
This tool comes with free Windows XP/Vista/7 rainbow tables and a brute force attack feature for simple passwords. Ophcrack is available on Windows, macOS, and Linux.
4. THC Hydra
Arguably the strongest point of THC Hydra is not the possible number of heads it can grow but the sheer number of protocols it supports that seems to be growing too! This is an open-source network login password cracking tool that works with Cisco AAA, FTP, HTTP-Proxy, IMAP, MySQL, Oracle SID, SMTP, SOCKS5, SSH, and Telnet, to name but a few.
The methods available with THC Hydra include brute force and dictionary attacks while also using wordlists generated by other tools. This password cracker is known for its speed thanks to the multi-threaded combination testing. It can even run checks on different protocols simultaneously. THC Hydra is available on Windows, macOS, and Linux.
5. Hashcat
Positioning itself as the world’s fastest password cracker, Hashcat is a free open-source tool that’s available on Windows, macOS, and Linux. It offers a number of techniques, from simple brute force attack to hybrid mask with wordlist.
Hashcat can utilize both your CPU and GPU, even at the same time. This makes cracking multiple hashes simultaneously much faster. But what makes this tool truly universal is the number of supported hash types. Hashcat can decipher MD5, SHA3-512, ChaCha20, PBKDF2, Kerberos 5, 1Password, LastPass, KeePass, and many more. In fact, it supports over 300 hash types.
But before you can start cracking, you need to have the password hash first. Here are some of the most popular tools for getting the hash:
- Mimikatz. Known as a password audit and recovery app, Mimikatz can also be used for malign hash retrieval. In fact, it might as well extract plaintext passwords or PIN codes.
- Wireshark. Wireshark enables you to do packet sniffing, which is number ten on our password cracking techniques list above. Wireshark is an award-winning packet analyzer used not only by hackers but also by business and governmental institutions.
- Metasploit. This is a popular penetration testing framework. Designed for security professionals, Metasploit can also be used by hackers to retrieve password hashes.
How to create a strong password?
No matter how good your memory or your password manager is, failing to create a good password will lead to undesired consequences. As we discussed in this article, password cracking tools can decipher weak passwords in days, if not hours. That’s why we feel obliged to remind you of some of the key tips for coming up with a strong passphrase:
- Length. As it often is, length is the most important factor.
- Combine letters, numbers, and special characters. This greatly increases the number of possible combinations.
- Do not re-use. Even if your password is strong in theory, re-using it will leave you vulnerable.
- Avoid easy-to-guess phrases. A word that’s in the dictionary, on your pet’s collar or on your license plate is a big NO.
Is password cracking illegal?
There’s no clear cut answer to this. For starters, all password cracking tools described above are perfectly legal. That’s because they play a key role in checking for vulnerabilities and can also help recover a lost password. What’s more, such tools help law enforcement fight crime. So as it often is, password cracking can help the good and the bad cause.
As to the password cracking as an activity, it depends on two factors. One, the hacker doesn’t have the authority to access that particular data. Two, the goal is to steal, damage, or otherwise misuse the data. Even if only one of these factors is present, a hacker will most likely receive a punishment, ranging from a fine to multi-year imprisonment.
To sum up, if there’s no bug bounty, no agreement to do penetration testing, and no request to help recover a lost password, cracking is illegal.
Password cracking is easier than most users think. There are plenty of free tools and some of them are easy enough even for novice crackers. There’s also more than one password cracking technique to try. Starting with a simple brute force attack and moving on to sophisticated methods that combine different techniques, password cracking is evolving every day.
The best defense against password cracking is using a strong password. Using enough symbols and different characters ensures that even the fastest computer won’t crack your account in this lifetime. And since remembering multiple strong passwords is unlikely, the best bet is to use a reliable password manager. Two-factor authentication is still a pain in the rear for any hacker, so adding a finger or face ID will keep your data safe, at least for the foreseeable future.
The top 12 password-cracking techniques used by hackers
For many years, passwords were considered to be an acceptable form of protecting one’s privacy when it came to the digital world. However, as cryptography and biometrics started to become more widely available to the public, the flaws in this simple method of authentication became more noticeable.
It’s worth taking into account the role of a leaked password in one of the biggest cyber security stories of the last two years, the SolarWinds hack. It was revealed that ‘solarwinds123’, a password created and leaked by an intern, had been publicly accessible through a private GitHub repository since June 2018, enabling hackers to plan and carry out the massive supply chain attack. Despite this, even if the password hadn’t been leaked, it wouldn’t have been hard for attackers to guess it. In the words of US politician Katie Porter, most parents utilise a stronger password to stop their children from “watching too much YouTube on their iPad”.
Passwords that are weak or easy to guess are more common than you might expect: recent findings from the NCSC found that around one in six people uses the names of their pets as their passwords, making them highly predictable. To make matters worse, these passwords tend to be reused across multiple sites, with one in three people (32%) having the same password to access different accounts.
It should come as no surprise that passwords are the worst nightmare of a cyber security expert. To remedy this issue, there are steps worth taking, like implementing robust multi-layer authentication. To mitigate risks, it is also worthwhile to consider the steps cyber criminals must take to hack your account and “know your enemy”. We’ve put together the top 12 password-cracking techniques used by attackers to enable you and your business to be better prepared.
12 password-cracking techniques used by hackers:
1. Phishing
Perhaps the most commonly-used hacking technique today, phishing is the practice of attempting to steal user information by disguising malicious content as a trustworthy communication. Although the term is generally associated with email, and there are terms to describe other mediums - such as ‘smishing’ (SMS phishing) - phishing can occur across any type of electronic communication.
The typical tactic is to trick a user into clicking on an embedded link or downloading an attachment. Instead of being directed to a helpful resource, a malicious file is downloaded and executed on the user’s machine. What happens next depends entirely on the malware being executed – some may encrypt files and prevent the user from accessing the machine, while others may attempt to stay hidden in order to act as a backdoor for other malware.
As computer literacy has improved over the years, and as users have grown accustomed to online threats, phishing techniques have had to become more sophisticated. Today’s phishing usually involves some form of social engineering, where the message will appear to have been sent from a legitimate, often well-known company, informing their customers that they need to take action of some kind. Netflix, Amazon, and Facebook are often used for this purpose, as it’s highly likely that the victim will have an account associated with these brands.
Emails from supposed princes in Nigeria looking for an heir, or firms acting on behalf of wealthy deceased relatives, are few and far between these days, although you can still find the odd, wildly extravagant, claim here and there.
Our recent favourite is the case of the first Nigerian astronaut who is unfortunately lost in space and needs us to act as a man in the middle for a $3 million transfer to the Russian Space Agency – which apparently does return flights.
2. Social engineering
Speaking of social engineering, this typically refers to the process of tricking users into believing the hacker is a legitimate agent. A common tactic is for hackers to call a victim and pose as technical support, asking for things like network access passwords in order to provide assistance. This can be just as effective if done in person, using a fake uniform and credentials, although that’s far less common these days.
Successful social engineering attacks can be incredibly convincing and highly lucrative, as was the case when the CEO of a UK-based energy company lost £201,000 to hackers after they tricked him with an AI tool that mimicked his assistant’s voice.
3. Malware
Keyloggers, screen scrapers, and a host of other malicious tools all fall under the umbrella of malware, malicious software designed to steal personal data. Alongside highly disruptive malicious software like ransomware, which attempts to block access to an entire system, there are also highly specialised malware families that target passwords specifically.
Keyloggers, and their ilk, record a user’s activity, whether that’s through keystrokes or screenshots, which is all then shared with a hacker. Some malware will even proactively hunt through a user’s system for password dictionaries or data associated with web browsers.
4. Brute force attack
Brute force attacks refer to a number of different methods of hacking that all involve guessing passwords in order to access a system.
A simple example of a brute force attack would be a hacker simply guessing a person’s password based on relevant clues, however, they can be more sophisticated than that. Credential recycling, for example, relies on the fact that many people reuse their passwords, some of which will have been exposed by previous data breaches. Reverse brute force attacks involve hackers taking some of the most commonly used passwords and attempting to guess associated usernames.
Most brute force attacks employ some sort of automated processing, allowing vast quantities of passwords to be fed into a system.
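An added example (not from the original article) of how a defender can tell two of the patterns above apart in authentication logs: one source hammering a single account, versus one source failing across many accounts (the reverse brute force pattern). The log format, thresholds and function names are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log; source IPs come from documentation ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z FAIL user=alice src=203.0.113.7
2024-05-01T10:00:03Z FAIL user=alice src=203.0.113.7
2024-05-01T10:00:05Z FAIL user=alice src=203.0.113.7
2024-05-01T10:00:07Z FAIL user=alice src=203.0.113.7
2024-05-01T10:00:09Z FAIL user=alice src=203.0.113.7
2024-05-01T10:00:11Z FAIL user=alice src=203.0.113.7
2024-05-01T10:02:00Z FAIL user=alice src=198.51.100.23
2024-05-01T10:02:20Z FAIL user=bob src=198.51.100.23
2024-05-01T10:02:40Z FAIL user=carol src=198.51.100.23
2024-05-01T10:03:00Z FAIL user=dave src=198.51.100.23
2024-05-01T10:03:20Z FAIL user=erin src=198.51.100.23
2024-05-01T10:04:00Z FAIL user=bob src=192.0.2.10
2024-05-01T10:04:30Z FAIL user=bob src=192.0.2.10
2024-05-01T10:05:00Z OK user=bob src=192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<outcome>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Turn log text into time-sorted (timestamp, outcome, user, src) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the assumed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["outcome"], m["user"], m["src"]))
    return sorted(events)


def _max_in_window(times, window):
    """Largest number of sorted timestamps that fall inside one sliding window."""
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def _max_distinct_users(fails, window):
    """fails: sorted [(ts, user)]; most distinct users failed inside one window."""
    best = start = 0
    counts = defaultdict(int)
    for ts, user in fails:
        counts[user] += 1
        while ts - fails[start][0] > window:
            old = fails[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best


def detect(events, window=timedelta(minutes=5), per_account=5, distinct_accounts=4):
    """Flag sources that exceed either threshold within the time window."""
    by_pair = defaultdict(list)  # (src, user) -> failure timestamps
    by_src = defaultdict(list)   # src -> [(timestamp, user)]
    for ts, outcome, user, src in events:
        if outcome == "FAIL":
            by_pair[(src, user)].append(ts)
            by_src[src].append((ts, user))
    findings = []
    for (src, user), times in by_pair.items():
        n = _max_in_window(times, window)
        if n >= per_account:  # many guesses against one account
            findings.append(("brute_force", src, user, n))
    for src, fails in by_src.items():
        n = _max_distinct_users(fails, window)
        if n >= distinct_accounts:  # few guesses each, many accounts
            findings.append(("reverse_brute_force", src, None, n))
    return sorted(findings, key=lambda f: (f[0], f[1]))


if __name__ == "__main__":
    for finding in detect(parse(SAMPLE_LOG)):
        print(finding)
```

Per-account lockout alone only catches the first pattern, which is why the second rule counts distinct accounts per source.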
5. Dictionary attack
The dictionary attack is a slightly more sophisticated example of a brute force attack.
This uses an automated process of feeding a list of commonly-used passwords and phrases into a computer system until something fits. Most dictionaries will be made up of credentials gained from previous hacks, although they will also contain the most common passwords and word combinations.
This technique takes advantage of the fact that many people will use memorable phrases as passwords, which are usually whole words stuck together. This is largely the reason why systems will urge the use of multiple character types when creating a password.
6. Mask attack
Where dictionary attacks use lists of all possible phrase and word combinations, mask attacks are far more specific in their scope, often refining guesses based on characters or numbers – usually founded in existing knowledge.
For example, if a hacker is aware that a password begins with a number, they will be able to tailor the mask to only try those types of passwords. Password length, the arrangement of characters, whether special characters are included, or how many times a single character is repeated are just some of the criteria that can be used to configure the mask.
The goal here is to drastically reduce the time it takes to crack a password, and remove any unnecessary processing.
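An added example (not from the original article) that quantifies, from a password auditor's side, how much a predictable structure shrinks the search space compared with trying every printable character at every position. The class labels (U, L, D, S) and function names are assumptions made for this illustration.

```python
import math
import string

# Character classes over printable ASCII (26 + 26 + 10 + 33 = 95 symbols).
CLASSES = {
    "U": string.ascii_uppercase,
    "L": string.ascii_lowercase,
    "D": string.digits,
    "S": string.punctuation + " ",
}
FULL_CHARSET = sum(len(chars) for chars in CLASSES.values())


def mask_of(password):
    """Return the per-position class pattern, e.g. 'Password1!' -> 'ULLLLLLLDS'."""
    mask = []
    for ch in password:
        for label, chars in CLASSES.items():
            if ch in chars:
                mask.append(label)
                break
        else:
            raise ValueError(f"unsupported character: {ch!r}")
    return "".join(mask)


def mask_keyspace(mask):
    """Number of candidates that share this exact structure."""
    return math.prod(len(CLASSES[label]) for label in mask)


def audit(password):
    """Compare the structure-limited keyspace with the full keyspace of that length."""
    mask = mask_of(password)
    masked = mask_keyspace(mask)
    full = FULL_CHARSET ** len(password)
    return {
        "mask": mask,
        "mask_keyspace": masked,
        "full_keyspace": full,
        "reduction_factor": full // masked,
        "mask_bits": round(math.log2(masked), 1),
        "full_bits": round(math.log2(full), 1),
    }


if __name__ == "__main__":
    # Constructed sample: satisfies typical complexity rules, but its
    # capital-first, digit-and-symbol-last layout is highly predictable.
    for key, value in audit("Password1!").items():
        print(f"{key}: {value}")
```

The gap between the two bit counts is what a complexity rule gives away when users all satisfy it with the same layout.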
7. Rainbow table attack
Whenever a password is stored on a system, it’s typically protected using a ‘hash’, a one-way cryptographic alias, so the original password can’t be read directly from the stored value. In order to bypass this, hackers maintain and share directories that record passwords and their corresponding hashes, often built from previous hacks, reducing the time it takes to break into a system; these directories are also used in brute force attacks.
Rainbow tables go one step further, as rather than simply providing a password and its hash, these store a precompiled list of all possible plain text versions of encrypted passwords based on a hash algorithm. Hackers are then able to compare these listings with any encrypted passwords they discover in a company’s system.
Much of the computation is done before the attack takes place, making it far easier and quicker to launch an attack, compared to other methods. The downside for cyber criminals is that the sheer volume of possible combinations means rainbow tables can be enormous, often hundreds of gigabytes in size.
8. Network analysers
Network analysers are tools that allow hackers to monitor and intercept data packets sent over a network and lift the plain text passwords contained within.
Such an attack requires the use of malware or physical access to a network switch, but it can prove highly effective. It doesn’t rely on exploiting a system vulnerability or network bug, and as such is applicable to most internal networks. It’s also common to use network analysers as part of the first phase of an attack, followed up with brute force attacks.
Of course, businesses can use these same tools to scan their own networks, which can be especially useful for running diagnostics or for troubleshooting. Using a network analyser, admins can spot what information is being transmitted in plain text, and put policies in place to prevent this from happening.
The only way to prevent this attack is to secure the traffic by routing it through a VPN or something similar.
9. Spidering
Spidering refers to the process of hackers getting to know their targets intimately in order to acquire credentials based on their activity. The process is very similar to techniques used in phishing and social engineering attacks, but involves a far greater amount of legwork on the part of the hacker - although it’s generally more successful as a result.
How a hacker might use spidering will depend on the target. For example, if the target is a large company, hackers may attempt to source internal documentation, such as handbooks for new starters, in order to get a sense of the sort of platforms and security the target uses. It’s in these that you often find guides on how to access certain services, or notes on office Wi-Fi usage.
It’s often the case that companies will use passwords that relate to their business activity or branding in some way - mainly because it makes it easier for employees to remember. Hackers are able to exploit this by studying the products that a business creates in order to build a hitlist of possible word combinations, which can be used to support a brute force attack.
As is the case with many other techniques on this list, the process of spidering is normally supported by automation.
10. Offline cracking
It’s important to remember that not all hacking takes place over an internet connection. In fact, most of the work takes place offline, particularly as most systems place limits on the number of guesses allowed before an account is locked.
Offline hacking usually involves the process of decrypting passwords by using a list of hashes likely taken from a recent data breach. Without the threat of detection or password form restrictions, hackers are able to take their time.
Of course, this can only be done once an initial attack has been successfully launched, whether that's a hacker gaining elevated privileges and accessing a database, by using a SQL injection attack, or by stumbling upon an unprotected server.
11. Shoulder surfing
You might think the idea of someone looking over your shoulder to see your password is a product of Hollywood, but this is a genuine threat, even in 2020.
Brazen examples of this include hackers disguising themselves in order to gain access to company sites and, quite literally, look over the shoulders of employees to grab sensitive documents and passwords. Smaller businesses are perhaps most at risk of this, given that they’re unable to police their sites as effectively as a larger organisation.
Security experts recently warned of a vulnerability in the authentication process used by WhatsApp. Users trying to use WhatsApp on a new device must first enter a unique code that's sent via a text message, which can be used to restore a user's account and chat history from a backup. It was found that if a hacker was able to obtain a user's phone number, they are able to download the app to a clean device and issue a prompt for a new code, which, if they are in spying distance, they could copy as it arrives on the user's own device.
12. Guess
If all else fails, a hacker can always try and guess your password. While there are many password managers available that create strings that are impossible to guess, many users still rely on memorable phrases. These are often based on hobbies, pets, or family, much of which is often contained in the very profile pages that the password is trying to protect.
The best way to remove this as a potential avenue for criminals is to maintain password hygiene and make use of password managers, many of which are free.
Understanding the password-cracking techniques hackers use to blow your online accounts wide open is a great way to ensure it never happens to you.
You certainly will always need to change your password, and sometimes more urgently than you think, but mitigating against theft is a great way to stay on top of your account security. You can always head to www.haveibeenpwned.com to check if you’re at risk, but simply thinking your password is secure enough to not be hacked into is a bad mindset to have.
So, to help you understand just how hackers get your passwords – secure or otherwise – we’ve put together a list of the top ten password-cracking techniques used by hackers. Some of the below methods are certainly outdated, but that doesn’t mean they aren’t still being used. Read carefully and learn what to mitigate against.
The Top Ten Password-cracking Techniques Used by Hackers
1. Phishing
There’s an easy way to hack: ask the user for his or her password. A phishing email leads the unsuspecting reader to a spoofed login page associated with whatever service it is the hacker wants to access, usually by requesting the user to put right some terrible problem with their security. That page then skims their password and the hacker can go use it for their own purpose.
Why bother going to the trouble of cracking the password when the user will happily give it to you anyway?
2. Social Engineering
Social engineering takes the whole “ask the user” concept outside of the inbox that phishing tends to stick with and into the real world.
A favorite of the social engineer is to call an office posing as an IT security tech guy and simply ask for the network access password. You’d be amazed at how often this works. Some even have the necessary gonads to don a suit and name badge before walking into a business to ask the receptionist the same question face to face.
Time and again, it’s been shown that many businesses either don’t have good security in place or people are too friendly and trusting when they shouldn’t be, such as giving people access to sensitive locations because of a uniform or sob story.
3. Malware
Malware comes in many forms, such as a keylogger, also known as a screen scraper, which records everything you type or takes screenshots during a login process, and then forwards a copy of this file to hacker central.
Some malware will look for the existence of a web browser client password file and copy it, which, unless properly encrypted, will contain easily accessible saved passwords from the user’s browsing history.
4. Dictionary Attack
The dictionary attack uses a simple file containing words that can be found in a dictionary, hence its rather straightforward name. In other words, this attack uses exactly the kind of words that many people use as their password.
Cleverly grouping words together such as “letmein” or “superadministratorguy” will not prevent your password from being cracked this way – well, not for more than a few extra seconds.
5. Rainbow Table Attack
Rainbow tables aren’t as colorful as their name may imply but, for a hacker, your password could well be at the end of it. In the most straightforward way possible, you can boil a rainbow table down into a list of pre-computed hashes – the numerical value used when encrypting a password. This table contains hashes of all possible password combinations for any given hashing algorithm. Rainbow tables are attractive because they reduce the time needed to crack a password hash to simply looking something up in a list.
However, rainbow tables are huge, unwieldy things. They require serious computing power to run and a table becomes useless if the hash it’s trying to find has been “salted” by the addition of random characters to its password ahead of applying the hashing algorithm.
There is talk of salted rainbow tables existing, but these would be so large as to be difficult to use in practice. They would likely only work with a predefined “random character” set and password strings below 12 characters as the size of the table would be prohibitive to even state-level hackers otherwise.
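An added example (not from the original articles) showing, for both rainbow table sections above, why a per-user salt makes precomputed hashes useless: the weak unsalted scheme sits beside a salted PBKDF2 scheme. A plain lookup dictionary stands in for the precomputed table, and the iteration count, record layout and function names are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # illustrative work factor (assumption); tune for your hardware


def unsalted_record(password):
    """Weak scheme: a bare fast hash, identical for identical passwords."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_record(password):
    """Hardened scheme: random per-user salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "digest": digest.hex()}


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode(),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["digest"])


# Constructed stand-in for a precomputed table: unsalted SHA-256 -> password.
COMMON = ["letmein", "password", "123456", "superadministratorguy"]
PRECOMPUTED = {unsalted_record(p): p for p in COMMON}


def table_hits(stored_digests):
    """Count stored digests that appear in the precomputed table."""
    return sum(1 for d in stored_digests if d in PRECOMPUTED)


def demo():
    # Constructed sample: two users who picked the same weak password.
    users = {"alice": "letmein", "bob": "letmein"}
    weak = {u: unsalted_record(p) for u, p in users.items()}
    strong = {u: salted_record(p) for u, p in users.items()}
    return {
        "weak_identical": weak["alice"] == weak["bob"],
        "weak_table_hits": table_hits(weak.values()),
        "strong_identical": strong["alice"]["digest"] == strong["bob"]["digest"],
        "strong_table_hits": table_hits(r["digest"] for r in strong.values()),
        "login_ok": verify("letmein", strong["alice"]),
        "login_bad": verify("letmeinn", strong["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Salting does not make a weak password strong; it forces each stored hash to be attacked individually, and the slow KDF raises the cost of every guess.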
6. Spidering
Savvy hackers have realized that many corporate passwords are made up of words that are connected to the business itself. Studying corporate literature, website sales material, and even the websites of competitors and listed customers can provide the ammunition to build a custom word list to use in a brute force attack.
Really savvy hackers have automated the process and let a spidering application, similar to the web crawlers employed by leading search engines, identify keywords and then collect and collate the lists for them.
7. Offline Cracking
It’s easy to imagine that passwords are safe when the systems they protect lock out users after three or four wrong guesses, blocking automated guessing applications. Well, that would be true if it were not for the fact that most password hacking takes place offline, using a set of hashes in a password file that has been ‘obtained’ from a compromised system.
Often the target in question has been compromised via a hack on a third party, which then provides access to the system servers and those all-important user password hash files. The password cracker can then take as long as they need to try and crack the code without alerting the target system or individual user.
8. Brute Force Attack
Similar to the dictionary attack, the brute force attack comes with an added bonus for the hacker. Instead of simply using words, a brute force attack lets them detect non-dictionary words by working through all possible alpha-numeric combinations from aaa1 to zzz10.
It’s not quick, provided your password is over a handful of characters long, but it will uncover your password eventually. Brute force attacks can be shortened by throwing additional computing horsepower, in terms of both processing power – including harnessing the power of your video card GPU – and machine numbers, such as using distributed computing models like online bitcoin miners.
9. Shoulder Surfing
Another form of social engineering, shoulder surfing, just as it implies, entails peeking over a person’s shoulders while they’re entering credentials, passwords, etc. Although the concept is very low tech, you’d be surprised how many passwords and how much sensitive information are stolen this way, so remain aware of your surroundings when accessing bank accounts, etc. on the go.
The most confident of hackers will take the guise of a parcel courier, aircon service technician, or anything else that gets them access to an office building. Once they are in, the service personnel “uniform” provides a kind of free pass to wander around unhindered, and make note of passwords being entered by genuine members of staff. It also provides an excellent opportunity to eyeball all those post-it notes stuck to the front of LCD screens with logins scribbled upon them.
10. Guess
The password crackers’ best friend, of course, is the predictability of the user. Unless a truly random password has been created using software dedicated to the task, a user-generated ‘random’ password is unlikely to be anything of the sort.
Instead, thanks to our brains’ emotional attachment to things we like, the chances are those random passwords are based upon our interests, hobbies, pets, family, and so on. In fact, passwords tend to be based on all the things we like to chat about on social networks and even include in our profiles. Password crackers are very likely to look at this information and make a few – often correct – educated guesses when attempting to crack a consumer-level password without resorting to dictionary or brute force attacks.
Other Attacks to Beware Of
If hackers are lacking anything, it isn’t creativity. Using a variety of techniques and adapting to ever-changing security protocols, these interlopers continue to succeed.
For example, anyone on Social Media has likely seen the fun quizzes and templates asking you to talk about your first car, your favorite food, the number one song on your 14th birthday. While these games seem harmless and they’re certainly fun to post, they’re actually an open template for security questions and account access verification answers.
When setting up an account, perhaps try using answers that don’t actually pertain to you but that you can easily remember. “What was your first car?” Instead of answering truthfully, put your dream car instead. Otherwise, simply don’t post any security answers online.
Another way to gain access is simply resetting your password. The best line of defense against an interloper resetting your password is using an email address that you check frequently and keeping your contact information updated. If available, always enable 2-factor authentication. Even if the hacker learns your password, they can’t access the account without a unique verification code.
Best Practices to Protect Yourself from Hackers
- Maintain strong and unique passwords for all of your accounts; there are password managers available.
- Don’t click on links or download files in emails arbitrarily. It’s best not to do it at all, although activation emails prevent this.
- Check for and apply security updates periodically. Most work computers might not allow this; in that case the system administrator will take care of these things.
- When using a new computer or drive, consider using encryption. You can encrypt a HDD/SSD with data on it, but it can take hours or days because of the extra information.
- Use the notion of least privilege, which means only give access to what’s needed. Basically, create user accounts that aren’t admins for casual computer use by you or friends and family.
Frequently Asked Questions
Why do I need a different password for every site?
You probably know that you shouldn’t give out your passwords and you shouldn’t download any content you’re not familiar with, but what about the accounts you sign into every day? Suppose you use the same password for your bank account that you use for an arbitrary account like Grammarly. If Grammarly is hacked, the hacker then has your banking password too (and possibly your email, making it even easier to gain access to all of your financial resources).
What can I do to protect my accounts?
Using 2FA on any accounts that offer the feature, using unique passwords for each account, and using a mixture of letters and symbols is the best line of defense against hackers. As stated previously, there are a lot of different ways that hackers gain access to your accounts, so other things you need to make sure that you’re doing regularly are keeping your software and apps up-to-date (for security patches) and avoiding any downloads you aren’t familiar with.
What is the safest way to keep passwords?
Keeping up with several uniquely strange passwords can be incredibly difficult. Although it’s far better to go through the password reset process than it is to have your accounts compromised, it is time-consuming. To keep your passwords safe you can use a service like LastPass or KeePass to save all of your account passwords.
You can also use a unique algorithm to keep your passwords while making them easier to remember. For example, PayPal could be something like hwpp+c832. Essentially, this password is the first letter of each break in the URL (https://www.paypal.com) with the last number in the birth year of everyone in your home (just as an example). When you go to log into your account, view the URL which will give you the first few letters of this password.
Add symbols to make your password even more difficult to hack but organize them so that they’re easier to remember. For example, the “+” symbol can be for any accounts related to entertainment while the “!” can be used for financial accounts.
Practicing Online Safety
In a global era when communications can take place across the world seemingly in an instant, it’s important to remember that not everyone has good intentions. Protect yourself online by actively managing and updating your passwords and staying aware of the information you leak on social media. Sharing is caring, but not when sharing personal information makes you an easy target for cyber criminals.