
Password Cracking 101

When you log in to your computer, you must enter two pieces of information: username and password. Together, these two pieces of information authenticate you. Your username tells the computer who you are, and your password proves to the computer who you are – because only you would know the password.

In order for the computer to know that you entered the correct password, it has to compare it to something – a stored copy of your password. However, simply storing your password on your hard drive or in memory would be a dangerous thing; any user or program could potentially read it and steal it. Therefore, passwords are usually not stored in plaintext; rather, a password is hashed and its hash is stored on a hard drive or in memory.

A hash is the output of a one-way cryptographic function: the same input always yields the same output (an input of ‘A’ always produces ‘B’), but the output cannot be turned back into the input. When you enter a password, it is hashed and the newly generated hash is compared to the stored hash. If the two match, you are authenticated.

Many types of hashing algorithms exist; some of the more common ones are MD5, SHA1, SHA256, and SHA512.

Here’s an example of a SHA1 hash and the corresponding password:
70ccd9007338d6d81dd3b6271621b9cf9a97ea00:Password1

All hashes of a given type are the same length. For example:

70ccd9007338d6d81dd3b6271621b9cf9a97ea00:Password1
77c3b049c875bf848328939583f2ad29cb5c01a4:wateva
31ad300bdae5e974505fe38472fe855853b79201:martin1
ef1a87d6fc7d9be2b651634de76ebcc46a74a8b8:kingston
fa4a9554600ca3da6732aa82e6fa0c9abe8a27ae:dustin1
f90ecb2cdd602cfe77ff30f39182a9fbebbd61b4:stefanie
ef65de1c7be0aa837fe7b25ba9a7739905af6a55:herbert
99ecb3e5e3396fdf87b5faa63880195b355e6cf5:felicity
fefe6ebb4ff26e9729b6363069f200ad17c2ca84:dracula
c9be014f81aeb389b4616f87ace64399a7381a3e:basket
a812ce795d364414bdede8f17e50cd33a7190f8c:sunset
515dd919689cf68643e573f27d47aef3897e66a3:hummer

Because a hash is produced by a one-way algorithm, it is technically impossible to “unencrypt” it: you cannot derive a password by running its hash through the hashing algorithm in reverse. To determine the password behind a given hash, you must hash candidate inputs and check whether the output equals the hash you are attempting to crack. The chance that any given input yields the desired hash is incredibly small (and varies depending on the hashing algorithm).

Password Cracking Methods

Several methods of password cracking exist. These include:

  • Brute Force
  • Mask Attack
  • Dictionary Attack
  • Hybrid Attack
  • Rainbow Tables

Brute Force

A brute force attack is the surest way to crack any password. However, by the time it succeeds, the universe may have come to an end.

This attack starts with the specified length(s) of characters and iterates through every possible combination; for three lowercase letters, for example:

aaa
aab
aac
...
zzx
zzy
zzz

Passwords of up to 8 characters in length could be cracked in a day. Beyond that, however, the time to crack quickly grows from weeks to millions of years.

Mask Attack

A mask attack is a more targeted version of a brute force attack. With a mask attack, you specify which types of characters to try in which positions. For example, the most common order in which character types appear in commonly used passwords is Uppercase, Lowercase, Digits, then Special Characters, as in “Password1!”. Using this knowledge of how humans create passwords, longer passwords can sometimes be cracked with this more targeted approach.

Dictionary Attack

A dictionary attack hashes each word in a pre-defined word list to see if the resulting hash matches the hash of the password to be cracked. While dictionary words are sometimes used as passwords, a “dictionary attack” is not limited to dictionary words. Often, lists of leaked passwords are used to crack an unknown password, on the assumption that if one person used a particular password, someone else probably thought of it as well. This type of attack is typically the fastest; a wordlist of several million words can be processed in seconds.

Hybrid Attack

A hybrid attack combines a traditional dictionary attack with a brute force or mask attack. Each word in the word list has additional characters prepended or appended to it before it is hashed. For example, “baseball” may become “@baseball” or “baseball2”. This is advantageous because it simply modifies known patterns from a wordlist, increasing the odds of a successful crack over pure brute force or dictionary attacks. This type of attack is typically faster than brute force but slower than a dictionary attack, as multiple variations of each word must be attempted.
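As an added example (not code from the original post), the following Python puts the hash-and-compare login check and the brute force, mask, dictionary and hybrid methods described above into working code against constructed SHA1 targets; the mask tokens ?u ?l ?d ?s and the prefix/suffix sets are assumptions chosen for illustration.

```python
import hashlib
import hmac
import string
from typing import Iterable, Optional

def sha1_hex(password: str) -> str:
    """Unsalted SHA1 of a password, the hash type in the page's examples."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def verify(candidate: str, stored_hash: str) -> bool:
    """The login check from the text: hash what was typed and compare it to
    the stored hash. compare_digest avoids leaking timing information."""
    return hmac.compare_digest(sha1_hex(candidate), stored_hash)

def dictionary_attack(target: str, wordlist: Iterable[str]) -> Optional[str]:
    """Hash each word in turn; return the first one whose hash equals target."""
    for word in wordlist:
        if verify(word, target):
            return word
    return None

def hybrid_candidates(word, prefixes=("", "@"), suffixes=("", "1", "2", "!")):
    """Hybrid variants of one word: characters prepended and/or appended,
    e.g. 'baseball' -> '@baseball', 'baseball2' (sets are assumptions)."""
    for prefix in prefixes:
        for suffix in suffixes:
            yield prefix + word + suffix

def hybrid_attack(target: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack in which every word is expanded into its hybrid variants."""
    for word in wordlist:
        for candidate in hybrid_candidates(word):
            if verify(candidate, target):
                return candidate
    return None

def brute_force_keyspace(charset_size: int, length: int) -> int:
    """Candidates tried when exhausting every string of exactly `length` chars;
    the page's aaa..zzz listing is 26**3 = 17576 of them."""
    return charset_size ** length

def mask_keyspace(mask: str) -> int:
    """Candidates for a mask of ?u (upper), ?l (lower), ?d (digit) and ?s (the 32
    ASCII punctuation characters) tokens, one token per position."""
    sizes = {"u": 26, "l": 26, "d": 10, "s": len(string.punctuation)}
    total = 1
    for token in mask.split("?")[1:]:  # "?u?l?d" -> ["u", "l", "d"]
        total *= sizes[token]          # unknown token raises KeyError
    return total
```

Comparing mask_keyspace("?u?l?l?l?l?l?l?l?d?s") (the shape of “Password1!”) with brute_force_keyspace(95, 10) shows the mask searching several orders of magnitude fewer candidates than a full printable-ASCII brute force of the same length.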

Rainbow Tables

Rainbow table attacks use databases of precomputed hashes to accelerate the cracking process. While this type of attack can be much faster than brute force, this comes at a cost of storage space. A rainbow table may be many gigabytes or even several terabytes in size.

Tools that perform rainbow table attacks include Ophcrack and RainbowCrack.

Practice

If you want to practice password cracking, you’ll need two things: Tools and Hashes.

Tools:

Hashes:
