Creating a strong and unique password for each account you create is vital. But have you ever wondered how your strong password is broken down and cracked to allow hackers into your accounts?

I tested three different passwords against an open-source password-cracking tool to find out what really works when it comes to password security.

Screen of a phone with passwords, padlocks, and keys around it.

What Is Password Cracking?

When you create an account with an online service, the provider usually (and hopefully) does not store your password itself. Instead, it runs the password through a hashing algorithm to create a “hash,” a seemingly random string of letters and numbers derived from your password (this is often loosely called encrypting the password). Of course, it’s not actually random—it’s a very particular string of characters that only your password produces—but to the untrained eye, it looks like a mess.

It’s far quicker and easier to turn a word into a hash than to “unravel” a hash back into the word. As such, when you set a password, the service you’re logging into runs it through the hash function and then stores only the result on its server.


If this password file gets leaked, hackers will try to figure out its contents using password cracking. Because hashing a candidate password is fast while reversing a hash is not, hackers set up a system that takes potential passwords as input, hashes them using the same method as the server, and then compares the results against the leaked password database.

If a candidate’s hash matches any entry in the database, the hacker knows that every matching entry was created from that candidate password.

Performing a brute force attack with Hashcat

How I Cracked My Own Passwords Using HashCat

Alright, so let’s crack some passwords I’ve constructed to see how easy it is. To do this, I will use Hashcat, a free and open-source password cracker available for anyone to use.

For these tests, I will crack the following passwords:

Now that we have our passwords, I hashed them using MD5. This is how the passwords would appear if they were in a leaked password file:

Now, it’s time to crack them.

Performing a Simple Crack Using a Dictionary Attack

To start, let’s do a dictionary attack, one of the most common methods of attacking passwords. This is a simple attack where I take a list of potential passwords, have Hashcat convert each one to MD5, and see if any match the three entries above. For this experiment, I’m using the “rockyou.txt” file as my dictionary, a wordlist taken from one of the biggest password leaks in history.

To start cracking, I go to the folder Hashcat is in, right-click on an empty space, and click Open in Terminal. Now that the Terminal is open and set to the Hashcat directory, I invoke the Hashcat application with the following command:

Here’s what the command does:

Despite rockyou’s huge size, Hashcat churned through the whole list in six seconds. In the results file, Hashcat said it cracked the 123456 password, but the Susan and Bitwarden passwords remained uncracked. That’s because 123456 appears in the rockyou.txt file (someone else had used it), but nobody in that list had used the Susan or Bitwarden passwords, meaning they were unique enough to survive this attack.
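To make the mechanics of the hash file and the dictionary attack concrete, here is an added Python example (not code from the article, and not Hashcat itself) that does the same thing on a tiny scale: it writes the MD5 hash lines a leaked password file would contain, then hashes every word in a constructed mini wordlist and compares the results. The article prints only two of its three passwords (“123456” and “Susan48!”), so the third value below is a constructed stand-in for the unnamed Bitwarden-generated password, and the wordlist is a handful of constructed entries standing in for rockyou.txt.

```python
import hashlib

# The two passwords the article names, plus a constructed stand-in for the
# third one (the article does not print its Bitwarden-generated password).
PASSWORDS = ["123456", "Susan48!", "xK9#vLq2$w"]

# Constructed mini wordlist standing in for rockyou.txt. Like the real list,
# it contains the ubiquitous "123456" but not the other two passwords.
WORDLIST = ["password", "123456", "qwerty", "iloveyou", "susan", "susan48", "bitwarden"]


def md5_hex(password):
    """Unsalted MD5 of a password, as the article's demo hash file uses."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_hash_file(passwords):
    """Return the lines of a hash file: one 32-character hex MD5 per line."""
    return [md5_hex(p) for p in passwords]


def dictionary_attack(hash_lines, wordlist):
    """Hash each candidate word and look it up against the leaked hashes.

    Returns a mapping {hash: recovered_password} for every hash that matched.
    The lookup set makes each candidate an O(1) check, which is why even a
    list the size of rockyou.txt finishes in seconds.
    """
    targets = set(hash_lines)
    cracked = {}
    for word in wordlist:
        candidate = md5_hex(word)
        if candidate in targets:
            cracked[candidate] = word
    return cracked


def uncracked(hash_lines, cracked):
    """Hashes that survived the attack (their passwords were not in the list)."""
    return [h for h in hash_lines if h not in cracked]


if __name__ == "__main__":
    hash_lines = make_hash_file(PASSWORDS)
    print("hash file contents:")
    for line in hash_lines:
        print("  " + line)

    result = dictionary_attack(hash_lines, WORDLIST)
    for h, word in result.items():
        print(f"cracked: {h} -> {word}")
    for h in uncracked(hash_lines, result):
        print(f"survived: {h}")
```

Only the hash of “123456” is recovered; “Susan48!” and the stand-in survive because nothing in the wordlist hashes to them, which is exactly the outcome the article reports against rockyou.txt.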

Performing a More Complex Crack Using Masked Brute Force Attacks

Dictionary attacks work only when someone’s password appears in a larger list of known passwords. They’re quick and easy to do, but they cannot crack a password that isn’t in the dictionary. As such, if we want to really test our passwords, we need to use brute force attacks.

If dictionary attacks are all about taking a pre-set list and hashing its entries one by one, brute force attacks do the same but with every conceivable combination of characters. They’re harder to perform and take a lot longer, but they will eventually crack any password. As we’ll see soon enough, that eventuality can sometimes take a very long time.

Here’s the command I used to do a “true” brute force attack:

Even with this awful mask, the 123456 password broke within 15 seconds. Despite being the most popular password, it’s one of the weakest.

The “Susan48!” password was much better—my PC said it would take four days to crack it blindly. However, there was one problem. Remember when I said the Susan password has some critical flaws? The biggest one is that the password is constructed predictably.

When we create a password, we usually put specific elements in specific spots. You can imagine the person making the Susan password tried using “susan” at first but was told to add capital letters and numbers. To make it easier to remember, they capitalized the first letter and added the numbers to the end. Then, perhaps one login service asked for a symbol, so our password setter stuck it on the end.

As such, we can use a mask to tell Hashcat to try only specific kinds of characters at specific positions, exploiting how predictable people are when making a password. In this mask, “?u” tries only capital letters at that position, “?l” tries only lowercase letters, and “?a” tries any character:

With this mask, Hashcat breaks the password in three minutes and 10 seconds, which is much faster than four days.

The Bitwarden password is ten characters long and doesn’t use any predictable patterns, so I’d have to do a brute-force attack without any masking to crack it. Unfortunately, when I asked Hashcat to do that, it threw an error, saying that the number of possible combinations exceeded the integer limit. IT Security Guru says the Bitwarden password would take three years to crack, so that’s good enough for me.
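The difference between the blind brute force and the mask, and the “integer limit” error on the ten-character password, both come down to the size of the keyspace each mask describes. The following added Python example (my own code, not the article’s or Hashcat’s) parses masks written in Hashcat’s mask syntax and computes how many candidates each one covers, using Hashcat’s documented built-in charset sizes (?l and ?u 26 each, ?d 10, ?s 33, ?a 95). The article does not print the exact mask it used against “Susan48!”, so “?u?l?l?l?l?d?d?a” below is an assumed mask that follows the pattern the article describes (capital first, lowercase run, digits, then any character); the hash rate used for the time estimate is likewise an assumed figure, not a measurement.

```python
# Sizes of Hashcat's built-in charsets for mask attacks:
# ?l lowercase, ?u uppercase, ?d digits, ?s the 33 printable specials
# (including space), ?a = ?l?u?d?s = 95 printable ASCII characters.
CHARSET_SIZES = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}

# Hashcat stores keyspace counts in 64-bit integers; a mask whose keyspace
# does not fit in a signed 64-bit value is beyond that limit.
INT64_MAX = 2 ** 63 - 1


def parse_mask(mask):
    """Return the number of possible characters at each position of a mask.

    '?x' tokens expand to a built-in charset, '??' is a literal '?', and any
    other character is a fixed literal (one possibility at that position).
    """
    sizes = []
    i = 0
    while i < len(mask):
        if mask[i] == "?":
            if i + 1 >= len(mask):
                raise ValueError("dangling '?' at end of mask")
            key = mask[i + 1]
            if key == "?":
                sizes.append(1)
            elif key in CHARSET_SIZES:
                sizes.append(CHARSET_SIZES[key])
            else:
                raise ValueError(f"unknown charset ?{key}")
            i += 2
        else:
            sizes.append(1)
            i += 1
    return sizes


def keyspace(mask):
    """Total number of candidates the mask generates (product of positions)."""
    total = 1
    for n in parse_mask(mask):
        total *= n
    return total


def fits_in_int64(mask):
    """True if Hashcat could represent this mask's keyspace in 64 bits."""
    return keyspace(mask) <= INT64_MAX


def seconds_to_exhaust(mask, hashes_per_second):
    """Worst-case time to try every candidate at a given cracking rate."""
    return keyspace(mask) / hashes_per_second


if __name__ == "__main__":
    ASSUMED_RATE = 2e9  # assumed MD5 hashes/second; not the article's hardware

    rows = [
        ("blind 6-char (123456)", "?a?a?a?a?a?a"),
        ("blind 8-char (Susan48!)", "?a?a?a?a?a?a?a?a"),
        ("assumed mask for Susan48!", "?u?l?l?l?l?d?d?a"),
        ("blind 10-char (Bitwarden)", "?a?a?a?a?a?a?a?a?a?a"),
    ]
    for label, mask in rows:
        size = keyspace(mask)
        status = "ok" if fits_in_int64(mask) else "exceeds int64"
        print(f"{label:28} {mask:22} {size:>24,d}  {status}")
        if fits_in_int64(mask):
            print(f"{'':28} worst case at assumed rate: "
                  f"{seconds_to_exhaust(mask, ASSUMED_RATE) / 86400:.2f} days")
```

The structured mask shrinks the eight-character search from 95^8 to about 1.1 × 10^11 candidates, roughly 59,000 times fewer, which is why guessing where people put their capitals, digits and symbols matters so much; and ten positions of ?a give 95^10, which is larger than 2^63 and so cannot be represented in a 64-bit keyspace counter, matching the error the article hit.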

How to Keep Your Accounts Safe From Password Cracking

So, what can we learn from this? The main factors stopping me from cracking the Bitwarden password were its length (10 characters) and its unpredictability. As such, when making passwords, make them as long as possible and sprinkle symbols, numbers, and capitals throughout the password rather than at the start or end. This prevents hackers from using masks to predict where each element sits and makes the password a lot tougher to crack.

You may already know old password adages such as “use an array of characters” and “make it as long as possible.” Hopefully, you know why people recommend these handy tips—they’re the difference between a cracked password and a safe one.