A Brief Guide to Hacking The Passwords

Most people think that having a password and user ID is enough security for their valuable information. The reality is that passwords can only do so much from a security standpoint. Malicious hackers are always finding new ways to crack passwords and gain access to systems and networks.

A user may assume that the password they are using is known only to them, but one can never be sure. Sometimes it is necessary to have another person having a password just for security reasons. However, most often a secondary party may be privy to a password without the owner being aware.

Passwords give people a false sense of security, and knowing a password never means that you are authorized to use it. Password vulnerabilities come in two classes:

Organizational/User Vulnerabilities

This class of vulnerabilities includes lack of any password policies or poor enforcement of existing policies. People tend to desire a convenient lifestyle where they do not have to cram or remember numerous different passwords. If the passwords become too many or are too complex, people tend to make some elementary mistakes, which give malicious hackers an easy time.

If you take into consideration the numbers 0 to 9 and the 26 letters of the alphabet, it is possible to create around three trillion password combinations, each with eight characters. Yet the majority of people tend to make passwords that are weak, just because they are easy to remember. Some of the passwords that most people choose to protect their data are downright silly. For example, password, 12345678, abcdefgh, or even no password whatsoever!

As a hacker, some of the things that make it easy to hack a person’s password include:

  • A password that is easy to guess.
  • A password that is rarely changed.
  • Use of the same passwords over and over again for different accounts and across multiple systems.
  • A password that is written down and stored in an unsecured place. This is especially true for passwords that are complex and hard to remember.

Technical Password Vulnerabilities

Once a hacker has been able to exploit the organizational vulnerabilities, they will then move on to taking advantage of the technical ones. For example:

  • Weak encryption schemes — Most software developers and vendors tend to put too much confidence in their products. They assume that passwords remain secure if the source codes of their encryption algorithms are a secret. This is simply not true. Any hacker who has patience and tenacity can quickly hack a password. Once the source code has been cracked, hackers tend to share it online, thus making it available to the public. There are also tools that can crack any weak encryptions, as long as your computer has adequate computing power.
  • Unsecured programs and databases that are used to store a cache of passwords.
  • Databases that are unencrypted and give access to a large group of people, some of whom don’t have the right to such information.
  • Applications that do not hide a password as the user is typing it on screen.

There are thousands of password vulnerabilities that a hacker can take advantage of. Go to the National Vulnerability Database to discover more vulnerability that can be exploited.

Technical Tools for Cracking Passwords

When it comes to cracking passwords, there is the traditional way and then there is the high-tech way. There are several very effective tools that hackers love to use to crack passwords. They include:

  • Brutus — for cracking logins for FTP, HTTP, and so on.
  • Cain and Abel — for cracking hashes, Windows and VNC passwords, and much more.
  • Elcomsoft System Recovery — for cracking or resetting Windows administrative rights and user passwords using a bootable CD.
  • Elcomsoft Distributed Password Recovery — For cracking Adobe, MS Office, Windows, iTunes, and other types of passwords using thousands of networked computers at the same time. It enables faster cracking by using GPU video acceleration tool.
  • Ophcrack — for cracking Windows passwords using rainbow tables.
  • John the Ripper — for cracking hashed Windows, and LINUX/UNIX passwords. This cracking program first adopts a dictionary style of attack, followed by an exhaustive brute force attack. It is one of the most popular password-cracking programs available.
  • Proactive Password Auditor — for running rainbow, dictionary, and brute force cracks against NTLM and LM password hashes.

These are just a few examples of some of the tools that hackers can use to crack passwords of all types and in different systems. It is important to understand how such password cracking programs work, and that would be very difficult unless you also understood how password encryption takes place.

Password encryption takes place when a password is stored in a system using a one-way hash or encryption algorithm. The hashed password then appears as a fixed-length encrypted string. In theory, all hashed passwords are supposed to be irreversible and thus untraceable.

Moreover, particular passwords like those used in LINUX are assigned a random value known as a Salt to generate some measure of randomness. This is what prevents two different people who use the same password from having the same hashing value for their passwords.

