Password Cracking 101

June 16, 2016 Posted by Scott Goodwin Cybersecurity, IT Advisory Services, IT Security

Featured in the May 2016 Massachusetts State Automobile Dealers Association (MSADA) Magazine (www.msada.org)


From the corner window of your office, the front of the vehicle was just barely visible. You didn’t recognize the van, but it certainly seemed innocuous enough at the time. Then, in a fleeting moment of clarity, you realize you just can’t remember it arriving, and you don’t remember anyone ever getting out. But you don’t get paid to worry about security. The strangeness of the situation fades as you log into your network and begin another hard day’s work. How could you be expected to know that after hours of network sniffing, the attackers had finally captured the elusive string of information they were hunting for: your password hash. Not the password itself, and not an encrypted copy that could be decrypted, but a one-way fingerprint of it, which is all an attacker needs, because guesses can now be tested against it offline, with no account lockout to slow things down. Hold on tight, because the rest happens very quickly.

The attacker needs only to run a single command, launching any one of several powerful password cracking tools against your credentials. Their specialized equipment is optimized for this sort of analysis. Multiple computers, or rather the graphics cards inside them, scream along as millions, even billions, of passwords are guessed with every passing second, the exact rate depending on how the password was hashed. Then, after a surprisingly short period of time, the plaintext password is recovered, and the attacker is in control. You are no longer the unique owner of your own identity, and the network can’t tell the difference. Game over.

Weak passwords are one of the leading causes of information security incidents. In fact, dumping and cracking employee credentials is part of every hacker’s toolkit. It’s obvious, then, that password strength is crucial to any information security policy. But if the criticality of password strength is so widely known, why are passwords still so widely compromised? Well, for starters, remembering complex passwords is difficult, and people are disinclined to use passwords which they cannot easily recall. Secondly, there is no real standard against which to measure password strength: most “strength meters” simply count characters and character classes, which, as we’ll see, is not how an attacker measures it.

The computing power available to today’s average consumer is staggering. Modern laptops and desktop PCs have more than enough computing power to handle a simple password recovery. But consider also that there are cloud-based services which will rent access to dozens, even hundreds, of computers. These can then be used for such illicit purposes as attempting to crack the passwords of every employee at your organization, all at once. And these services cost considerably less than investing in a new computer, some as little as fifty cents per password. How far that money goes depends on how the passwords were stored: a deliberately slow, salted hashing algorithm such as bcrypt or PBKDF2 makes each guess many orders of magnitude more expensive than a fast, unsalted hash, and that per-guess cost is the one part of the equation decided by the system rather than by the user.

As in war, one can only defeat an enemy by fully understanding their motives and tactics. Therefore, in order to create truly strong passwords, one must have an understanding of the techniques used to compromise them. After all, when we discuss “strength”, we are really talking about “resistance to cracking”. The strongest passwords are uncrackable in a reasonable amount of time, and that is the only metric by which password strength can be reliably measured.

The attacker is likely to employ two standard types of password attack. The first is a brute force attack, which simply attempts every possible combination of letters, digits and special characters. The number of combinations is the size of the alphabet raised to the power of the password’s length, so every extra character multiplies the attacker’s work many times over; in reality, the only meaningful defense against this sort of attack lies in the length of the password. The attacker should run out of time or computing power, or simply lose interest, before succeeding. In this case, the attacker seeks to exploit our tendency to choose passwords that are short and simple enough to remember.

The second type of password attack is known as a dictionary attack, which works through vast wordlists looking for a match. These wordlists are often composed of actual dictionaries, previously leaked passwords, and even popular books and song lyrics. Here, the attacker seeks to exploit our language, since recognizable words are easier to remember than meaningless strings of characters. In order to defend against this type of attack, it’s necessary to keep your password out of the dictionary. This can be achieved by squishing multiple words together, as in a passphrase, or by converting a memorable phrase into an acronym. Both are largely immune to dictionary-style attacks, because neither is likely to appear on a wordlist, with two caveats: a famous quotation or lyric may well be in a wordlist built from books and songs, and cracking tools can also chain two or three dictionary words into a single guess, so a passphrase should be long and made of several words rather than a short pairing of common ones.

The success rate of either type of attack can be increased by employing a technique known as “mangling”. By mangling their guesses, an attacker seeks to exploit our tendencies to place special characters at the end of a password and capital letters at the front. The attacker can then attempt to recreate these conditions by trying each guess multiple times, appending different digits, years and special characters to the end, and changing the capitalization. Tools such as hashcat and John the Ripper ship with ready-made rule files that encode exactly these habits. By specifying targeted mangling rules, the attacker is far more likely to recover a password to which strength had been “added” by the average user.

Examples of passwords vulnerable to dictionary-mangling attacks:

Password1!
Summer2016!

Strength in passphrases and acronyms:

The ants go marching 2 by 2 hurrah! Hurrah!
Tagm2x2h!H!

The second is the first reduced to an acronym: the initial letter of each word, with “by” written as x and the digits and punctuation kept. Neither one appears on any wordlist, and both are long enough that a brute force becomes impractical.
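As an added example (not code from the original article or from OCD Tech), the script below models the three techniques described above: a dictionary attack, the mangling rules that bolt capitals, digits, years and symbols onto each word, and the cost of a naive brute force measured as alphabet size to the power of length. It is run against the four sample passwords above, hashed with unsalted SHA-256 so that it works offline. The wordlist, the rule set, the choice of hash and the assumed rate of ten billion guesses per second are all constructed for the example and are not figures from the article; real tools such as hashcat and John the Ripper do the same work with far larger wordlists and rule files.

```python
"""Dictionary-plus-mangling attack next to a brute-force cost estimate.

Added example, not code from the original article or from OCD Tech.
All inputs are constructed: the wordlist, the mangling rules, the
"captured" hashes (unsalted SHA-256 of the article's four sample
passwords) and the guess rate are assumptions so the script runs offline.
"""
import hashlib
import string

# The four passwords from the article. The attacker is only given their hashes.
SAMPLE_PASSWORDS = [
    "Password1!",
    "Summer2016!",
    "The ants go marching 2 by 2 hurrah! Hurrah!",
    "Tagm2x2h!H!",
]

# Constructed wordlist: a handful of dictionary words and seasonal terms.
WORDLIST = ["welcome", "password", "dealer", "summer",
            "winter", "ants", "marching", "hurrah"]

# Suffixes modelled on the habits the article describes: digits or a
# year, then a special character, appended to a capitalised word.
SUFFIX_DIGITS = [str(d) for d in range(10)] + ["123", "1234"]
SUFFIX_YEARS = [str(y) for y in range(2010, 2020)]
SUFFIX_SPECIALS = ["!", "@", "#", "$"]

ASSUMED_GUESSES_PER_SECOND = 1e10  # assumption; depends on hash type and hardware


def sha256_hex(text):
    """Unsalted SHA-256, standing in for whatever hash the attacker sniffed."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def mangle(word):
    """Yield every guess the mangling rules derive from one wordlist entry:
    three capitalisation variants x 23 digit/year suffixes x 5 specials (345)."""
    for base in (word, word.capitalize(), word.upper()):
        for suffix in [""] + SUFFIX_DIGITS + SUFFIX_YEARS:
            for special in [""] + SUFFIX_SPECIALS:
                yield base + suffix + special


def dictionary_attack(digests, wordlist):
    """Hash every mangled guess and compare against the captured digests.
    Returns (recovered {digest: plaintext}, number of guesses made)."""
    wanted = set(digests)
    recovered = {}
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            digest = sha256_hex(candidate)
            if digest in wanted and digest not in recovered:
                recovered[digest] = candidate
                if len(recovered) == len(wanted):
                    return recovered, guesses
    return recovered, guesses


def brute_force_keyspace(password):
    """Guesses a naive brute force must be prepared to make: alphabet ** length,
    where the alphabet is the union of the character classes the password uses."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation + " "]
    alphabet = sum(len(cls) for cls in classes if any(c in cls for c in password))
    return alphabet ** len(password)


def human_time(seconds):
    """Rough human-readable duration for a crack-time estimate."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            value = seconds / size
            return f"{value:,.1f} {unit}" if value < 1e6 else f"{value:.2e} {unit}"
    return f"{seconds:.3g} seconds"


def assess(passwords, wordlist, rate=ASSUMED_GUESSES_PER_SECOND):
    """Compare the two attacks for each password. Returns {password: report}."""
    digests = {sha256_hex(p): p for p in passwords}
    recovered, guesses = dictionary_attack(list(digests), wordlist)
    report = {}
    for digest, password in digests.items():
        keyspace = brute_force_keyspace(password)
        report[password] = {
            "cracked_by_dictionary": digest in recovered,
            "dictionary_guesses_total": guesses,
            "brute_force_keyspace": keyspace,
            "brute_force_worst_case": human_time(keyspace / rate),
        }
    return report


if __name__ == "__main__":
    for password, r in assess(SAMPLE_PASSWORDS, WORDLIST).items():
        status = "CRACKED" if r["cracked_by_dictionary"] else "survived"
        print(f"{password!r:48} dictionary+mangling: {status:8} "
              f"brute force worst case: {r['brute_force_worst_case']}")
```

Running it shows Password1! and Summer2016! falling to a few thousand mangled guesses, even though a brute force over the same 95-character alphabet would take well over a century at the assumed rate, while the passphrase and the acronym survive the dictionary pass and push the brute-force estimate far beyond any useful horizon. That is the article’s point in numbers: a character-counting meter rates the two cracked passwords highly, and the attack model does not.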

Through an understanding of the various ways a hacker can compromise credentials, the real meaning of password strength has emerged. It is not as simple as tacking a capital letter, a digit or a symbol onto an existing word; those are exactly the habits a mangling rule reproduces. Rather, we should be employing techniques that increase the time and computing cost of cracking a given password. Password strength must be measured in the context of an attack. After all, the people who are testing the strength of your password are usually the ones trying to hack into your business and steal your data.

Tags: Penetration Testing
About Scott Goodwin

Scott manages the Information Security Advisory Services practice within OCD Tech. Prior to joining the firm, he graduated from the University of Massachusetts Boston with a degree in Physics. Scott’s primary engagements include security advisory services and security assessments against industry standard frameworks including NIST 800-53 and the NIST Cybersecurity Framework, as well as NIST 800-171 assessments for multiple clients in the defense and aerospace sector. Currently, Scott oversees many technical engagements, including vulnerability assessments, and is a lead penetration tester for OCD Tech. Scott is directly responsible for the identification of three previously unknown vendor software vulnerabilities which have been registered with MITRE’s Common Vulnerabilities and Exposures (CVE) database as CVE-2018-11628, CVE-2019-7004, and CVE-2019-19774. Scott is also the key developer on the OCD Tech open source discovery platform, Scrapy. The platform identifies public domain information and provides reporting and alerting for OCD Tech clients upon discovery of key sensitive company/personal information.
