The Dark Art of Password Cracking  

Imagine you’ve lost your home keys. A stranger finds them and begins trying different keys to enter your home. This scenario encapsulates what password cracking is all about. Password cracking, also known as password hacking, is the process of attempting to guess or decipher a password through to gain unauthorised access to your computer systems or data. This method can allow malicious actors to access sensitive information, leading to serious crimes such as banking fraud and identity theft.  A study of 193 million passwords revealed a stark reality: only two in ten are considered secure. The majority can be cracked within an hour, often in mere minutes, and the cost to attackers is minimal. 

The ease of password cracking is attributed to various methods employed by attackers, from basic dictionary attacks—which involve comparing common words to hashed passwords—to advanced algorithms that generate and test many password combinations. The ease with which passwords can be cracked makes understanding the risks of weak password protection essential. In this article, we’ll examine the dangers of password cracking and explore ways to fortify your digital security. 

The basics of password storage 

Before exploring how passwords are compromised, it’s crucial to understand the typical methods of password storage: encryption and hashing. Encryption takes your plain text password and turns it into an unreadable form (ciphertext). Crucially, this process is reversible, meaning the password manager can decrypt the ciphertext and reveal your original password when needed. In contrast, most online platforms rely on hashing. This one-way process transforms a password into a fixed-sized key, known as a hash value, which cannot be reversed to retrieve the original password. Attackers need this hash before they can even attempt to crack your password. 

Now that we’re familiar with password storage, it’s time to look at how attackers bypass this security. 

Brute-force: Brute-force cracking relies on automated scripts that systematically test various length character combinations. Essentially, the script tries every possible password until it finds a match. Shorter and more common passwords are particularly vulnerable to this type of attack. 

Rainbow Table: A rainbow table is a pre-computed table of stolen hashes used to crack password databases that keep their information encrypted rather than in readable text or plaintext. These tables enable attackers to breach secure systems without guessing the password. 

Dictionary attack: Dictionary attacks use a list of common words, like those found in a dictionary, to guess passwords. This method targets the common tendency for people to choose easily guessed passwords. 

Spidering: Spidering is a technique where an attacker gathers information about a target, often a company, hoping to find clues about how they create passwords. The goal is to build a custom wordlist to speed up password guessing. For example, the attacker targeting a large company might look at the company’s public-facing materials, like social media or marketing campaigns, to identify potential password clues. Sophisticated hackers often automate spidering by using specialised applications. These applications, similar to the web crawlers used by search engines, automatically gather and organise information about a target, creating custom wordlists for password cracking. 

Offline cracking: Offline password cracking happens after attackers have already stolen a bunch of password hashes, often from a data breach. Because they’re working “offline,” they can take their time trying to crack these passwords without worrying about being detected or hitting login limits.  

Password cracking tools 

In addition to the techniques, attackers use specialised software programs to retrieve or uncover passwords that safeguard digital accounts, files, or systems. Popular examples include John the Ripper, Hashcat, Aircrack-ng, and Hydra. 

How good is your password hygiene? 

Develop good password habits to enhance security and prevent attempts at password cracking. Poor password hygiene can make you vulnerable to hackers. Take a moment to evaluate the security of your passwords and assess your habits.  

• Your password should be at least 12 characters long. The shorter it is, the easier it is for hackers to crack. 

• Avoid reusing passwords. Each account should have its own unique password to limit the damage if one account is compromised. 

• Identity verification can protect your account even if a password is compromised. Consider implementing email or SMS confirmation for added security. 

• For better security, use passphrases instead of passwords. Aim for a long phrase with spaces and symbols, and make sure the words are completely random. A strong example: “Crazy robot eats purple grapes quickly!” 

• Get a reputable password manager to simplify password management. But remember, your master password is the key – keep it safe! 

The legal implications 

Password cracking may be employed in authorised contexts, such as penetration testing, security audits, and password recovery (with permission). However, any unauthorised attempt to access systems or data through password cracking is a criminal offence subject to substantial penalties. 

Distilled 

Password cracking poses a significant threat, especially when users opt for weak or commonly used passwords. This vulnerability increases the risk of cyberattacks, making it essential to prioritise digital security. Robust password practices, including the use of strong, unique passwords, are crucial for mitigating this risk. Additionally, continuous vigilance and regular updates to security protocols are essential for maintaining a secure digital presence.