You may also read:

What a password-cracking tool does is it takes a group of passwords that are well known, runs them through a hashing algorithm, and generates encrypted hashes. These encrypted hashes are then compared to the original password hashes that are extracted from the database of the system being hacked.

This comparison takes place at a super-fast speed, and when the newly generated hash matches the original hash from the database, its game over. The password is considered cracked.

You may come across some passwords that are very strong, but sooner or later, the password-cracking utilities will crack it. The only way to keep out malicious hackers from a system is to know how to use the same tools they do to find weaknesses and fix them.

Salting

Salting is the process of adding pieces of information (the “salt”) to a password prior to hashing it. This makes the password harder to guess using a basic cracking algorithm since the password is no longer in form of plain simple words.

For example, a user may create a password out of the hundreds of thousands of English words in a dictionary. After encryption, a random 32-bit salt is added to the original password. This makes a hacker’s pre-calculated hashes totally useless.

A hacker will now have to calculate the hash for every word and also calculate the correct salt from 4,294,967,296 possibilities. A hacker will now have to contend with possible inputs of about 800 trillion hashes! Yes, the password that the user created may be simple, but the addition of salt can make hacking it way more difficult. It must still be noted that salting only hinders cracking utilities that rely on hashes.

If a cracking program relies on rapid input, such as brute-force or a dictionary attack, salting won’t be as effective.

Cracking Passwords

When it comes to cracking passwords using software, one of the first things you have to note is that passwords are never stored as plain text. This would be too easy a target and wouldn’t provide the necessary security. For this reason, a one-way hash function is applied. The most popular one-way function is based on DES and is known as crypt().

A salt value is normally added to the hash value in order to make the algorithm more complex, and thus more secure from hackers. Every hash value, including its salt value, is stored in a password file under the assumption that even if a hacker were to steal the file, they wouldn’t be able to understand the hashes.

When a genuine user wants to log into their account, they have to fill in their password. In order for their password to be authenticated, their password hash and the hash value previously stored on file must be matched.

During this authentication process, the original salt value is extracted from the file, appended to whatever the user has typed in, and the whole string is sent through the one-way hash function, If the user inputs the correct password, the hashing function will generate an output that matches what was stored in the password file. This entire process is done without having to store a password in plain text.

Methods of cracking passwords

There are a number of ways to crack passwords. Some of them are old-fashioned yet surprisingly still effective. Then there are more advanced techniques that involve the use of computer programs.

  1. Guessing

This may seem a bit old-school and ineffective, but you would be surprised at just how effective it may be. There may be hundreds of advanced techniques, algorithms, and programs that can crack a password, but there are times when the simplest solution is all you need. Guessing involves using logic and attempting to use commonly used passwords to hack a system.

The majority of users tend to view passwords as annoying and cumbersome. It is very difficult to remember different passwords for all your accounts/websites, so most simply opt for the low-hanging fruit. They choose passwords that are easy to remember and, therefore, easy to guess. Some of the most common passwords include:

The word “password” itself.

  • The user’s real name.
  • The person’s username/ID.
  • The name of a family member.
  • Favorite food, color, holiday location.
  • The name of pets.
  • Birth dates.

The guessing method can sometimes be faster and more effective if the hacker knows the victim very well, or can get access to a lot of their personal information.

Another thing to remember when hacking a password is that most people use one password for multiple accounts. Therefore, if you can correctly guess one password you will have a great chance of using it to access other accounts.

  1. Social Engineering

One of the most obvious ways to get a password is to simply ask for it. People can be very trusting at times depending on the situation that is presented to them.

A hacker can call a user, pretend to be from the IT department, and inform them that they have a problem with their email system. The hacker then requests the user’s password in order to log in and help them fix the problem.

This kind of password-cracking method is made easier by the fact that the majority of companies list their employees and their contact details on their websites. Social media can also be a great way to glean information about employees of a company.

