How to crack a password

(and other things you should know)

Danielle Adams

02/07/2019

How does an app store a password?

(or, at least, how it should be storing it)

User

App

inputs password

hashes password

Database

input: "password"

hashed password: "cf23df2207d99a74fbe169"

creating a password

hash

one-way function that takes a string (ie. password) and generates a unique value

User

App

inputs password

fetches password

Database

signing in

checks input

signs user in

What happens in a data breach?

database

lists of password hashes end up in the hands of hackers

what's wrong with that? aren't the passwords hashed?

yes, but that is only half of the work

Security 101

it's not a question of if you get hacked,

it's when.

 

it's the responsibility of websites and companies to make it too hard or costly for hackers to access user data.

all hashing algorithms are eventually crackable - some take a few days and some will take months or years.

How to crack a hashed password

i've found a list of hashed passwords on the internet. now what can I do with them?

DISCLAIMER

if you obtain any sort of password list illegally or unethically, I do not suggest you do this.

if you decide to do it anyway, you're on your own.

a1bfe34

01bbf82

de9283c

3482498

mypassword

hello5

spot1234

danielle18

there are a few ways to attempt to crack the passwords on the list, we'll discuss 2 of them.

the first is a brute force attack, which is an attempt of every possible iteration of the password.

 

depending on the hashing algorithm, this may be the best or worst way to crack the password list

the other is a dictionary attack, which will take a list of popular passwords and iterate through the list and try each one until it finds a hash match.

this is computationally less expensive than using brute force, but will not work on passwords that are "stronger".

hackers can run automated programs either on a computer or any server space they have access to (ie. the cloud) to crack the password.

there are lots of open source projects to do this. I've used 2 of them that work well:

 

https://github.com/hashcat/hashcat

https://github.com/magnumripper/JohnTheRipper

a1bfe34

01bbf82

de9283c

3482498

mypassword

hello5

spot1234

danielle18

code run to look for matches

Why is this a problem?

many people are repeat password users. if they have access to your email and password for one login, they can log in anywhere

"I don't have anything online that I care if anyone else sees."

How to protect yourself from a data breach

  • turn on 2FA everywhere you can
    • don't use text message. download an app to your phone or use an external device like Yubikey
  • use a password manager (like LastPass, iCloud Keychain, etc.)
    • as a rule of thumb, the master password should have 4 random words and a combination of characters and numbers that you will remember
  • use a password generator
    • most password managers have this feature, and Safari has recently added a password generator to their browsers
  • if you don't have access to your password manager, pick a random password (characters and numbers) and reset it with your email later

thanks!

How to crack a password

By Danielle Adams

How to crack a password

  • 15
Loading comments...

More from Danielle Adams