Thursday, October 3, 2013

Breaking passwords is kiddie script stuff.

How I became a password cracker

by Nate Anderson - Mar 24 2013, 5:55pm PDT

In this article, the author describes how his editor gave him a challenge: see how many passwords he could steal and crack in a day. He had never cracked a password before. He was limited to using only information, resources and free tools that were available on the Internet. He described password cracking as “kiddie script stuff”. He said he was someone who “can't hack my way out of the proverbial paper bag”, but by the end of the day he was able to crack over 8,000 passwords. This was done on an ancient Dell laptop.

His first challenge was to find a set of passwords to crack. He found this was easy. There are entire forums on the Internet dedicated to swapping lists of stolen user names and password hashes and assisting each other in cracking them. I found this alarming. It made me wonder if any of my personal information is just floating around on the Internet somewhere waiting to be stolen. He picked a 15,000-entry password file which used unsalted MD5, a weak hashing method. Most password cracking is not done online by repeatedly trying to log on to a website, because most websites limit the number of logon attempts. Rather, lists of password hashes are stolen and the cracking takes place offline, where nothing limits how many guesses can be tried.

He experimented with available free password cracking utilities, such as John the Ripper and Hashcat. He picked Hashcat because it had an easy-to-use GUI. He found the instructions to use it on a wiki. He used a dictionary attack, which tries to break passwords by hashing candidate passwords one at a time from a list and comparing the results against the stolen hashes. This method works because people often use common words and easy-to-remember passwords. He found a list of 14.5 million commonly used passwords, called RockYou. The RockYou list is based on research into commonly used password patterns. Password lists are getting smarter. Tricks like replacing letters with numbers won't work anymore, because new lists take that into consideration. He failed at first to set things up correctly until he found step-by-step instructions from a famous hacker on how to do it. He could add rules to the dictionary attack, such as appending two numbers to the end of each word in the dictionary. This extends the power of the dictionary, since appending digits is a common way that people create passwords. Password crackers understand the common patterns people use to create passwords and can use rules to test those patterns. Hashcat included a number of predefined rules. After working through some setup issues he was able to crack over 7,500 passwords in 16 minutes.

He also used the brute force method. This tries every combination of a set of characters, one at a time. It can be the most time-consuming method. He was able to find a number of passwords using this method. To speed the attack up he used only lower case letters. He found 334 passwords in a minute. This shows the danger of using short and simple passwords.

He realized he could have cracked even more passwords had he used a more powerful computer or even multiple computers. Some password crackers will also tap into the processing power of the graphics processing unit (GPU). There are other advanced cracking methods, such as rainbow tables, that he did not try.

The author suggested that salted hashes with a stronger algorithm than MD5 be used. Increasing processing power and the growing sophistication of cracking tools are making passwords more vulnerable.
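To make the two points above concrete, here is an added example (my own code, not from the article or from Hashcat) that audits a constructed set of demo hashes with a tiny wordlist plus the "append two digits" rule, and compares the work needed against unsalted MD5 with the work needed against per-user salted PBKDF2. The demo passwords, wordlist and iteration count are all constructed for illustration.

```python
import hashlib
import os

# Constructed demo data: weak passwords of the kind a RockYou-style list
# and an "append two digits" rule would cover. Not from the article.
DEMO_PASSWORDS = ["password12", "letmein", "dragon99", "sunshine07"]
WORDLIST = ["password", "letmein", "dragon", "sunshine", "monkey"]

def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def candidates(words):
    """Each dictionary word, then the word with the rule '00'..'99' appended."""
    for w in words:
        yield w
        for d in range(100):
            yield f"{w}{d:02d}"

def make_unsalted_store(passwords):
    """What the 15,000-entry file in the article looked like: bare MD5 hex."""
    return [md5_hex(p) for p in passwords]

def make_salted_store(passwords, iterations=1000):
    """Recommended form: random 16-byte salt per user and a slow KDF.
    Real deployments use far more iterations than this demo value."""
    store = []
    for p in passwords:
        salt = os.urandom(16)
        store.append((salt, hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations)))
    return store

def audit_unsalted(hashes, words):
    """Unsalted: one MD5 per candidate is checked against every user at once
    via a set lookup. Returns (recovered_count, hash_operations)."""
    targets, found, ops = set(hashes), set(), 0
    for c in candidates(words):
        ops += 1
        h = md5_hex(c)
        if h in targets:
            found.add(h)
    return len(found), ops

def audit_salted(records, words, iterations=1000):
    """Salted: the same candidate must be re-hashed for every user, and each
    hash is deliberately slow. Returns (recovered_count, hash_operations)."""
    found, ops = 0, 0
    for salt, digest in records:
        for c in candidates(words):
            ops += 1
            if hashlib.pbkdf2_hmac("sha256", c.encode(), salt, iterations) == digest:
                found += 1
                break  # stop guessing this user once recovered
    return found, ops
```

Both audits recover the same four demo passwords, but the salted store costs several times as many hash operations, each of which is itself a thousand times slower than MD5; with 15,000 users and a real iteration count the gap becomes the difference between minutes and years.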

The main takeaway I got from this article is that commonly given advice for creating strong passwords may not give people the protection they think. The author was able to crack passwords that would have passed a test of password strength. What makes passwords so vulnerable? To be useful a password has to be remembered. People pick words and patterns that are easy to remember. Crackers are learning these patterns. For security, other methods of authentication, such as biometrics or security keys, may offer better protection. If passwords are to be used, a long randomly generated string would be stronger, although it would be hard to remember.