  1. Shoulder Surfing

This may seem too easy, but looking over a person’s shoulder as they type in a password can also work as a hack. For this method to work, the hacker must blend into the environment and be very close to the intended target. It involves either looking at the screen as they log in or monitoring their keyboard strokes.

If it is someone whom you work with in the office, simply walk up to him or her, ask them to log into their email or network, and watch as they type their password. You have to be discreet about this so that you don’t raise suspicion.

In some cases, a user may look around their desk for something that reminds them of their password. This could be an object or a picture. A strategically placed camera can be used for shoulder surfing, especially in public places like coffee shops.

  1. Dictionary Attacks

This is a method of hacking where you use a program that contains a list of words and tries to run the list through the victim’s interface until the password is cracked.

We know that it is mathematically impossible for a hash to be reversed. However, it is very much possible to create a list of plain-text dictionary words, hash them, use a salt value for each hash, and then perform a comparison with the hash function of the user’s password. If there is a match, the dictionary word that was used has to be the password.

Rudimentary password-cracking tools use a dictionary containing a list of common words. Tools that are more advanced tend to incorporate symbols and numbers into their dictionary words, usually at the start or the end of words.

There are also some dictionary attack programs that are able to take a user’s personal profile and select the most relevant words to use to crack the password. These can include surnames and names of family members.

One of the biggest weaknesses of a dictionary attack is that the words that are used to populate the list are obtained from the user/victim. This is the only way the program will work. If the victim is poor at spelling, creates a password in a different language, or uses words that aren’t in the dictionary, the attack will fail.

Examples of programs that can be used to launch a dictionary attack include Cain and Abel, LOphtCrack, and John the Ripper.

  1. Brute Force Attacks

An exhaustive brute force password attack is considered to be a method that a hacker falls back on when all else fails. It is an inefficient method that involves systematically trying every single possible combination of words from a dictionary. Though it may work eventually, it simply takes too long. Your kids may grow up and get married before it finally works.

It is primarily used to crack short passwords of about 6 characters or less. Anything above 7 characters, even with advanced hardware, would not be feasible.

A brute force attack also assumes that the hacker knows the number of characters in the password, as well as the case-sensitivity. For example, if the password in question had 7 alphabetical and capitalized characters only, the program would have to make 8,031,810,176 (26’) attempts.

For a crypt ( )-style password that uses only 8 characters, a hacker would have to contend with 95° possible input characters. In other words, you would have to guess the correct password from a possible 7 quadrillion combinations.

The more characters that a user adds to their password, the greater the number of possible passwords a hacker has to deal with. The growth is exponential.

If you use a computer that makes 10, 000 cracks every second, it would take you 22,875 years. Even if you were to get about 1000 computers to help you out, it would still take you an average of 22 years to crack the password.

On the other hand, if the possible passwords grow exponentially with every character that is added, then the opposite is also true. Reducing the number of characters from a password slashes the possible passwords exponentially.

You may also read:

For example, if you want to brute force a password with four characters only, and assuming you have a machine that performs 10,000 cracks per second, it would take you about two hours to do so. The password does not even have to comprise dictionary words, for example, g5T&. It will still be cracked very quickly.

One advantage of the brute force attack technique is that it ultimately will crack the password, regardless of how complex it is. The problem as said before, is that nobody can predict how long this will take.

Examples of cracking programs that apply the brute force method include Oracle, Rarcrack, and John the Ripper.

  1. Rainbow Tables

This mode of attack is pre-computed, unlike dictionary and brute force methods where a hacker has to enter a password into the user’s system and then compare it to the original password. When using rainbow tables, hashes are first computed for every word in a dictionary and are then stored in a hash table. The rainbow tables then retrieve the user’s hashed password from the system and compare it to the list of passwords in the hash table.

There are some assumptions that have to be made, namely that the hacker can retrieve the user’s hashed password, and that the algorithm used to hash the password is the same as the one used in the rainbow table. However, most low-security hashes tend to use SHA-1 and MD5, so use these algorithms for your rainbow tables.

The downside with this method is that the tables require a huge storage space on your hard drive. It is clear that different plaintext passwords will result in different hashed passwords containing different salts. This means that every salt would need its own table.

