Passwords are strings of characters that we memorize in order to prove our identity when challenged. The word ‘password’ is sometimes misleading, as a password need not be an actual word and may contain numbers and symbols too. In fact, we will later see that a password that relies less on plain letters and more on numbers and symbols is more secure. Passwords in some business use cases may be numeric only and are then often referred to as a personal identification number (PIN).
All this may sound like 20th-century technology, but passwords have been around since Roman times. Sentries would challenge those wishing to enter an area to supply a password or watchword, and would only allow a person or group to pass if they knew it. Passwords have been used since the earliest days of computing. The first implementation was in the Compatible Time-Sharing System (CTSS), an operating system developed by MIT back in 1961. This OS had a very interesting security feature: when the user entered the password, it turned off the printing mechanism so the password did not appear on the terminal’s paper.
At this point you may be saying, “Yes Abhi, we all know about those hackers out there wearing black hoodies, spending their free time trying to guess people’s passwords”. In fact you are mostly wrong, except for the hoodie part. Most well-developed systems today lock the account after a number of incorrect attempts. So if you open a random website and try to guess your friend’s password, it is highly likely he will be at your door sooner or later. How, then, does an adversary gain access to a string of characters that is stored only in the corners of your brain (probably 🙂)?
Passwords are stored in the form of a hash. Hashing is a one-way function: there is no decryption function that recovers the original password from the hash. To check a password, the system hashes the submitted value and compares the result with the hash it has stored. Below is what the simple password “password” looks like when hashed with the MD5 algorithm.
The most obvious, no-brainer way to break a password is to try every possible combination. This is called a brute-force attack. It is time consuming, and passwords with a larger key space may take years to break. The strength of a password is measured in entropy. Kaspersky Lab created an interactive tool to measure the strength of a password using entropy. A warning before you start googling websites that measure password strength: please do not enter your real passwords into illegitimate websites.
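To make the key-space argument concrete, here is an added example (not code from the original post or from Kaspersky’s tool) that estimates brute-force entropy for a password: it finds the smallest union of character classes that covers the password, computes the key space as alphabet size to the power of the length, and converts that into an expected search time at an assumed guess rate. The character classes, the 1e10 guesses-per-second rate and the assumption that an attacker searches exactly that alphabet are assumptions of this example.

```python
import math
import string

# Character classes used for the key-space estimate. Assumption of this example:
# an attacker is taken to search the smallest union of classes that covers the password.
CHARACTER_CLASSES = {
    "lowercase": string.ascii_lowercase,   # 26
    "uppercase": string.ascii_uppercase,   # 26
    "digits": string.digits,               # 10
    "symbols": string.punctuation,         # 32
}


def alphabet_size(password: str) -> int:
    """Size of the alphabet an exhaustive search must cover for this password."""
    size = 0
    for chars in CHARACTER_CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
    return size


def keyspace(password: str) -> int:
    """Number of candidates of the same length drawn from the same alphabet."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Brute-force entropy: log2 of the key space, i.e. length * log2(alphabet size)."""
    n = alphabet_size(password)
    return len(password) * math.log2(n) if n else 0.0


def expected_crack_seconds(password: str, guesses_per_second: float = 1e10) -> float:
    """Expected exhaustive-search time: on average half the key space is tried.

    The guess rate is a constructed assumption (fast unsalted hash, GPU-class attacker).
    """
    return keyspace(password) / 2 / guesses_per_second


def describe(password: str) -> str:
    """One-line summary for a password, used by the demo below."""
    years = expected_crack_seconds(password) / (365.25 * 24 * 3600)
    return (f"{password!r}: alphabet={alphabet_size(password)}, "
            f"entropy={entropy_bits(password):.1f} bits, "
            f"expected brute-force time ~{years:.3g} years at 1e10 guesses/s")


if __name__ == "__main__":
    # "password" and the two guideline examples from this post
    for pw in ["password", "NY@1964", "T0d@y1sW1ndyD@y"]:
        print(describe(pw))
```

Entropy here is the theoretical brute-force measure only; a password like "password" scores about 37.6 bits but falls to a dictionary attack in its first few guesses, which is why the dictionary attack discussed next is the more important threat.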
The most famous attack against passwords is the dictionary attack. To demonstrate it, I have a file of hashed passwords (hashes.txt) and a dictionary file containing the 14,344,392 most commonly used passwords in the world (rockyou.txt). The hashing algorithm used here is MD5. I will not be covering the types of hashing algorithm in this blog; you can read about them here.
Next, let’s use a tool called hashcat to run a dictionary attack on the hashed passwords we have. The tool goes through the list of known passwords, hashes each one and compares it with the records in “hashes.txt”. Below we can see the result of hashcat: I had 63 hashed passwords and it recovered 45 of them in a matter of seconds.
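The following added example (not code from the original post, and not hashcat’s own code) shows both halves of the story above: how a system verifies a password by hashing the attempt and comparing it with the stored MD5 hash, and why the same one-way hash is no protection against a wordlist, since the attacker hashes each candidate once and looks it up against every stolen hash at the same time. The wordlist and the hashes.txt contents are constructed stand-ins for rockyou.txt and the post’s hashes.txt; the stolen hashes are computed from constructed plaintexts, two of which were chosen to be absent from the wordlist.

```python
import hashlib
import hmac


def md5_hex(password: str) -> str:
    """Hex MD5 digest, the unsalted scheme used for hashes.txt in this post."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def verify_password(stored_hash: str, attempt: str) -> bool:
    """Login-time check: hash the attempt and compare with the stored hash.

    hmac.compare_digest is used so the comparison does not leak timing information.
    """
    return hmac.compare_digest(stored_hash, md5_hex(attempt))


# Constructed stand-in for rockyou.txt (the real file has 14,344,392 entries).
WORDLIST = ["123456", "password", "qwerty", "iloveyou", "letmein", "dragon", "monkey"]

# Constructed stand-in for hashes.txt: the "stolen" hashes are computed here from
# constructed plaintexts; the last two were chosen so they are absent from WORDLIST.
STOLEN_PLAINTEXTS = ["password", "qwerty", "letmein",
                     "the kettle whistled at dawn twice", "T0d@y1sW1ndyD@y"]
HASHES_TXT = "\n".join(md5_hex(p) for p in STOLEN_PLAINTEXTS) + "\n"


def load_hashes(text: str) -> set:
    """Parse a hashes.txt-style file: one hex digest per line, blank lines ignored."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def dictionary_attack(targets: set, wordlist) -> tuple:
    """What a straight-mode dictionary run does: hash each candidate once and look it
    up against every target at the same time. Returns (hash -> plaintext, uncracked)."""
    remaining = set(targets)
    cracked = {}
    for candidate in wordlist:
        if not remaining:
            break
        digest = md5_hex(candidate)
        if digest in remaining:
            cracked[digest] = candidate
            remaining.remove(digest)
    return cracked, remaining


if __name__ == "__main__":
    targets = load_hashes(HASHES_TXT)
    cracked, remaining = dictionary_attack(targets, WORDLIST)
    for digest, plain in cracked.items():
        print(f"{digest}:{plain}")
    print(f"Recovered {len(cracked)}/{len(targets)}; {len(remaining)} not in the wordlist")
```

The two hashes that stay uncracked are the ones whose plaintexts are not in the wordlist, which mirrors the 18 of 63 hashes hashcat could not recover above: a dictionary attack is only as good as its dictionary (plus any transformation rules applied to it), and a fast, unsalted hash like MD5 is what makes trying millions of candidates a matter of seconds.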
At the top are the cracked passwords, and you can see that they are really simple. It is quite shocking that these are so commonly used. An experienced adversary may use a larger dictionary, a large set of password transformation rules and a good graphics processing unit to speed up the task. Many of the exploitation tools today, such as Metasploit, have a built-in dictionary attack mechanism. There are other methods of breaking passwords, such as using a rainbow table. RainbowCrack is a tool that makes use of this technique and is designed to take advantage of NVIDIA and AMD GPUs to increase performance.
Below are some general guidelines on choosing a good password. They will help to slow down an adversary and act as a deterrent.
Use a combination of uppercase and lowercase letters, symbols and numbers. The larger the key space, the longer it will take an adversary to break the password.
Use passwords that are at least 8 characters long.
Use passphrases that you can memorize easily. For example, “today is windy day” can be used as “T0d@y1sW1ndyD@y”.
Do not use passwords that contain your personal information. Example: NY@1964.
Do not give your password to anyone other than the application it is needed for.
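The guidelines above can be turned into an automated check. The following added example (not code from the original post) applies the first four guidelines to a candidate password: minimum length, all four character classes, no personal-information tokens, and not a commonly used password. The common-password set is a constructed sample standing in for a list like rockyou.txt, and the substitution table that maps “@” back to “a”, “0” to “o” and so on is an assumption of this example, added so that a dictionary word dressed up with symbols (such as “P@ssw0rd”) is still caught, while a genuine passphrase like the post’s “T0d@y1sW1ndyD@y” passes.

```python
import string

# Constructed sample of a common-password list (a real check would load rockyou.txt or similar).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "iloveyou", "letmein", "dragon", "ny@1964"}

# Common letter-to-symbol substitutions, undone before the common-password lookup so that
# "P@ssw0rd" is recognised as "password". This table is an assumption of this example.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                          "3": "e", "$": "s", "5": "s"})

CHARACTER_CLASSES = {
    "uppercase": string.ascii_uppercase,
    "lowercase": string.ascii_lowercase,
    "digits": string.digits,
    "symbols": string.punctuation,
}


def normalize(password: str) -> str:
    """Lowercase the password and undo the usual symbol substitutions."""
    return password.lower().translate(LEET_MAP)


def check_password(password: str, personal_info=(), min_length: int = 8) -> list:
    """Return a list of guideline violations; an empty list means the password passes.

    personal_info is an iterable of strings the user should not reuse (name, city,
    birth year, ...). Tokens shorter than two characters are ignored to avoid noise.
    """
    problems = []

    # Guideline: at least 8 characters
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    # Guideline: uppercase, lowercase, digits and symbols all present
    missing = [name for name, chars in CHARACTER_CLASSES.items()
               if not any(c in chars for c in password)]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))

    # Guideline: no personal information
    lowered = password.lower()
    for item in personal_info:
        token = item.lower()
        if len(token) >= 2 and token in lowered:
            problems.append(f"contains personal information: {item!r}")

    # Not in the guidelines list above but what the dictionary attack exploits:
    # reject passwords that appear in a common-password list, before or after
    # undoing symbol substitutions.
    if lowered in COMMON_PASSWORDS or normalize(password) in COMMON_PASSWORDS:
        problems.append("matches a commonly used password")

    return problems


if __name__ == "__main__":
    # Constructed test cases, including the two examples from the guidelines above
    for pw, info in [("T0d@y1sW1ndyD@y", ("New York", "1964")),
                     ("NY@1964", ("NY", "1964")),
                     ("P@ssw0rd", ())]:
        result = check_password(pw, info)
        print(f"{pw!r}: {'OK' if not result else '; '.join(result)}")
```

A checker like this is a deterrent, not a guarantee: it rejects the obviously weak choices the dictionary attack feeds on, but a password that passes every rule can still be weak if it is reused across sites or handed to someone other than the application it belongs to.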
Passwords are generally considered a weak form of authentication, and other methods such as biometrics and multi-factor authentication (MFA) have been introduced to give users an added layer of protection. As users, it is our duty to keep ourselves updated and use the internet consciously.