Perimeter
1/21/2009
02:53 PM
Robert Graham
Robert Graham
Commentary
50%
50%

How Hackers Will Crack Your Password

I've been cracking passwords lately for pen tests, and I'm surprised at how corporate guidelines don't really help people choose passwords. As in many places in security, a disconnect exists between how people secure systems and how hackers break systems. So the following is a brief description of what hackers do (or, at least, what I do when pen-testing systems).

I've been cracking passwords lately for pen tests, and I'm surprised at how corporate guidelines don't really help people choose passwords. As in many places in security, a disconnect exists between how people secure systems and how hackers break systems. So the following is a brief description of what hackers do (or, at least, what I do when pen-testing systems).The first problem is an "online" vs. "offline" attack. An online attack is where hackers try to log on pretending to be you and guess your password. Unless you've chosen something extremely easy to guess (such as "Wasila High"), this isn't a big danger. Online systems automatically lock your account after too many bad guesses.

The real danger is "offline" cracking. Hackers break into a system to steal the encrypted password file or eavesdrop on an encrypted exchange across the Internet. They are then free to decrypt the passwords without anybody stopping them.

Doing this, hackers can guess passwords at the rate of 1 billion guesses a second. That's fast, but not when you consider how big the problem is. Consider passwords composed of letters, numbers, and symbols. That's roughly 100 combinations per character. A five-character password will have 10 billion combinations. This means a hacker can guess a five-character password in only 10 seconds. But things quickly get worse for the hacker. This problem grows exponentially:

    5 characters = 10 seconds 6 characters = 1,000 seconds 7 characters = 1 day 8 characters = 115 days 9 characters = 31 years 10 characters = 3,000 years

This is why you need long passwords. Hackers can usually crack anything with seven characters or fewer, but they would be unlikely to guess passwords using this technique that are nine characters or more.

This is also why you need complex passwords containing uppercase and lowercase, numbers, and symbols. That's 100 possible combinations for each character. Lowercase passwords have only 26 combinations per character. A hacker can guess an all-lowercase password of 10 characters in about two days.

However, hackers have another trick up their collective sleeve: the mutated dictionary attack. Because of the above problem, you might choose a large password, like "Aardvark-Zebra9." This is longer than what a hacker will be able to discover by brute force. So hackers solve this with a "dictionary" attack. Instead of trying all combinations of characters, they instead try to match passwords with words in a dictionary. They then "mutate" the words, reflecting common things people do to passwords.

When users are told to make their passwords complex, they usually do something simple to them. Instead of choosing "robert" as a password, they will make it "robert!". Putting an exclamation mark at the end of a password is one of the most common mutations people choose. Hackers know this, so their dictionary cracks will do the same thing.

Here is a list of common mutations a hacker will try to dictionary words:

  • capitalizing the first letter of a word;
  • checking all combinations of upper/lowercase for words;
  • inserting a number randomly in the word;
  • putting numbers on the ends of words;
  • putting numbers on the beginning of words;
  • putting the same pattern at both ends, like *foobar*;
  • replacing letters like "o" and "l" with numbers like "0" and "1";
  • punctuating the end of words;
  • duplicating the first letter, or all letters in the word;
  • combining two words together; and
  • putting punctuation or space between the words.

Hackers are also smart about which words they choose. They don't just choose English words, but also include most popular languages (i.e., Spanish, French, German). They also choose words from pop culture, like xbox360 or Britney Spears.

If they know who you are, they will find words particular to you. Let's say your name is "John Smith," you drive a "BMW," you work for "Microsoft," and you like to watch "The Office." A hacker will Google these terms and create wordlists from the resulting Web pages. Thus, "Carell325i" seems like a fine 10-character password to defeat hackers, but will get cracked in only a few minutes by a hacker who knows you. (I like to use the Associative Word List Generator Web site to generate password lists for me.)

So how do you choose something that hackers can't guess? Well, remember that hackers aren't all-powerful. Increased complexity of things they have to check, the less likely they will guess your password. Yes, they will check for numbers on the ends of passwords, but as long as you've chosen something like your birthdate instead of 1234, it's something more likely to be missed.

Including just one international character, like a vowel with an umlaut, will defeat most password crackers. They can be typed by holding down the key and typing a -three-digit number on the numpad. Typing long phrases instead of words will also help. In theory, it should be easy to guess "Twas as a dark and stormy night" as a passphrase, but in practice, hackers won't catch it. On the flip side, the more complex you make your password, the harder it will be for you to type it in. Try to create something as long as you can comfortably type, while still keeping in mind the techniques above.

Robert Graham is CEO of Errata Security. Special to Dark Reading

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DanS107
50%
50%
DanS107,
User Rank: Apprentice
7/25/2015 | 6:52:02 PM
Re: Correction
Why isn't the password code written so that there is a delay of a few seconds between submission of a password and the acceptance or rejection of that password?
anon7008839568
50%
50%
anon7008839568,
User Rank: Apprentice
4/14/2014 | 11:16:15 PM
Correction
"They can be typed by holding down the key" should be "They can be typed by holding down the ALT key"
5 Reasons the Cybersecurity Labor Shortfall Won't End Soon
Steve Morgan, Founder & CEO, Cybersecurity Ventures,  12/11/2017
BlueBorne Attack Highlights Flaws in Linux, IoT Security
Kelly Sheridan, Associate Editor, Dark Reading,  12/14/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security: 2017
A look at the biggest news stories (so far) of 2017 that shaped the cybersecurity landscape -- from Russian hacking, ransomware's coming-out party, and voting machine vulnerabilities to the massive data breach of credit-monitoring firm Equifax.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.