If a DES crypt ( ) function is being used, the number of salt values would be 4,096, thus making rainbow tables not feasible even with a 4-character password. This is no longer a big problem since memory is much cheaper nowadays, but the need for large storage space tends to discourage this method of cracking.

Examples of some programs that apply rainbow tables include Rainbow Crack and OphCrack.

  1. Password Probability Matrix

In technological circles, it is accepted that there will always be a trade-off between storage space and computational power. For example, mp3 files require very little storage space for the high-quality music file, but that simply increases the need for greater computational power.

Your regular calculator, on the other hand, requires very little computational power because it contains a pre-computed lookup table that stores functions.

A password probability matrix works by trying to find the perfect balance between power and space, in order to reduce the time that a brute force attack would take to crack a password. In other words, the time and the storage space required must be reasonable.

Unfortunately, you will still have to deal with salts. However, this problem can be mitigated by minimizing the amount of storage space required without compromising the space needed for the 4,096 possible salts in crypt () password hashes.

This method involves building a 3-D binary matrix that links portions of the plaintext values with portions of the hash values.

The downside to using a probability matrix is that it takes a very long time to create the matrix itself. In fact, this would take as much time as running a brute force attack. The salts would also still pose a problem for a hacker. How to use John the Ripper and pwdump3 to crack a password

John the Ripper is used when cracking hashed Windows and LINUX passwords, while pwdump3 is used to extract hashed passwords from a Security Accounts Manager database. It should be noted that you will require administrative access to make this work.

Password Policies

Ethical hackers who are hired to strengthen an organization’s information security must emphasize the importance of establishing stringent password policies.

This can be achieved by showing users methods of generating secure passwords. People tend to make passwords using single words, for example, monkey. However, a more secure strategy would be to use phrases, for example, bigredmonkey.

Another way is to show users the effects of sharing passwords with others or creating weak passwords. If people can literally see and understand what can happen after a hacker cracks their password, they will take the issue of password security more seriously. Finally, users must be made aware of social engineering attacks and how they take place.

These three tips can be enlarged to create an organizational password policy that will provide adequate information security. During this process, there are certain criteria that must be enforced:

  • Use of a combination of lower- and uppercase letters, numbers, symbols, and otherspecial characters. It is never a wise decision to use only letters or numbers alone. This makes it very easy for a malicious hacker.
  • Use misspelled words or acronyms.
  • Use punctuation marks to split words.
  • Keep changing passwords every six to 12 months. In case of a security breach, all passwords must be changed immediately.
  • Make sure that every account you have has its own unique password, especially for servers, routers, and firewalls. Using similar passwords isn’t wrong. What you have to do is slightly tweak one password for the different systems that you use. For example, use WindinTheWillows-76 for one account or system, and Yahoo89+ WindInTheWillows.
  • Vary your password lengths. Using passwords of variable length will make life difficult for hackers because they will be forced to attempt all password length combinations.
  • Avoid the use of colloquial or slang, as well as any dictionary words.
  • When you change your passwords, do not reuse the same old passwords you used in any of the previous five changes.
  • Avoid sharing passwords with other people. Most people tend to give out passwords to colleagues or friends who ask to use their computer. Do not reveal the password at any cost.
  • Apply a password to screensavers. An encrypted hard drive with an unlocked screen is a vulnerability that hackers can take advantage of.
  • Do not store passwords in an MS Office file that is unprotected. Always use a password manager program. There are also some more advanced ways to prevent passwords from being cracked:
  • Set up security auditing for monitoring password attacks.
  • Use advanced software like WinHex to check whether your system is saving passwords permanently in its memory.
  • Ensure that the systems being used are patched.
  • As an administrator, you should enable the account lockout feature that locks users out of the system if a password is entered incorrectly for a specific number of tries. If it is a genuine user who forgot their password, then they will have to inform the security administrator.
  • Establish stronger authentication measures like biometric, smart cards, or digital certificates.

Leave a Reply