Search icon CANCEL
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Ethical Password Cracking

You're reading from   Ethical Password Cracking Decode passwords using John the Ripper, hashcat, and advanced methods for password breaking

Arrow left icon
Product type Paperback
Published in Jun 2024
Publisher Packt
ISBN-13 9781804611265
Length 168 pages
Edition 1st Edition
Languages
Tools
Arrow right icon
Author (1):
Arrow left icon
James Leyte-Vidal James Leyte-Vidal
Author Profile Icon James Leyte-Vidal
James Leyte-Vidal
Arrow right icon
View More author details
Toc

Table of Contents (17) Chapters Close

Preface 1. Part 1: Introduction and Setup
2. Chapter 1: Password Storage: Math, Probability, and Complexity FREE CHAPTER 3. Chapter 2: Why Crack When OSINT Will Do? 4. Chapter 3: Setting Up Your Password Cracking Environment 5. Chapter 4: John and Hashcat Rules 6. Part 2: Collection and Cracking
7. Chapter 5: Windows and macOS Password Cracking 8. Chapter 6: Linux Password Cracking 9. Chapter 7: WPA/WPA2 Wireless Password Cracking 10. Chapter 8: WordPress, Drupal, and Webmin Password Cracking 11. Chapter 9: Password Vault Cracking 12. Chapter 10: Cryptocurrency Wallet Passphrase Cracking 13. Part 3: Conclusion
14. Chapter 11: Protections against Password Cracking Attacks 15. Index 16. Other Books You May Enjoy

Why are some passwords easier to crack than others?

There are several reasons for this, but it boils down to one thing: how long it takes for a system to guess the password correctly. If we can create passwords that increase the amount of time for this to happen, we are creating a password that is more difficult to crack. If we create passwords that decrease the amount of time needed for password guessing to be successful, we are creating a password that is easier to crack.

So, what are some of the factors that make a password easier (or more difficult) to crack? Some of the most important are as follows:

  • Password length
  • Password complexity
  • Time to hash/encrypt the password

Let’s talk about each of these in turn.

Password length

Password length is often thought about by the end user in terms of the bare minimum. In other words, if a system requires an eight-character password at a minimum, many users will select an eight-character password.

At the time of writing, NIST maintains its password recommendations at an eight-character minimum. This is noted in NIST Special Publication (SP) 800-53B and is updated from time to time. However, NIST also notes that systems should accept a password from a user of at least 64 characters.

Let’s think about that eight-character password for a moment. How many guesses would I need to make to determine someone’s eight-character password? The answer, as with so many things in information security, is that it depends. Let’s start with a simple character set that consists of the 26 (lowercase) letters of the English alphabet. The number of guesses required to successfully determine this password is represented by x to the power of y or xy, where x is the possible characters in each position of the password, and y is the number of total characters in the password. For our 26-character lowercase password, which is 8 characters in length, it will take 268 guesses, or 208,827,064,576 guesses. Note that this is the maximum number of guesses – this represents someone guessing every possible password and only being successful on the last guess. This is a lot of possible guesses! But does this mean this password is secure? Again, it depends. How quickly can we try a guess and validate if it is or is not the password? Even milliseconds less or more per guess can have a large impact on the overall time to work through all the possibilities.

What if we choose a password length that is longer than the minimum recommendation from NIST? What about nine characters with the same lowercase English alphabet? That’s 269 or 5,429,503,678,976. This is, as you might expect, 26 times more guesses than what we needed to make for an eight-character password.

By the time we get to a 12-character password, with our same 26-character set, we are looking at 2612, or 95,428,956,661,682,176 (also known as roughly 95 quadrillion guesses). This is 456,976 times the number of guesses required for an eight-character password!

Visualizing this in a graph (see Figure 1.1), we can see an exponential growth of guesses required for every character increase of the password length:

Figure 1.1 – Number of guesses for 8 to 14-character passwords (26 possible characters)

Figure 1.1 – Number of guesses for 8 to 14-character passwords (26 possible characters)

For those building secure systems, this is good, and this means every character counts when it comes to password length. The longer a password is, the longer it will take to crack, and the more secure (resistant to cracking) it is.

