How to crack a password
(and other things you should know)
How does an app store a password?
(or, at least, how it should be storing it)
hashed password: "cf23df2207d99a74fbe169"
creating a password
one-way function that takes a string (i.e. the password) and generates a unique value
signs user in
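The "creating a password" and "signs user in" steps above, as an added example that is not code from the original talk: the app never stores the password itself, only a random per-user salt and the output of a slow one-way function (PBKDF2-HMAC-SHA256 via the standard library). The iteration count is an assumed value; deployments tune it to their hardware.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters (not from the talk): work factor and salt size.
ITERATIONS = 200_000
SALT_BYTES = 16


def create_password(password: str, salt: Optional[bytes] = None,
                    iterations: int = ITERATIONS) -> dict:
    """Hash a new password and return the record the app would persist.

    The salt is random per user, so two users with the same password
    end up with different stored hashes and one cracking table cannot
    serve every account in a breached list.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {
        "algorithm": "pbkdf2_sha256",
        "iterations": iterations,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def sign_in(record: dict, attempt: str) -> bool:
    """Re-run the one-way function on the sign-in attempt and compare.

    The stored value is never decrypted (it cannot be); the app only
    checks whether the attempt hashes to the same digest.
    """
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        attempt.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    # Constant-time comparison so response timing does not leak how
    # many leading bytes of the digest matched.
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    stored = create_password("correct horse battery staple")
    print(stored)
    print("login ok:", sign_in(stored, "correct horse battery staple"))
    print("login ok:", sign_in(stored, "wrong password"))
```

The record holds the algorithm name and iteration count alongside the hash so the app can raise the work factor later and re-hash each user's password at their next successful sign-in.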
What happens in a data breach?
lists of password hashes end up in the hands of hackers
what's wrong with that? aren't the passwords hashed?
yes, but that is only half of the work
it's not a question of if you get hacked,
it's the responsibility of websites and companies to make it too hard or costly for hackers to access user data.
all hashing algorithms are eventually crackable - some take a few days and some will take months or years.
How to crack a hashed password
I've found a list of hashed passwords on the internet. now what can I do with them?
if you obtain any sort of password list illegally or unethically, I do not suggest you do this.
if you decide to do it anyway, you're on your own.
there are a few ways to attempt to crack the passwords on the list; we'll discuss two of them.
the first is a brute force attack, which tries every possible combination of characters for the password.
depending on the hashing algorithm, this may be the best or worst way to crack the password list
the other is a dictionary attack, which takes a list of popular passwords, hashes each one in turn, and stops when a hash matches one on the list.
this is computationally less expensive than brute force, but will not work on passwords that are "stronger" (ones that are not in any dictionary).
hackers can run automated programs either on a computer or any server space they have access to (i.e. the cloud) to crack the passwords.
code run to look for matches
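The two attacks described above and the cost comparison behind "some take a few days and some will take months or years", as an added example that is not code from the original talk. The breached hash list and the wordlist are constructed sample data; the hashes are unsalted SHA-256 so that a single lookup table covers every user, which is exactly the property a per-user salt removes. The hash rate passed to the cost estimate is an assumption, not a measurement.

```python
import hashlib


def sha256_hex(text: str) -> str:
    """Fast, unsalted hash: the weak storage choice this example audits."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed sample data: a small "popular passwords" list and three users,
# two of whom picked a password from that list.
WORDLIST = ["password", "123456", "qwerty", "letmein", "iloveyou"]
BREACHED_HASHES = {
    "alice": sha256_hex("letmein"),
    "bob": sha256_hex("iloveyou"),
    "carol": sha256_hex("Tq9#vLp2!xR4mW"),  # not in any wordlist
}


def dictionary_check(hashes: dict, wordlist: list) -> dict:
    """Dictionary attack as the talk describes it: hash each candidate once,
    then look the stored hashes up in that table.

    Returns user -> matching candidate. Because the hashes are unsalted, the
    wordlist is hashed once for all users; with a per-user salt the whole
    table would have to be rebuilt for every account.
    """
    lookup = {sha256_hex(word): word for word in wordlist}
    return {user: lookup[h] for user, h in hashes.items() if h in lookup}


def brute_force_keyspace(charset_size: int, length: int) -> int:
    """Number of candidates an exhaustive search of a fixed length must try."""
    return charset_size ** length


def brute_force_days(charset_size: int, length: int, hashes_per_second: float) -> float:
    """Worst-case wall-clock days to exhaust the keyspace at an assumed hash rate."""
    return brute_force_keyspace(charset_size, length) / hashes_per_second / 86_400


if __name__ == "__main__":
    print("dictionary matches:", dictionary_check(BREACHED_HASHES, WORDLIST))
    # Assumed rate: 1e10 unsalted SHA-256 hashes per second on rented GPUs.
    for length in (6, 8, 10, 14):
        print(f"{length} printable chars: {brute_force_days(95, length, 1e10):.3g} days")
```

Running this shows the asymmetry the talk points at: the weak passwords fall to a five-entry wordlist instantly, while each extra character multiplies the brute-force keyspace by the size of the character set, so the same assumed hardware moves from minutes at six characters to days at eight and to geological time at fourteen. Switching storage to a salted, slow function (as in the sign-in example) lowers the attacker's hash rate by the work factor and forces the dictionary to be re-hashed per user.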
Why is this a problem?
many people are repeat password users. if hackers have your email and password for one login, they can log in anywhere you reused that password
"I don't have anything online that I care if anyone else sees."
How to protect yourself from a data breach
- turn on 2FA everywhere you can
  - don't use text message. download an app to your phone or use an external device like a YubiKey
- use a password manager (like LastPass, iCloud Keychain, etc.)
  - as a rule of thumb, the master password should have 4 random words and a combination of characters and numbers that you will remember
- use a password generator
  - most password managers have this feature, and Safari has recently added a password generator to its browser
  - if you don't have access to your password manager, pick a random password (characters and numbers) and reset it with your email later
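The master-password rule of thumb and the password generator advice above, as an added example that is not code from the original talk: a generator that draws four random words plus digits and a symbol from a cryptographically secure source, with an entropy estimate so the strength can be compared against the brute-force numbers from earlier. The word list here is a constructed eight-word stand-in; a real generator uses thousands of words, which is where most of the entropy comes from.

```python
import math
import secrets
import string

# Constructed stand-in word list (assumption: a real list has thousands of entries).
SAMPLE_WORDS = ["river", "lantern", "copper", "violet",
                "meadow", "anchor", "harbor", "timber"]
SYMBOLS = "!@#$%^&*"


def generate_passphrase(wordlist, words=4, digits=2, symbols=1, separator="-"):
    """Four random words plus characters and numbers, joined by a separator.

    secrets.choice uses the OS CSPRNG; random.choice is seeded predictably
    and must never be used to pick secrets.
    """
    parts = [secrets.choice(wordlist) for _ in range(words)]
    parts.append("".join(secrets.choice(string.digits) for _ in range(digits)))
    parts.append("".join(secrets.choice(SYMBOLS) for _ in range(symbols)))
    return separator.join(parts)


def entropy_bits(wordlist_size, words=4, digits=2, symbols=1, symbol_set=len(SYMBOLS)):
    """Bits of entropy assuming the attacker knows the exact generation scheme.

    Each independently chosen component contributes log2(number of options);
    the words dominate once the list is large.
    """
    return (words * math.log2(wordlist_size)
            + digits * math.log2(10)
            + symbols * math.log2(symbol_set))


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS))
    print(f"8-word list:    {entropy_bits(8):.1f} bits")
    print(f"7776-word list: {entropy_bits(7776):.1f} bits")
```

With the toy list the result is only about 22 bits, well inside dictionary-attack range; with a 7776-word list the same shape exceeds 61 bits, which is the difference between a passphrase that looks strong and one that is.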
By Danielle Adams