What is Password Cracking and How Does it Work?

Password cracking is the process of recovering the plaintext password from a cryptographic hash or encrypted password, often through the use of tools such as Hashcat, John the Ripper, or rainbow tables. Penetration testers often use password cracking techniques during security assessments to perform privilege escalation or lateral movement.

Common Password Cracking Techniques

  1. Brute Force Attack: This method involves trying every possible combination of characters until the correct password is found. Whilst this can be effective, it can be time-consuming and computationally expensive, especially for longer or more complex passwords.
  2. Dictionary Attack: This technique uses a pre-defined list of common passwords or phrases to attempt to crack the password. This method is often faster than brute force attacks, but it relies on the password being present in the dictionary.
  3. Rainbow Table Attack: This method uses pre-computed tables of hash values for common passwords. By comparing the hash of the target password to the values in the rainbow table, an attacker can quickly determine the plaintext password. However, this method is less effective against passwords that use strong hashing algorithms or salting techniques.
  4. Hybrid Attack: Also referred to as a mutation attack, this technique combines elements of both brute force and dictionary attacks. It may involve using a dictionary of common passwords and then applying variations, such as adding numbers or special characters, to increase the chances of success.

Cracking a Password

When a password is created it is typically stored in a non-reversible format (i.e. a cryptographic hash) rather than in plain text or an encrypted (reversible) format. There is usually no genuine reason for a system or application to have access to the original plaintext password, and instead it only needs to verify that the user has entered the correct password via comparison operations.

What this means is that when a user attempts to log in, they provide their password (along with other authentication credentials) to the system, which would then hash the provided password using the same hashing algorithm and compare it to the stored hash. If the hashes match, the user is authenticated.

If a malicious actor is able to obtain a hashed password (for example, via a data breach or by gaining access to a system), they can attempt to crack the password by using one of the techniques mentioned above. By generating hashes for different combinations of characters and comparing them to the stolen hash, they can eventually determine the original plaintext password.

How Password Cracking Works

Take the password WeakPassword1 as an example: when converted to a hash with the MD5 algorithm, this becomes the string 4b40b5569f818451f0b8d4c028ab7cc6.

An attacker may have a list of common words and phrases that includes ‘weak’ and ‘password’. With a dictionary attack, if the password were simply password, it would be found immediately. The attacker would then know the plaintext password and be able to use it to gain access to the account (assuming no other controls are in place).

However, with the hybrid attack the attacker may try various combinations of these words by combining the dictionary words together and mutating them with prefixes and suffixes to generate passwords such as WeakPassword, WeakPassword!, or WeakPassword1. By generating the corresponding hashes for each combination and comparing them to the stolen hash, the attacker would eventually find a match with WeakPassword1 and be able to determine the original plaintext password.

Modern password cracking tools, such as Hashcat, can leverage the power of GPUs to perform millions of hash generations per second. Because of this, rule-based attacks (i.e. hybrid attacks) are often the most effective way to crack passwords. These ‘rules’ can be tailored or customised to suit the target environment, for example by including common phrases or patterns that are relevant to the organisation or user base.

Brute-force attacks compare the hash of every possible plaintext “guess” against the target hash. For example, if a brute-force attempt used only alphanumeric characters against an 8-character password, the cracking tool might start with aaaaaaaa, then aaaaaaab, and so on, incrementing the string until the pool of available characters and combinations is exhausted or the matching password is found.
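The dictionary, hybrid and brute-force approaches described above, written out as an added example that is not part of the original article. It is framed as an audit of a constructed, legacy-style user table that stored unsalted MD5 hashes: every hash, wordlist entry and suffix rule here is made up for the example (the hashes are derived from the sample plaintexts so the result is self-checking), and a tool such as Hashcat would use far larger wordlists and rule files. The point it demonstrates is why unsalted fast hashes are cheap to audit: each candidate is hashed once and looked up against every account at the same time.

```python
import hashlib
import itertools
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

# Constructed sample data (not from any real breach): a legacy user table that
# stored unsalted MD5 hashes. Derived here from known plaintexts for self-checking.
SAMPLE_PLAINTEXTS = {
    "alice": "password",        # found directly in the wordlist
    "bob": "WeakPassword1",     # two wordlist words, capitalised, plus a suffix
    "carol": "Summer2023!",     # one word plus a year/symbol suffix
    "dave": "x7#Lq9!vTm2z",     # random; no wordlist-derived candidate matches
}
SAMPLE_HASHES = {u: hashlib.md5(p.encode()).hexdigest() for u, p in SAMPLE_PLAINTEXTS.items()}

# Tiny wordlist and suffix rule set, standing in for real lists and rule files.
WORDLIST = ["password", "weak", "summer", "welcome"]
SUFFIXES = ["", "1", "!", "1!", "2023", "2023!"]


def case_variants(word: str) -> List[str]:
    """lowercase, Capitalised and UPPERCASE forms of a word, deduplicated, in order."""
    return list(dict.fromkeys([word.lower(), word.capitalize(), word.upper()]))


def hybrid_candidates(words: Iterable[str], suffixes: Iterable[str]) -> Iterator[str]:
    """Hybrid (mutation) candidates: single words and two-word joins, in every
    case variant, with each suffix appended. Each candidate is yielded once."""
    forms = [case_variants(w) for w in words]
    bases: List[str] = [v for f in forms for v in f]
    for i, j in itertools.permutations(range(len(forms)), 2):
        bases.extend(x + y for x in forms[i] for y in forms[j])
    seen = set()
    for base in bases:
        for suffix in suffixes:
            candidate = base + suffix
            if candidate not in seen:
                seen.add(candidate)
                yield candidate


def audit_md5_hashes(hashes: Dict[str, str], words: Iterable[str],
                     suffixes: Iterable[str]) -> Dict[str, str]:
    """Return {username: recovered_password} for every account whose unsalted
    MD5 hash equals the hash of some hybrid candidate. One hash per candidate
    covers all accounts at once because nothing per-user (a salt) is mixed in."""
    by_hash: Dict[str, List[str]] = {}
    for user, h in hashes.items():
        by_hash.setdefault(h.lower(), []).append(user)
    weak: Dict[str, str] = {}
    for candidate in hybrid_candidates(words, suffixes):
        digest = hashlib.md5(candidate.encode()).hexdigest()
        for user in by_hash.get(digest, []):
            weak[user] = candidate
        if len(weak) == len(hashes):
            break  # every account accounted for; stop early
    return weak


def brute_force_md5(target_hex: str, alphabet: str,
                    max_length: int) -> Tuple[Optional[str], int]:
    """Incremental brute force (a, b, ..., aa, ab, ...) up to max_length
    characters. Returns (plaintext, candidates_tried), or (None, tried)."""
    tried = 0
    for length in range(1, max_length + 1):
        for chars in itertools.product(alphabet, repeat=length):
            tried += 1
            guess = "".join(chars)
            if hashlib.md5(guess.encode()).hexdigest() == target_hex:
                return guess, tried
    return None, tried


if __name__ == "__main__":
    print(audit_md5_hashes(SAMPLE_HASHES, WORDLIST, SUFFIXES))
    # Three lowercase letters is already 26**3 = 17,576 candidates; each extra
    # character multiplies the search space by the alphabet size.
    print(brute_force_md5(hashlib.md5(b"abc").hexdigest(), "abcdefghijklmnopqrstuvwxyz", 3))
```

Running the audit flags alice, bob and carol with the constructed wordlist and six suffix rules, while dave's random password is not reached. The brute-force helper makes the cost growth concrete: the search space is the alphabet size raised to the password length, which is why length matters more than any individual character class.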

Hash Collision

In some cases (usually with older or weaker hashing algorithms) it may be possible to identify multiple plaintext passwords that can generate the same hash value. This is known as a hash collision. In reality this is not a very common occurrence, but there are known examples of a hash collision being found for the MD5 hashing algorithm with file hashes (i.e. two different files generating the same MD5 hash).

Depending upon how (for example) a web application performs password comparison, it may be possible for an attacker to use a different password that generates the same hash value to gain access to an account.

Mitigating Password Cracking Risks

Strong Password Policies and Multi-Factor Authentication

To mitigate the risks associated with password cracking, organisations should implement strong password policies that require users to create complex passwords that are difficult to guess. This may include requirements for a minimum length and a mix of character types (uppercase, lowercase, numbers and special characters).

However, the more modern NIST guidelines recommend against regular password changes unless there is evidence of compromise, as this can lead to weaker passwords due to user fatigue and predictable patterns (e.g., it is very common for users to simply increment a number at the end of their password when forced to change it). The requirement for strict complexity is also relaxed, instead recommending the use of longer passphrases that are easier for users to remember but still provide strong security.

Additionally, organisations should consider implementing multi-factor authentication (MFA) to provide an additional layer of security beyond just passwords. MFA requires users to provide two or more forms of identification, such as a password and a fingerprint or a one-time code sent to their mobile device. However, SMS-based MFA has its own weaknesses; for example, an attacker can use out-of-band social engineering, such as a SIM swap, to obtain access.

Salting and Hashing Passwords

Organisations should also ensure that passwords are stored securely using strong hashing algorithms and salting techniques. Salting involves adding a random value to the password before hashing it, which makes it more difficult for attackers to use pre-computed tables or rainbow tables to crack the password.

Legacy hashing algorithms such as MD5 and SHA-1 are no longer considered secure, and organisations should instead use stronger algorithms such as bcrypt, Argon2 or PBKDF2, which are designed to be slow and computationally expensive, making them more resistant to brute-force attacks. As an example, the time taken to brute force a bcrypt hash with a cost factor of 12 is significantly higher than that of an MD5 hash, making it much more difficult for attackers to crack the password.

Regular Security Audits and User Education

Regular security audits and penetration tests can help identify vulnerabilities in an organisation’s password policies and storage practices. Additionally, educating users on the importance of strong passwords and the risks associated with password reuse can help reduce the likelihood of successful password cracking attacks.

Crucially, users should be encouraged to use unique passwords for each of their accounts, as password reuse can lead to credential stuffing attacks, where attackers use stolen username and password combinations from one site to gain access to other sites. Password managers can help users generate and store strong, unique passwords for each of their accounts, reducing the risk of password reuse and aiding the creation of more complex passwords.

Want to perform a Password Audit?

Contact our team today to learn more about our password auditing and cracking services. Secure your organisation by identifying weak passwords before attackers do.

Password Cracking in the Wild

Whilst security professionals use these password cracking techniques for beneficial purposes, such as during a password audit or penetration test, there are countless examples of organisations having had their customer data leaked online. The leaked password hashes obtained from such data breaches are then cracked to reveal the plaintext passwords, and the resulting username and password combinations are used in credential stuffing attacks against other services where users have reused the same password across multiple sites.

By understanding the different methods of password cracking and implementing strong password policies and multi-factor authentication, organisations can mitigate the risks associated with password cracking and protect their sensitive data from cyber threats.