How to crack a password
(and other things you should know)
Danielle Adams
02/07/2019
How does an app store a password?
(or, at least, how it should be storing it)
creating a password:
User → inputs password → App → hashes password → Database (stores only the hash, never the password)
input: "password"
hashed password: "cf23df2207d99a74fbe169"
hash
a one-way function that takes a string (ie. a password) and produces a fixed-length value. it is cheap to compute forwards, but there is no practical way to turn the value back into the password. note that two users with the same password get the same hash unless the app also mixes in a random per-user salt, which it should.
signing in:
User → inputs password → App → fetches the stored hash, hashes the input the same way, checks that the two values match → signs user in
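the two flows above, written out as an added example (this is not code from the original slides or from any particular framework). it assumes a salted, deliberately slow hash from the Python standard library (PBKDF2-HMAC-SHA256) and a stored record of the form "pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>", which is this example's own choice of format:

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example: how an app should store and check a password.
# Stored record format (this example's own): "pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>"

ITERATIONS = 600_000  # cost parameter: raise it as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Return a storable record: algorithm, cost, random salt and the derived hash."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user, from the OS CSPRNG
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash from the login input and compare it with the stored one."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record: treat as a failed login, never as success
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # constant-time comparison: no timing leak about how many bytes matched
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed demo data: two users who happen to pick the same password.
# The database would hold only these record strings.
users = {
    "alice": hash_password("correct horse battery staple"),
    "bob": hash_password("correct horse battery staple"),
}

if __name__ == "__main__":
    print("stored record for alice:", users["alice"])
    print("alice, right password:", verify_password("correct horse battery staple", users["alice"]))
    print("alice, wrong password:", verify_password("password", users["alice"]))
    print("same password, same hash?", users["alice"] == users["bob"])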
What happens in a data breach?
database
lists of password hashes end up in the hands of hackers
what's wrong with that? aren't the passwords hashed?
yes, but that is only half of the work
Security 101
it's not a question of if you get hacked,
it's when.
it's the responsibility of websites and companies to make it too hard or costly for hackers to access user data.
a leaked hash is not reversed, it is guessed: the attacker hashes candidate passwords until one produces the same value. how long that takes depends on how fast the hash is and how guessable the password is. a fast hash like MD5 or SHA-1 lets a single GPU try billions of guesses per second; a slow, salted hash like bcrypt, scrypt or Argon2 cuts that to thousands. weak passwords fall in minutes either way, strong ones may take years or never fall at all.
How to crack a hashed password
I've found a list of hashed passwords on the internet. now what can I do with them?
DISCLAIMER
if you obtain any sort of password list illegally or unethically, I do not suggest you do this.
if you decide to do it anyway, you're on your own.
example hash list:
a1bfe34
01bbf82
de9283c
3482498
plaintext passwords:
mypassword
hello5
spot1234
danielle18
there are a few ways to attempt to crack the passwords on the list; we'll discuss 2 of them.
the first is a brute force attack: try every possible combination of characters up to some length and hash each one. the cost grows exponentially with the length and the character set, so this only works against fast hashes and short passwords; against a slow hash like bcrypt, scrypt or Argon2 anything beyond a short password is out of reach.
the other is a dictionary attack: take a list of popular passwords (plus simple rules that mutate them, like appending digits) and hash each candidate until one matches. this is far cheaper than brute force, but it only finds passwords that are in the list or derivable from it, so "stronger" passwords survive it.
hackers run automated programs on a computer (usually one with GPUs) or on any server space they have access to (ie. the cloud) to crack the password.
there are lots of open source projects to do this. I've used 2 of them that work well:
code run to look for matches between the hash list and the candidate passwords
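both attacks above, written out as an added example (this is not code from the original slides or from any real cracking tool). everything in it is constructed: the "leaked" hashes are unsalted SHA-256 digests computed here, and the wordlist is a handful of entries standing in for a real list of popular passwords. one password in the list ("spot1234") is deliberately left uncrackable by both methods to show the failure mode:

```python
import hashlib
import itertools
import string

# Added example of a dictionary attack and a brute-force attack on a list of
# unsalted, fast hashes. Constructed data throughout.

WORDLIST = ["123456", "password", "mypassword", "hello", "danielle", "qwerty", "letmein"]
ALPHABET = string.ascii_lowercase + string.digits  # 36 characters


def sha256_hex(candidate: str) -> str:
    return hashlib.sha256(candidate.encode("utf-8")).hexdigest()


# The breach: the attacker holds only these hashes (constructed from known plaintexts
# so the example is self-checking; a real attacker does not know them).
LEAKED_HASHES = {sha256_hex(p) for p in ["mypassword", "hello5", "spot1234", "danielle18", "ab12"]}


def dictionary_attack(hashes, wordlist=WORDLIST, max_suffix=99):
    """Hash each wordlist entry and simple variants (entry + a number) and report matches.

    Returns (cracked, guesses): cracked maps hash -> plaintext, guesses counts hashes computed.
    """
    cracked, guesses = {}, 0
    for word in wordlist:
        for candidate in [word] + [f"{word}{n}" for n in range(max_suffix + 1)]:
            guesses += 1
            h = sha256_hex(candidate)
            if h in hashes:
                cracked[h] = candidate
    return cracked, guesses


def brute_force(hashes, alphabet=ALPHABET, max_len=4):
    """Try every string over `alphabet` up to max_len characters.

    Cost is the sum of len(alphabet)**k: already about 1.7 million guesses for
    4 characters of [a-z0-9], which is why this only works against fast hashes
    and short passwords. Stops early once every target hash is cracked.
    """
    cracked, guesses = {}, 0
    remaining = set(hashes)
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            if not remaining:
                return cracked, guesses
            candidate = "".join(chars)
            guesses += 1
            h = sha256_hex(candidate)
            if h in remaining:
                cracked[h] = candidate
                remaining.discard(h)
    return cracked, guesses


if __name__ == "__main__":
    found, n = dictionary_attack(LEAKED_HASHES)
    print(f"dictionary: {len(found)}/{len(LEAKED_HASHES)} cracked after {n} guesses: {sorted(found.values())}")
    left = LEAKED_HASHES - set(found)
    found2, n2 = brute_force(left)
    print(f"brute force (<=4 chars): {len(found2)}/{len(left)} cracked after {n2} guesses: {sorted(found2.values())}")
    print("still unknown:", len(left) - len(found2), "(spot1234 is not in the list and too long to brute force)")
```

the dictionary pass needs a few hundred guesses to recover "mypassword", "hello5" and "danielle18"; the brute-force pass needs well over a million to recover "ab12" and still never reaches "spot1234". with a salted slow hash in place of SHA-256 each of those guesses would cost thousands of times more, and a per-user salt would force the whole run to be repeated for every user.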
Why is this a problem?
many people reuse passwords. once an attacker has your email address and the password for one site, they try the same pair on every other site (this is called credential stuffing), so a breach of a forum you don't care about turns into a breach of your email or your bank.
"I don't have anything online that I care if anyone else sees."
How to protect yourself from a data breach
- turn on 2FA everywhere you can
  - avoid text message codes where you have a choice: use an authenticator app on your phone or an external device like a YubiKey
- use a password manager (like LastPass, iCloud Keychain, etc.)
  - as a rule of thumb, the master password should have 4 random words plus a combination of characters and numbers that you will remember; it is the one password you must never reuse
- use a password generator
  - most password managers have this feature, and Safari has recently added a password generator to its browser
  - if you don't have access to your password manager, pick a random password (characters and numbers), sign in, and reset it through your email later
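what a password generator is actually doing, as an added example (not the code of any password manager or browser): random characters or random words drawn from the operating system's CSPRNG via Python's `secrets` module (never `random`), plus the entropy arithmetic that says how big a search space a brute-force attacker faces. the word list is a constructed toy; a real passphrase generator would use a large public list, for example a 7776-word diceware list, which the numbers below assume:

```python
import math
import secrets
import string

# Added example of password and passphrase generation with a CSPRNG.
# WORDS is a constructed toy list; real generators use thousands of words.
WORDS = ["apple", "river", "candle", "orbit", "velvet", "pixel", "harbor", "maple",
         "tundra", "quartz", "saddle", "lantern", "cobalt", "meadow", "falcon", "ember"]
SYMBOLS = string.ascii_letters + string.digits + "!@#$%^&*-_=+"  # 74 characters
DICEWARE_SIZE = 7776  # size of a standard diceware list, assumed for the estimates


def random_password(length: int = 20, alphabet: str = SYMBOLS) -> str:
    """Uniformly random characters: what the 'generate password' button produces."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: int = 4, wordlist=WORDS, sep: str = "-") -> str:
    """Words chosen independently and uniformly; easier to remember for a master password."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices: int, picks: int) -> float:
    """log2(choices ** picks): bits of entropy, i.e. the size of the brute-force search space."""
    return picks * math.log2(choices)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every possibility at a given guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    fast_hash_rate = 1e10   # assumed: roughly one GPU against an unsalted fast hash
    slow_hash_rate = 1e4    # assumed: the same hardware against bcrypt/Argon2
    print("random password:", random_password())
    print("random passphrase (toy list):", random_passphrase())
    for label, bits in [
        ("20 random characters", entropy_bits(len(SYMBOLS), 20)),
        ("4 diceware words", entropy_bits(DICEWARE_SIZE, 4)),
        ("6 diceware words", entropy_bits(DICEWARE_SIZE, 6)),
        ("8 lowercase letters", entropy_bits(26, 8)),
    ]:
        print(f"{label}: {bits:.1f} bits, fast hash {years_to_exhaust(bits, fast_hash_rate):.2e} years, "
              f"slow hash {years_to_exhaust(bits, slow_hash_rate):.2e} years")
```

the table this prints is the reason behind the advice above: 4 random diceware words are about 52 bits, which stands up to online guessing but can be exhausted in days by an offline attack on a fast hash, so a master password should add characters and numbers (or a couple more words), while a 20-character generated password is well beyond any realistic budget even against a fast hash.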
thanks!