Password Cracking

A password cracking attack is the process of obtaining the correct password to an account in an unauthorised way.

Password attackers use various techniques to crack passwords, including the use of records obtained from data breaches. You can check if your email address appears on a list of compromised accounts using this tool.

Why people crack passwords

There are many reasons why attackers want to crack passwords. First, they try to obtain access to restricted data and systems, get a foothold in companies’ networks, or just seize control of an account and use it for their purposes.

How long does it take to crack a password?

The time it takes to crack a password depends on its length and whether it uses a combination of upper-case and lower-case letters, numbers, and symbols. An eight-character password with only lower-case letters takes only five seconds to crack, whereas a password of the same length using upper and lower-case letters, numbers and symbols would take eight hours to break. Adding an extra two characters for a ten-character password would extend this to five years to crack by brute force.

What is password strength?

Put simply, password strength is the measure of a password’s efficiency in resisting password-cracking tactics. Password strength is determined by:

• Length: The number of characters the password contains.
• Complexity: Does your password use a combination of letters, numbers, and symbols?
• Unpredictability: Is the password something that can be guessed easily by an attacker?

Two primary forms of password cracking

One of the most common types of password attacks are:

Brute force

Brute force attacks involve an attacker submitting many possible passwords to test them with the hope of eventually guessing correctly and cracking this password. Brute force attacks very often use a list of commonly used passwords and automation software or bots.

Dictionary attacks

A dictionary attack is when an attacker uses a list of words pulled from sources such as dictionaries, thesauruses, and newspapers to crack passwords, which can often be highly effective as people generally use real words so their password is memorable to them.

Password guessing vs password cracking

Password guessing is the process of entering a password manually by the user to see if it is correct, whereas password cracking involves using programs or software to try several combinations of possible passwords at once.

How password-cracking programs work

Password cracking programs work by using various methods to process and analyze large numbers of password hashes. A hash is a transformation of an input string into a smaller fixed-length output string; it is like fingerprints used for identification purposes.

If the original password can be determined then other passwords with similar characteristics can be cracked too. For example, if one knows how 7% of users create their password then that knowledge can be extrapolated to create cracking dictionaries for all the other 3,700 characters (upper- and lowercase letters, numbers, symbols) to make up 93% of possible passwords.

Post-cracking activities

Once a password has been successfully cracked there are sometimes follow-up attacks to perform certain tasks: privilege escalation, installing backdoors, data exfiltration, etc.

Rainbow attack

A rainbow attack is a type of password cracking that uses different words from the original password to generate all other possible passwords.

Rainbow table attack

A rainbow table attack is an additional method that can be used to crack passwords. Rainbow tables exploit the fact that password hashes are not secure when it comes to protecting against cracking attacks by storing pre-calculated values of encrypted hashes for each possible word in a large database, which makes it easy to check whether the hash value has been cracked or not when a certain word is identified as the actual password. In essence, this mechanism performs many of its calculations before even accessing the storage where all those values are stored.

Today’s computers and multi-core processors allow much more efficient processing of lists of words and the possibility to exploit their weaknesses through additional methods such as rainbow tables. Rainbow table attacks can crack hashes that are much longer and more complex than wordlists.

Other types of password cracking

There are a few other password-cracking tactics, and these include:

Guessing: Passwords like ‘qwerty’ and ‘password’ are commonly used or set as default passwords and these can be easily guessed.

Spidering: Most organizations use passwords that contain company information, for example. Specifically, spidering gathers information from sources and comes up with a list of likely words used within these passwords.

Password cracking tools

John the Ripper

John the Ripper uses the command prompt to crack passwords and it specifically uses a wordlist to crack passwords.

Cain & Abel

Cain & Abel runs on Windows and recovers passwords for user accounts, recovery of Microsoft Access passwords; and networking sniffing interface.

Ophcrack

Ophcrack is a cross-platform Windows password cracker that uses rainbow tables to crack passwords.

Frequently asked questions about password cracking

What password is most commonly used? Password1, 123456, and Qwerty. Those are the three most common passwords.

How do I make my password harder to crack? First, don’t use any words found in an English dictionary or any variation of them. The typical word combinations (“pizza99”, “qwertyuiop”, “dragonf1sh”) can be cracked easily and fast since computers know these words well – even when misspelled. If you combine two random names, numbers and special characters (e.g., &#*@) that are not found together in any word or proper name, your password will be very hard to guess or crack even with a big dictionary of common passwords.

What is the best way to create strong passwords? You should come up with several seemingly unrelated words for each site: these words can be similar but cannot be identical – in other words, they need to have at least one letter different from another one. The purpose of a good password is to string together several seemingly independent parts so there’s no logical relationship between them – so the password is difficult to guess or crack even with a big dictionary.

Best practice is to use a password manager to generate and store strong, unique passwords. You should also ensure you never reuse the same password across multiple services, as this exposes your accounts to credential stuffing attacks, making your other accounts vulnerable if one service suffers a data leak.

Read more on how to create strong passwords here