Password Cracking 101
Featured in the May 2016 Massachusetts State Automobile Dealers Association (MSADA) Magazine (www.msada.org)
From the corner window of your office, the front of the vehicle was just barely visible. You didn’t recognize the van, but it certainly seemed innocuous enough at the time. Then, in a fleeting moment of clarity, you realize you just can’t remember it arriving, and you don’t remember anyone ever getting out. But you don’t get paid to worry about security. The strangeness of the situation fades as you log into your network, and begin another hard day’s work. How could you be expected to know that after hours of network sniffing, the attackers had finally captured the elusive string of information they were hunting for – your encrypted password. Hold on tight, because the rest happens very quickly.
The attacker needs only to run a single command, launching any one of several powerful password cracking tools against your credentials. Their specialized equipment is optimized for this sort of analysis. Multiple computers scream along as thousands of passwords are guessed with every passing second. Then, after a surprisingly short period of time, the plaintext password is recovered, and the attacker is in control. You are no longer the unique owner of your own identity, and the network can’t tell the difference. Game over.
Weak passwords are one of the leading causes of information security related incidents. In fact, dumping and cracking employee credentials is part of every hacker’s toolkit. It’s obvious then that password strength is crucial to any information security policy. But if the criticality of password strength is widely known, why are they still so widely compromised? Well, for starters, remembering complex passwords is difficult, and people are disinclined to use passwords which they cannot easily recall. Secondly, there is no real standard against which to measure password strength.
The computing power available to today’s average consumer is staggering. Modern laptops and desktop PC’s have more than enough computing power to handle a simple password recovery. But consider also that there are cloud based services which will rent access to dozens, even hundreds, of computers. These can then be used for such illicit purposes as attempting to crack the passwords of every employee at your organization, all at once. And these services cost considerably less than investing in a new computer, some as little as fifty cents per password.
As in war, one can only defeat an enemy by fully understanding their motives and tactics. Therefore, in order to create truly strong passwords, one must have an understanding of the techniques used to compromise them. After all, when we discuss “strength”, we are really talking about “resistance to cracking”. The strongest passwords are uncrackable in a reasonable amount of time, and that is the only metric by which password strength can be reliably measured.
The attacker is likely to employ two standard types of password attack. The first is a brute force attack, which simply attempts every single combination of alphanumeric and special characters possible. In reality, the only defense against this sort of attack lies in the length of the password. The attacker should run out of time or computing power, or simply lose interest, before succeeding. In this case, the attacker seeks to exploit our tendency to choose passwords that are short and simple enough to remember.
The second type of password attack is known as a dictionary attack, which uses vast wordlists to try and match a password. These wordlists are often composed of actual dictionaries, previously leaked passwords, and even popular books. Here, the attacker seeks to exploit our language, since recognizable words are easier to remember than meaningless strings of characters. In order to defend against this type of attack, it’s necessary to keep your password out of the dictionary. This can be adequately achieved by squishing multiple words together, as in a passphrase. A similar option involves converting a complex phrase into an acronym. Both of these types of passwords are nearly transparent to dictionary style attacks, because neither is likely to be found on a wordlist.
The success rate of either type of attack can be increased by employing a technique known as “mangling”. By mangling their guesses, an attacker seeks to exploit our tendencies to place special characters at the end of a password and capital letters at the front. The attacker can then attempt to recreate these conditions by trying each guess multiple times, appending different special characters to the end, and changing the capitalization. By specifying targeted mangling rules, the attacker is more likely to recover a password to which strength had been “added” by the average user.
Examples of passwords vulnerable to dictionary-mangling attacks:
Strength in passphrases and acronyms:
The ants go marching 2 by 2 hurrah! Hurrah!
Through an understanding of the various ways a hacker can compromise credentials, the real meaning of password strength has emerged. It is not as simple as merely adding characters or length to an existing password. Rather, we should be employing techniques that increase the time and computing cost to crack a given password. Password strength must be measured in the context of an attack. After all, the people who are testing the strength of your password are usually the ones trying to hack into your business and steal your data.