Password complexity

The idea behind password complexity, like password length, is to make a password more resistant to cracking. However, complexity takes a different approach – for every character in the password, we increase the possible characters that can be used to fill that spot. Let’s see how this works in practice by revisiting our math in the previous section.

If we add uppercase English alphabet characters to our lowercase English alphabet characters, we get 52 possible characters. So, now, our 8-character password will require 528 guesses, or 53,459,728,531,456. Here, adding an additional 26 characters significantly increases the number of guesses. Furthermore, because this is an exponential operation, the increase in the number of guesses per character can be visualized in the same way as the 26-character password as length increases (see Figure 1.2):

Figure 1.2 – Number of guesses for eight to 12-character passwords (52 possible characters)

Figure 1.2 – Number of guesses for eight to 12-character passwords (52 possible characters)

As shown in Figure 1.1, increasing password length increases the total guesses required to identify a password. Likewise, in Figure 1.2, we can see that increasing the complexity of the password increases the guesses required, and increasing both length and complexity raises the number of guesses required even faster! So, which is better? Or should we use both? For this answer, we need to look at the math, and then follow it up with psychology.

An eight-character password with uppercase and lowercase letters requires 53,459,728,531,456 (53 trillion) maximum guesses. A 10-character lowercase-only password will require almost three times as many guesses – 141 trillion. Now, let’s move on to the psychology. Which will be easier for a human to remember – an all-lowercase series of characters, or a series of uppercase and lowercase characters? One of two things will likely happen:

  • The user will create a password that’s easy for them to remember by capitalizing the first letter of the password and leaving the rest lowercase. This is trivial to address in cracking and subverts the point of adding the additional character set. If the first letter of the password is capitalized, there are 26 possible choices, meaning the same number of choices when we use lowercase characters. If the user then leaves the rest of the password lowercase, there are only 26 possible choices per character there as well. In this scenario, with an eight-character password, we have 268 possibilities instead of 528 possibilities – the same number as if the password had just been lowercase to begin with!
  • The second possibility is that the user creates a hard-to-remember password and writes it down either on paper or in a password manager. While the use of a password manager is generally desired behavior, writing a password down where it might be discovered is not.

So, where does this leave us? The human mind will find an all-lowercase password to be easier to remember than a series of uppercase and lowercase letters, a series of upper and lowercase letters and numbers, or a series of upper and lowercase letters, numbers, and symbols. We can increase the length of all lowercase passwords and still create a password that is resistant to cracking. This is the current NIST recommendation – the current revision of SP 800-53B suggests that creating a password should not require password composition rules to be used (section 5.1.1.2).

Time to hash/encrypt the password

The third major factor in creating passwords that are resistant to cracking is not in the selection of the password itself, but rather the computational operations to create the hash and how long they take. Think about the number of guesses required for the various types of passwords we discussed earlier. Each of those guesses takes a non-zero amount of time to perform. We must calculate the hash for that password candidate, and then compare it against the known hash to see if they match (meaning our password candidate is our password).

If this operation takes a full second, instead of half a second, the overall time for the cracking process is doubled. In reality, guesses will occur much faster than that but for the sake of illustration, you can see how that makes a huge difference against the number of guesses we are dealing with in these scenarios.

Hashing algorithms are designed to be fast. Hashing is a common computational operation for comparisons, and we want them to be fast. However, we want password hashing specifically to be slow – we want it to be as slow as we can reasonably get away with. The slower the password hashing operation, the more resistant the implementation will be to cracking by making each attempt more computationally expensive. Password hashing algorithms such as PBKDF2 use common hashing algorithms such as SHA-512 but run many rounds of that hashing algorithm to increase the time to create the password hash.

While increased time per hash will result in a slower cracking operation, the cracker can attempt to offset this by increasing the number of hashes they perform per second, either by increasing the computational power used by the cracking process or distributing the load of the cracking operation across multiple computational engines. In Part 2, Password Cracking Types and Approaches, we will look at the overall speed of various cracking operations based on the types of hashes we are cracking.

You have been reading a chapter from
Ethical Password Cracking
Published in: Jun 2024
Publisher: Packt
ISBN-13: 9781804611265
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at €18.99/month. Cancel anytime