Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Ethical Password Cracking

You're reading from   Ethical Password Cracking Decode passwords using John the Ripper, hashcat, and advanced methods for password breaking

Arrow left icon
Product type Paperback
Published in Jun 2024
Publisher Packt
ISBN-13 9781804611265
Length 168 pages
Edition 1st Edition
Languages
Tools
Arrow right icon
Author (1):
Arrow left icon
James Leyte-Vidal James Leyte-Vidal
Author Profile Icon James Leyte-Vidal
James Leyte-Vidal
Arrow right icon
View More author details
Toc

Table of Contents (17) Chapters Close

Preface 1. Part 1: Introduction and Setup
2. Chapter 1: Password Storage: Math, Probability, and Complexity FREE CHAPTER 3. Chapter 2: Why Crack When OSINT Will Do? 4. Chapter 3: Setting Up Your Password Cracking Environment 5. Chapter 4: John and Hashcat Rules 6. Part 2: Collection and Cracking
7. Chapter 5: Windows and macOS Password Cracking 8. Chapter 6: Linux Password Cracking 9. Chapter 7: WPA/WPA2 Wireless Password Cracking 10. Chapter 8: WordPress, Drupal, and Webmin Password Cracking 11. Chapter 9: Password Vault Cracking 12. Chapter 10: Cryptocurrency Wallet Passphrase Cracking 13. Part 3: Conclusion
14. Chapter 11: Protections against Password Cracking Attacks 15. Index 16. Other Books You May Enjoy

How are passwords stored and used?

While it may seem simple, how a password is stored on a system can have a huge effect on its ability to be recovered via password-cracking operations and how long this can take.

You don’t always need to crack!

Most passwords are stored in authentication systems via some process that renders the password difficult to recover. However, it is not unheard of to come across systems that do not protect user credentials appropriately. You may recall that earlier in this chapter, we discussed the RockYou breach. In the case of RockYou, the company stored user passwords in plaintext (no hashing or encryption), which made recovering user passwords trivial. This meant that once user passwords were made publicly available, they were completely exposed – no password cracking or other complex operations were required; they were simply there for the taking.

Let’s talk about the two types of responsible password storage that we typically see: hashing and encryption.

Hashing

The idea behind password hashing is to store the user’s password so that it cannot be retrieved by anyone. There are several advantages to this approach:

  • For the company that stores the password, this represents a strong level of due diligence and may provide some protections legally
  • Passwords cannot be reverted to plaintext (the original password) from hash values, which means malicious insiders with access to the password storage cannot retrieve the password
  • The existence of standard functions to perform this hashing in many application frameworks means it is easy to implement

At its core, hashing takes a string of plaintext (the password) and converts it into a fixed-length string of unreadable data. This value cannot be reverted to plaintext, which is one of the core differences between hashing and encryption. Also, this hashing process will always return the same value for the same input; this is known as being deterministic. Some types of hashing can also add a salt, which adds additional entropy (randomness) to the generation of the hash value. This salt will be different for every password, which can negate the effectiveness of precomputation attacks – a type of attack that generates all possible hashes in advance of a cracking operation (you may have heard of rainbow tables, which are one type of precomputation attack). Hashing algorithms vary in terms of the number of rounds (hash operations) used to create the hash to be stored, the output length, and several other factors. We will discuss various hashing algorithms later when we dive into different types of password retrieval.

In the case of hashing, passwords are validated during the authentication process by taking the password from the user, hashing it, and comparing it against the stored hash. If they match, the password is correct; if they do not, the password that was entered was incorrect. Once again, hashing further protects the plaintext password during this process by ensuring the plaintext password is never handled by the system after hashing.

Encryption

Encryption differs from hashing in that the ciphertext (the product of the encryption algorithm) can be reversed back to the original plaintext (the password). To do this, one or more encryption keys must be generated and used for encrypt and decrypt operations.

Encryption has some liabilities for use as password storage. The most prominent one is that the ciphertext is reversible, which means that a malicious insider or an external party can retrieve the plaintext passwords if they can obtain the ciphertext and the encryption key(s). Additionally, because it is used in encrypt and decrypt operations, the key(s) must be retrievable, which further increases the potential for mishandling and/or disclosure of the keys.

Easy check for encryption as password hashing (or worse)

Have you ever forgotten a password and used a Forgot Password link or workflow in an application? Odds are, you probably have. If you have ever used the Forgot Password functionality and had your password sent to you via email or some other cleartext method (rather than being prompted to set a new password), this means that your password is stored on that system in an encrypted format. If password hashing was in use, they would not be able to retrieve your plaintext password.Well, there’s one other possibility – the system is storing your password in cleartext, similar to what RockYou did. We have seen how that is a very bad idea, but unfortunately, it is sometimes done.

In the case of authentication with encrypted passwords, the ciphertext can be compared (similar to authentication with hashing in use), or the password can be decrypted and compared to validate the password provided by the user.

While encryption has been noted here for completeness, it is not at all optimal to use encryption for password storage and is not recommended in the NIST 800-53 standards.

You have been reading a chapter from
Ethical Password Cracking
Published in: Jun 2024
Publisher: Packt
ISBN-13: 9781804611265
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image