Perimeter

1/21/2009
02:53 PM
Robert Graham
Robert Graham
Commentary
50%
50%

How Hackers Will Crack Your Password

I've been cracking passwords lately for pen tests, and I'm surprised at how corporate guidelines don't really help people choose passwords. As in many places in security, a disconnect exists between how people secure systems and how hackers break systems. So the following is a brief description of what hackers do (or, at least, what I do when pen-testing systems).

I've been cracking passwords lately for pen tests, and I'm surprised at how corporate guidelines don't really help people choose passwords. As in many places in security, a disconnect exists between how people secure systems and how hackers break systems. So the following is a brief description of what hackers do (or, at least, what I do when pen-testing systems).The first problem is an "online" vs. "offline" attack. An online attack is where hackers try to log on pretending to be you and guess your password. Unless you've chosen something extremely easy to guess (such as "Wasila High"), this isn't a big danger. Online systems automatically lock your account after too many bad guesses.

The real danger is "offline" cracking. Hackers break into a system to steal the encrypted password file or eavesdrop on an encrypted exchange across the Internet. They are then free to decrypt the passwords without anybody stopping them.

Doing this, hackers can guess passwords at the rate of 1 billion guesses a second. That's fast, but not when you consider how big the problem is. Consider passwords composed of letters, numbers, and symbols. That's roughly 100 combinations per character. A five-character password will have 10 billion combinations. This means a hacker can guess a five-character password in only 10 seconds. But things quickly get worse for the hacker. This problem grows exponentially:

    5 characters = 10 seconds 6 characters = 1,000 seconds 7 characters = 1 day 8 characters = 115 days 9 characters = 31 years 10 characters = 3,000 years

This is why you need long passwords. Hackers can usually crack anything with seven characters or fewer, but they would be unlikely to guess passwords using this technique that are nine characters or more.

This is also why you need complex passwords containing uppercase and lowercase, numbers, and symbols. That's 100 possible combinations for each character. Lowercase passwords have only 26 combinations per character. A hacker can guess an all-lowercase password of 10 characters in about two days.

However, hackers have another trick up their collective sleeve: the mutated dictionary attack. Because of the above problem, you might choose a large password, like "Aardvark-Zebra9." This is longer than what a hacker will be able to discover by brute force. So hackers solve this with a "dictionary" attack. Instead of trying all combinations of characters, they instead try to match passwords with words in a dictionary. They then "mutate" the words, reflecting common things people do to passwords.

When users are told to make their passwords complex, they usually do something simple to them. Instead of choosing "robert" as a password, they will make it "robert!". Putting an exclamation mark at the end of a password is one of the most common mutations people choose. Hackers know this, so their dictionary cracks will do the same thing.

Here is a list of common mutations a hacker will try to dictionary words:

  • capitalizing the first letter of a word;
  • checking all combinations of upper/lowercase for words;
  • inserting a number randomly in the word;
  • putting numbers on the ends of words;
  • putting numbers on the beginning of words;
  • putting the same pattern at both ends, like *foobar*;
  • replacing letters like "o" and "l" with numbers like "0" and "1";
  • punctuating the end of words;
  • duplicating the first letter, or all letters in the word;
  • combining two words together; and
  • putting punctuation or space between the words.

Hackers are also smart about which words they choose. They don't just choose English words, but also include most popular languages (i.e., Spanish, French, German). They also choose words from pop culture, like xbox360 or Britney Spears.

If they know who you are, they will find words particular to you. Let's say your name is "John Smith," you drive a "BMW," you work for "Microsoft," and you like to watch "The Office." A hacker will Google these terms and create wordlists from the resulting Web pages. Thus, "Carell325i" seems like a fine 10-character password to defeat hackers, but will get cracked in only a few minutes by a hacker who knows you. (I like to use the Associative Word List Generator Web site to generate password lists for me.)

So how do you choose something that hackers can't guess? Well, remember that hackers aren't all-powerful. Increased complexity of things they have to check, the less likely they will guess your password. Yes, they will check for numbers on the ends of passwords, but as long as you've chosen something like your birthdate instead of 1234, it's something more likely to be missed.

Including just one international character, like a vowel with an umlaut, will defeat most password crackers. They can be typed by holding down the key and typing a -three-digit number on the numpad. Typing long phrases instead of words will also help. In theory, it should be easy to guess "Twas as a dark and stormy night" as a passphrase, but in practice, hackers won't catch it. On the flip side, the more complex you make your password, the harder it will be for you to type it in. Try to create something as long as you can comfortably type, while still keeping in mind the techniques above.

Robert Graham is CEO of Errata Security. Special to Dark Reading

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DanS107
50%
50%
DanS107,
User Rank: Apprentice
7/25/2015 | 6:52:02 PM
Re: Correction
Why isn't the password code written so that there is a delay of a few seconds between submission of a password and the acceptance or rejection of that password?
anon7008839568
50%
50%
anon7008839568,
User Rank: Apprentice
4/14/2014 | 11:16:15 PM
Correction
"They can be typed by holding down the key" should be "They can be typed by holding down the ALT key"
Microsoft President: Governments Must Cooperate on Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/8/2018
To Click or Not to Click: The Answer Is Easy
Kowsik Guruswamy, Chief Technology Officer at Menlo Security,  11/14/2018
Veterans Find New Roles in Enterprise Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Online Malware and Threats: A Profile of Today's Security Posture
Online Malware and Threats: A Profile of Today's Security Posture
This report offers insight on how security professionals plan to invest in cybersecurity, and how they are prioritizing their resources. Find out what your peers have planned today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-19279
PUBLISHED: 2018-11-14
PRIMX ZoneCentral before 6.1.2236 on Windows sometimes leaks the plaintext of NTFS files. On non-SSD devices, this is limited to a 5-second window and file sizes less than 600 bytes. The effect on SSD devices may be greater.
CVE-2018-19280
PUBLISHED: 2018-11-14
Centreon 3.4.x has XSS via the resource name or macro expression of a poller macro.
CVE-2018-19281
PUBLISHED: 2018-11-14
Centreon 3.4.x allows SNMP trap SQL Injection.
CVE-2018-17960
PUBLISHED: 2018-11-14
CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source-mode paste.
CVE-2018-19278
PUBLISHED: 2018-11-14
Buffer overflow in DNS SRV and NAPTR lookups in Digium Asterisk 15.x before 15.6.2 and 16.x before 16.0.1 allows remote attackers to crash Asterisk via a specially crafted DNS SRV or NAPTR response, because a buffer size is supposed to match an expanded length but actually matches a compressed lengt...