Password Cracking 101
Cracking passwords is both easier and more complex than most people think. In this post, I’ll be going over password cracking at a very basic (and hopefully easily understandable) level, to hopefully make our previous posts on password security more clear.
First off, what does it mean to “crack” a password? Any website, computer, or system that is doing even the bare minimum in terms of security will never store a password in plaintext (that is, in readable, unprotected form). Instead, it uses a mathematical process called “hashing”, which turns the password into a seemingly random string. This works precisely because the output is not actually random: the same password sent through the same algorithm produces the same hash every time. For example, if we take our password from the previous password post, “AD@rkc3llard00r”, and put it through the common hash algorithm SHA1, this is the result:
183e0865013c7c0907f5dcc450d476cc01dc59a9
Now, if we change even one letter, let’s say just the first capital A to a lowercase a (aD@rkc3llard00r), we get this:
f45c863226ade8b5fb4b44bfb4939ceb7a3016b1
Not even close, right? That’s the whole idea. As I said previously, password cracking doesn’t work like in the movies, where you figure out the first character, then the next, and so on, until the whole password is revealed. You have to match the entire password exactly for the “crack” to work. For a great, quick video that explains hashing a bit more and why websites like Facebook or Google don’t know what your password is, check out this YouTube video by Computerphile: https://youtu.be/yoMOAIzBSpY
The good thing for hackers, and the bad thing for many users, is that users typically don’t have very complex passwords. The most common passwords, according to research done by a user called berzerk0, are pretty awful:
- 123456
- password
- 12345678
- 123456789
- 123123
- 12345
- 1234567
- 111111
- qwerty
- computer
In fact, berzerk0 compiled an amazingly extensive collection of not only commonly used passwords, but passwords sorted by probability. One of his lists, for example, is the top 2 billion passwords that have appeared in various data breaches over recent years, each appearing at least twice. You can check out his work on his GitHub page: https://github.com/berzerk0/Probable-Wordlists
Hackers and researchers alike use wordlists like this in what’s known as a “dictionary attack”, where a program goes through every line in the list, generates the hash of that word, and compares it to the hash of the password they’re trying to crack. If the hashes match, you know you have the right password. But what if you don’t have a wordlist, or the dictionary attack didn’t work? Then you can do what’s called a “brute-force attack”. Brute-force attacks are slower because they literally go through the entire keyspace, one candidate at a time. For example, if you tell the program to start with 7 characters, it will start with “aaaaaaa”, then go to “aaaaaab”, then “aaaaaac”, and so on, until it has tried every possible combination of characters (letters, numbers, and symbols) in a 7-character string. Then it moves on to 8 characters and does the same. Then 9, and so on. It may be slower, but it’s not as slow as you’d think.
Using a higher-end graphics card that you’d find in a gaming PC, like an NVIDIA GTX 1080, you can go through the entire keyspace for an 8-character password in a common hash like SHA1 in well under an hour. Now consider that many researchers and attackers have computers with 4 or more NVIDIA GTX 1080s all working in parallel, which reduces the time to seconds. Some people or groups even have systems with 8 of these high-end cards, and setups like this are more common than you may think. In fact, you can get your hands on one for a mere $21,169 (https://sagitta.pw/hardware/gpu-compute-nodes/brutalis/). Graphics cards, or GPUs, are insanely good at math; that’s their whole job, after all. They aren’t encumbered by having to do other tasks the way the main CPU is, so a GPU can focus all of its processing power on just that.
Any time there’s a large data breach that contains passwords, all of those hashes are fed into computers like this and the cracking begins. Passwords like “password”, “Giants87”, “letmein”, or “Superman90” are cracked basically instantly. More complex passwords take a little longer, but not much. Once you get into really long passphrases of 20 or more characters, cracking slows down dramatically. In most cases the hackers have moved on to pick off easier targets by then, and honestly that’s the whole idea. If your passwords take much longer to crack, the attacker will either move on entirely or it will take them long enough that you have a chance to change your password. That’s why length, not complexity, is the most important factor in creating passwords. Adding complexity on top, if you’re still able to remember it, is just icing on the cake. It’ll help, but if you have a 25+ character passphrase, you’ve already won the battle.
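To make the three ideas above concrete (a one-letter change scrambling the whole hash, the dictionary loop that hashes and compares, and why length beats complexity), here is a small added Python example that is not part of the original post. The hash rate and the mini wordlist are constructed assumptions, not measured figures.

```python
import hashlib
import math
import string

# Constructed figure for the arithmetic only; real GPU rates vary by card and hash.
ASSUMED_HASHES_PER_SECOND = 1e10


def sha1_hex(password: str) -> str:
    """Hash a password with unsalted SHA-1, as in the post's two examples."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Count how many of the 160 bits differ between two SHA-1 digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def dictionary_lookup(target_hex: str, wordlist):
    """The whole 'dictionary attack' loop: hash each candidate, compare, stop on a match."""
    for word in wordlist:
        if sha1_hex(word) == target_hex:
            return word
    return None


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates a brute-force run must try at one fixed length."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int,
                       rate: float = ASSUMED_HASHES_PER_SECOND) -> float:
    """Worst-case time to try every candidate of that length at the given rate."""
    return keyspace(alphabet_size, length) / rate


if __name__ == "__main__":
    # Constructed mini wordlist modelled on the post's top-ten list.
    common = ["123456", "password", "12345678", "qwerty", "computer"]
    print("recovered:", dictionary_lookup(sha1_hex("qwerty"), common))

    a, b = sha1_hex("AD@rkc3llard00r"), sha1_hex("aD@rkc3llard00r")
    print(f"one-letter change flips {differing_bits(a, b)} of 160 bits")

    full = len(string.ascii_letters + string.digits + string.punctuation)  # 94 symbols
    for label, alpha, n in [("8 chars, full keyboard", full, 8),
                            ("20 chars, lowercase only", 26, 20)]:
        days = seconds_to_exhaust(alpha, n) / 86400
        print(f"{label}: ~{days:,.1f} days to exhaust")
```

Roughly half the digest bits flip for a one-letter change, and the lowercase-only 20-character keyspace is about 10^12 times larger than the full-keyboard 8-character one, which is the post's length-over-complexity point in numbers.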