Password cracking: How to crack a password

An introduction to password security: How to crack a password

Adam King

9th April 2024


Have you ever thought about how and why passwords are cracked? This article introduces password cracking, focusing on common strategies and tools used by security professionals and malicious users. We also discuss the composition of secure passwords, and why certain approaches are more effective than others.

Cracking passwords can be very easy in certain situations. The time taken, and the likelihood of success, depend largely on the strength of the password. In many cases people choose common passwords, or common techniques for generating them. A common password with slight variations applied to meet enforced complexity requirements often gives a false impression of its resilience to attack.

Depending on the target, password cracking will typically follow one of two approaches: online or offline. The following sections take a dive into each of these password cracking methodologies.

Online Password Cracking

An online attack is performed in real-time, against live services or applications to compromise active user accounts. Such attacks typically occur when a malicious actor lacks direct access to the target system or application and aims to gain an initial foothold.

The first step in conducting online password attacks is identifying as many active user accounts as possible. Without knowledge of active user accounts, online password cracking becomes significantly more challenging: having to guess both the username and the password multiplies the number of combinations that must be tried. With this in mind, there are some common methods for obtaining valid usernames, for example:

  • Using online public information, such as email addresses on the company or social media websites
  • Using unintended online public information, such as breach database dumps (which may also disclose user passwords!)
  • Product documentation or internet resources (such as forums) for default user accounts – many services have a default “admin” user or similar.
  • Search for user enumeration vulnerabilities in the application, service or environment you are targeting. The OWASP Testing Guide is a great resource for finding account enumeration vulnerabilities and guessable users.

Armed with a list of valid usernames, we can look at an example of an online password cracking process against a common management interface, Secure Shell (SSH). In this example, we target the default administrative user account, “root”.

We start by confirming that the SSH service is accessible on the target. For this, we use a port scanning tool, Nmap, to confirm that TCP port 22 is open:

kali@kali# nmap -sV 192.168.0.5
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-17 12:03 EST
Nmap scan report for 192.168.0.5
Host is up (0.17s latency).
Not shown: 998 closed ports
PORT    STATE    SERVICE   VERSION
22/tcp   open     ssh       OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)

From the Nmap output we can see that the SSH port is reported as open (STATE: open). We can now perform an online brute-force attack against the SSH service. For this, we will use Hydra, a popular password cracking utility that supports many protocols, including SSH. We can use Hydra to launch a dictionary attack, where it will attempt to log into the SSH service using passwords from a list. The following output shows the Hydra tool in action, attempting all of the passwords from the rockyou-15.txt list against the root user:

kali@kali# hydra -l root -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou-15.txt 192.168.0.5 ssh
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-11-17 12:08:59
[DATA] max 16 tasks per 1 server, overall 16 tasks, 8217 login tries (l:33/p:249), ~514 tries per task
[DATA] attacking ssh://192.168.0.5/
[STATUS] 163.00 tries/min, 163 tries in 00:01h, 8055 to do in 00:50h, 16 active
[22][ssh] host: 192.168.0.5 login: root password: 123abc

Hydra successfully identified a valid username (root) and password (123abc).

Whilst this example was successful, there are several disadvantages to performing online password attacks. The speed at which they run depends on the network connection to the target: high network latency, for example, means each attempt takes longer to complete, and therefore a slower cracking speed. Even a fast connection will be slow compared with an offline password attack.

An online attack is likely to be noticed in an environment with mature security controls. The large number of authentication failures (caused by trying incorrect username and password combinations during the cracking process) may indicate an attack if the service, network or system is well configured with a security monitoring solution. Furthermore, there are a range of common security mechanisms that may significantly reduce the likelihood of a successful online password attack, such as:

Account lockout – When an incorrect authentication attempt is made, the user account can be locked if a threshold (such as five failed login attempts) is reached. The user then may have to contact an administrator to regain access or wait a defined period of time before attempting to authenticate again. This protection feature will significantly limit the opportunity for a successful online password attack.

Rate Limiting – This reduces the number of authentication attempts that can be made within a given timeframe by dropping network requests after a threshold has been reached.

Multi-Factor Authentication (MFA) – Where a user is required to present two or more factors to verify their identity. The principle of MFA is that a user requires two out of the following three factors to authenticate successfully:

  • Something you know (often a password)
  • Something you are (such as biometrics)
  • Something you have (such as a hardware/software token)
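As an added example (not code from the article), the following Python shows the detection side of the Hydra run above: it reads OpenSSH authentication log lines, counts failed logins per source address within a sliding window, raises an alert when the five-attempt lockout threshold mentioned above is reached, and also flags a successful login that follows such a burst. The log lines and the source addresses in them are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in OpenSSH's syslog format. The source addresses are
# placeholders chosen for this example, not values taken from the article.
SAMPLE_AUTH_LOG = """\
Nov 17 12:08:59 target sshd[2101]: Failed password for root from 192.168.0.99 port 41234 ssh2
Nov 17 12:09:00 target sshd[2103]: Failed password for root from 192.168.0.99 port 41236 ssh2
Nov 17 12:09:00 target sshd[2105]: Failed password for invalid user admin from 192.168.0.99 port 41238 ssh2
Nov 17 12:09:01 target sshd[2107]: Failed password for root from 192.168.0.99 port 41240 ssh2
Nov 17 12:09:02 target sshd[2109]: Failed password for root from 192.168.0.99 port 41242 ssh2
Nov 17 12:09:03 target sshd[2111]: Accepted password for root from 192.168.0.99 port 41244 ssh2
Nov 17 12:15:30 target sshd[2200]: Failed password for alice from 192.168.0.20 port 50001 ssh2
Nov 17 12:20:45 target sshd[2210]: Accepted publickey for alice from 192.168.0.20 port 50002 ssh2
"""

# One regex covers both outcomes; "invalid user" appears when the username does not exist.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+ ssh2$"
)

def parse(line):
    """Return a dict for an sshd auth line, or None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")  # syslog has no year
    return ev

def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Return alerts: ('burst', src, failures) once a source reaches `threshold`
    failures inside `window_s` seconds, and ('success_after_burst', src, user)
    for any later successful login from a source that was flagged."""
    recent = defaultdict(deque)   # src -> timestamps of failures still in the window
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        q = recent[ev["src"]]
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            while q and (ev["ts"] - q[0]).total_seconds() > window_s:
                q.popleft()                       # drop failures outside the window
            if len(q) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append(("burst", ev["src"], len(q)))
        elif ev["src"] in flagged:
            alerts.append(("success_after_burst", ev["src"], ev["user"]))
    return alerts

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

The same logic applies to any service that logs per-attempt failures; a single failure from a second address, as for alice here, is not reported.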

In addition to username and password dictionary attacks, many systems and services ship with default credentials that are intended to be used during initial configuration. It is crucial to change these default credentials and to disable generic accounts such as “admin”. Penetration testers and malicious users will often try default credentials when attempting to compromise a system, and there are many public databases and resources for discovering the default credentials used by popular systems and software.

Offline Password Cracking

Offline attacks are carried out when password hashes have been recovered, typically after an initial breach has occurred. A malicious user will take the hashes offline to crack, avoiding many of the restrictive mechanisms (such as account lockout) that are present with online password cracking.

Hashing a password means passing it through a hashing algorithm to produce a fixed-length string of characters that does not reveal the password. The process is designed to be a one-way function: the hash cannot be reversed to recover the original password.

Here is an example of hashing a password. The word ‘password’ is hashed using the SHA512-crypt algorithm, producing the following hash:

$6$gerdDHWMpbdmHcbn$kWn5xbQuzkp9lsNWpNHusRVkjUOMKCghYd31IgBpxrzETWv6kmoPmHUdfiiJBSAM3x/czPqCeieJMyUHJlP/D1

Access to password hashes can be gained in various ways. Password hashes for user accounts within a web application are often stored in databases. If the database is compromised (perhaps due to a vulnerability within the web application), it is often possible to extract the hashes of the user accounts.

Within Windows domain environments, the Active Directory data (including domain usernames and password hashes) is stored in a database file (NTDS.dit). Similarly, the SAM (Security Account Manager) registry hive is a database file in Windows that stores local user password hashes.

Here is how a malicious user may use extracted password hashes to obtain valid user credentials. In this example we use NTLM hashes that have been recovered from a Windows system. The following output shows the results from a common credential gathering tool, Mimikatz, where we can see the username (charlotte) and the NTLM password hash identified:

Authentication Id : 0 ; 102597 (00000000:000190c5)
Session : Interactive from 1
User Name : charlotte
Domain : MSEDGEWIN10
Logon Server : MSEDGEWIN10
Logon Time : 5/31/2019 1:01:05 AM
SID : S-1-5-21-3859058339-3768143778-240673529-1000
msv :
[00000003] Primary
* Username : charlotte
* Domain : MSEDGEWIN10
* NTLM : 7b5e40a5b7b17972ad793b9fc868a66e
* SHA1 : 6076b8f4d982b55097f910b3fb5a81c801954406
tspkg :
wdigest :
* Username : charlotte
* Domain : MSEDGEWIN10
* Password : (null)
kerberos :
* Username : charlotte
* Domain : MSEDGEWIN10
* Password : (null)
ssp :
credman :

The following output shows Hashcat at work, solving the NTLM hash to an 8-character alphanumeric password in less than three minutes:

kali@kali# hashcat /tmp/hash -m 1000 -a3 ?l?l?l?l?l?l?d?d

hashcat (v5.1.0) starting...

OpenCL Platform #1: The pocl project
====================================
* Device #1: pthread-Intel(R) Core(TM) i7-3537U CPU @ 2.00GHz, 2048/5809 MB allocatable, 4MCU

7b5e40a5b7b17972ad793b9fc868a66e:nchfyr56

Session..........: hashcat
Status...........: Cracked
Hash.Type........: NTLM
Hash.Target......: 7b5e40a5b7b17972ad793b9fc868a66e
Time.Started.....: Fri Aug 31 21:48:25 2019 (2 mins, 50 secs)
Time.Estimated...: Fri Aug 31 21:51:15 2019 (0 secs)
Guess.Mask.......: ?l?l?l?l?l?l?d?d [8]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 35719.8 kH/s (7.23ms) @ Accel:512 Loops:128 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts

While this password cracking exercise relied on brute force, there are several techniques that can be employed to crack passwords offline.

Approaches to offline password cracking

Dictionary attacks – This process involves utilising wordlists that contain commonly used and leaked passwords from previous breaches. These wordlists are then used with a hash cracking tool like Hashcat. Hashcat sequentially selects a word from the wordlist, hashes it using the same algorithm, and compares the result to the target hash. This continues until a match is found or the end of the wordlist is reached.

It is possible to further customise a wordlist to suit a specific target. For example, if targeting a particular individual’s account, we can gather information about them using open-source intelligence (OSINT), such as reviewing their social media profiles to understand their interests and personal life. This information can be added to the wordlist, including family names, pets, hobbies or anything else meaningful to the target.

Similarly, when targeting organisations or businesses, it’s important to conduct thorough research. During most password security audits, our experience shows us that a large percentage of users will include something related to the company as part of their password.

Brute Force Attacks – A brute force attack systematically tries every possible combination of characters to crack a password. In theory, any password can be cracked given sufficient time and computational power using this method. Determining the minimum and maximum password length can help optimize the cracking process by excluding excessively short or long passwords. Additionally, providing information about enforced complexity in password policies can significantly reduce the time required to crack passwords.

Rainbow Table Attacks – A rainbow table is a precomputed table that caches the outputs of a cryptographic hash function. Using rainbow tables can accelerate password cracking, since the cracking tool no longer needs to compute the hash of each candidate itself; it has already been precomputed. Nevertheless, rainbow tables require significant storage space, which becomes a major limitation when populating them to defeat complex passwords (12 or more characters with mixed character sets). In a rainbow table attack, the compromised hash is looked up in the rainbow table, and if a match is found the tool outputs the clear-text password. Salting (combining a unique random value with each password before hashing, as the SHA512-crypt example above does) defeats precomputed tables, because a separate table would be needed for every salt value.

Strengths and weaknesses of common algorithms

There is a variety of hashing algorithms with differing levels of strength. Among these, MD5 is widely recognised as a weak hash due to its documented vulnerabilities and lack of cryptographic security. In contrast, SHA-512 remains highly regarded for its robustness. However, challenges persist in hashing cryptography, including the occurrence of hash collisions. A hash collision arises when two different inputs produce the same hash; for a strong algorithm the probability of this is negligible, but weaker algorithms (such as MD5 and SHA-1) have demonstrated practical vulnerabilities in this area.

Older Windows systems used the LAN Manager (LM) algorithm, which is a notably weak hashing method. The LM algorithm imposes restrictions such as a maximum password length of 14 characters and the conversion of all passwords to uppercase, and it splits the 14-character (padded) password into two 7-character halves that are hashed separately. Notably, if the password is 7 characters or less, the second half is empty and therefore always produces the same hash value.

Computational power

The speed of offline password cracking depends on hardware. Cracking tools can be run on your CPU (Central Processing Unit), however the speed is limited by the number of cores available.

Alternatively, certain tools like Hashcat allow you to harness the power of your GPU (Graphics Processing Unit). The GPU architecture uses many smaller cores that operate in parallel to complete high volumes of simple calculations concurrently. This is much better suited to password cracking than a CPU, which is designed for fewer, more complex workloads. Malicious actors can invest in many high-powered GPUs running concurrently, providing a substantial amount of computational power with which to perform offline attacks.
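As an added example (not code from the article), the following Python turns the brute-force and hardware points above into numbers: it expands a hashcat-style mask into its keyspace and estimates the worst-case time at a given rate, using the mask and the Speed.#1 figure from the Hashcat output earlier, and for comparison the 12-character mixed-character-set passwords mentioned in the rainbow table section. The character-set sizes are hashcat's built-in ones; the rate and mask are the ones printed on this page.

```python
# Character-set sizes of hashcat's built-in placeholders: ?l lowercase, ?u uppercase,
# ?d digits, ?s the 33 printable symbols, ?a all 95 printable ASCII characters.
MASK_SETS = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def mask_keyspace(mask):
    """Number of candidates a mask such as '?l?l?l?l?l?l?d?d' expands to.
    Literal characters count as a single choice; '??' is a literal '?'."""
    total = 1
    i = 0
    while i < len(mask):
        if mask[i] == "?":
            if i + 1 >= len(mask):
                raise ValueError("dangling '?' in mask")
            code = mask[i + 1]
            if code != "?":
                total *= MASK_SETS[code]      # KeyError for an unknown placeholder
            i += 2
        else:
            i += 1
    return total

def worst_case_seconds(mask, rate_hps):
    """Time to try every candidate of the mask at `rate_hps` hashes per second."""
    return mask_keyspace(mask) / rate_hps

def worst_case_years(mask, rate_hps):
    return worst_case_seconds(mask, rate_hps) / SECONDS_PER_YEAR

def fraction_searched(mask, rate_hps, elapsed_s):
    """Share of the keyspace covered after `elapsed_s` seconds (capped at 1.0)."""
    return min(1.0, rate_hps * elapsed_s / mask_keyspace(mask))

if __name__ == "__main__":
    rate = 35_719.8 * 1000           # Speed.#1 from the article: 35719.8 kH/s
    mask = "?l?l?l?l?l?l?d?d"        # the mask used in the article's Hashcat run
    print(f"{mask}: {mask_keyspace(mask):,} candidates, "
          f"worst case {worst_case_seconds(mask, rate) / 60:.1f} min")
    # The article's run finished after 2 min 50 s, i.e. the password was found
    # well before the keyspace was exhausted.
    print(f"keyspace covered after 170 s: {fraction_searched(mask, rate, 170):.1%}")
    long_mask = "?a" * 12
    print(f"{long_mask}: {worst_case_years(long_mask, rate):.2e} years at the same rate")
```

The same arithmetic is what a defender uses to judge whether a password policy keeps the keyspace out of reach of the hardware described above.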

Password complexity

Password complexity is widely used to ensure the use of passwords that are resistant to online and offline attacks. The stronger the password, the harder it is to crack. These requirements can vary, however complex passwords are often thought to consist of:

  • Uppercase letters
  • Lowercase letters
  • Digits (0-9)
  • Non-alphanumeric characters (special characters): (~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/)
  • Sufficient length of at least 12 characters

It is common for users to select a base word, such as ‘donkey’, and to apply just enough changes to meet the complexity requirements. For example, to meet the password complexity requirements above, a user might set their password to ‘Donkey1!’.

Password policies often require a user to change their password on a regular basis. Unless the administrator sets specific complexity rules, sequential passwords will often be used. For example, ‘Donkey1!’ will become ‘Donkey2!’.

Alongside a wordlist, rules can be configured to augment dictionary words during password cracking. As discussed in the previous section, there are many ways to augment a base word in order to meet password complexity requirements, for example:

  • hospital
  • Hospital
  • hospitaL
  • HoSpItAl
  • Hospital.
  • Hospital!
  • Hospital123
  • Hospital123.!
  • H0sp1t4l123.!

If we look at the last augmentation, “H0sp1t4l123.!”, this would meet most complexity requirements. However, password cracking tools would successfully crack this value using a dictionary attack with rulesets.
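As an added example (not code from the article), the following Python applies the augmentation logic above in reverse as a password audit: it strips a digit/symbol prefix or suffix, lowercases, undoes the common character substitutions, and checks whether a dictionary base word remains, alongside the sequence and suffix advice given later on this page. The wordlist is a constructed stand-in for a real dictionary file, and the substitution table is the one assumed for this example.

```python
import itertools
import re

# Constructed mini-wordlist standing in for a real dictionary file such as rockyou.
WORDLIST = {"donkey", "hospital", "password", "summer", "welcome"}

# Substitutions that mangling rules apply to a base word; reading them backwards
# recovers the base. '1' is ambiguous (it may stand for 'i' or 'l').
UNLEET = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}

# Number sequences the article advises against, and the two most common suffixes.
SEQUENCES = re.compile(r"123|321|987")
COMMON_SUFFIXES = (".", "!")

def candidate_bases(password, max_variants=256):
    """Yield plausible base words hidden in `password`: strip the non-letter
    prefix/suffix, lowercase, then undo leet substitutions (bounded fan-out)."""
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", password).lower() or password.lower()
    choices = [UNLEET.get(ch, ch) for ch in core]
    for n, combo in enumerate(itertools.product(*choices)):
        if n >= max_variants:
            break
        yield "".join(combo)

def audit_password(password, wordlist=WORDLIST, min_length=12):
    """Return the weaknesses found; an empty list means none of these checks fired."""
    findings = []
    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")
    for base in candidate_bases(password):
        if base in wordlist:
            findings.append(f"dictionary word '{base}' with mangling rules")
            break
    if SEQUENCES.search(password):
        findings.append("common number sequence")
    if password.endswith(COMMON_SUFFIXES):
        findings.append("ends with full stop or exclamation mark")
    return findings

if __name__ == "__main__":
    for pw in ("Donkey2!", "H0sp1t4l123.!", "granite-kettle-lantern-river"):
        print(f"{pw!r}: {audit_password(pw) or 'no findings'}")
```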

How Secure is Your Password?

In the digital age, social media serves as a treasure trove of information, often revealing more than intended. While privacy settings may shield personal profiles, indirect access through family and friends remains a common technique for information gathering. A profile picture or ‘About Me’ page can yield a wealth of details, laying the groundwork for password exploitation.

Consider the ramifications: partner and family information, attended schools, even details about beloved pets—all potentially used as security questions or passwords. Even with stringent privacy controls, the risk persists, underscoring the importance of robust password practices.

In certain circumstances, the need to crack a password may be avoided altogether by locking the account and initiating account recovery. When setting up an account, users are often prompted to set secret questions and answers. However, if these questions are based on easily accessible personal information, they may provide a gateway for malicious actors.

When crafting passwords, aim to make them as long as possible – 20 characters or so. Use three or more base words to make a “passphrase” rather than a “password”. Don’t use words you can see from your workstation, such as “chair” or “desk”, or any words that others may closely associate with you. Then add complexity by incorporating symbols and numbers where they are needed. Avoid using full stops and exclamation marks, as these are the most common. Finally, avoid sequences of numbers – 123, 321, 987.

Passwords play a large role in keeping our data secure. A breach can spell the end of a company if it is serious enough. We have the resources and tools available to increase our security by protecting our accounts, however this is becoming increasingly difficult with an ever-increasing number of online services to keep track of. Password managers can help you securely store all of your credentials, and many will help you generate complex passwords to further increase the security of your accounts.

Hopefully we have helped you to build an advanced understanding of password attacks and common countermeasures, which may help you to choose strong passwords and implement better password controls in future. For businesses who need more guidance on password security, get in touch to find out how we can help.
