A very interesting topic in the field of IT security is password cracking. The password is the number one means of authentication on the Internet and is used on almost every website where it is possible to create your own account. Since most users use passwords that are too short and too weak, the brute force attack has become very popular with criminals.
Cracking passwords with the brute force attack
The brute force attack works by trying all possible combinations for a password. Due to the ever-increasing computing power of current graphics cards, criminals can try a very large number of candidate passwords in a relatively short time. The standard method for storing passwords in your own data sets, and also for protecting passwords during authentication, is so-called hashing.
With hashing, the entered password is transformed into another string so that someone who knows the hash cannot deduce the original password. The special thing about hash functions is that the same password always leads to the same hash, but as soon as a single character in the password is changed, the resulting hash looks completely different.
For example, the MD5 hashes of the words Passwordd and passwordt look completely different and allow no conclusion about the hashed word.
For attackers it is now very interesting to find out the password, but for this the attacker first needs the hash, so that they can compare against it later. Through public WLANs, for example, attackers can intercept hashes and then try to find the corresponding password. Instead of the password, the attacker only sees a long, random-looking combination of letters and numbers.
An attacker who wants to guess the victim's password tries all possible passwords and hashes them with the same method the server uses. The resulting string is compared with the intercepted or stolen hash, which shows whether the tried combination corresponds to the real password.
What is a password hash anyway?
With the help of a password hash it is possible to store passwords securely. As long as passwords are still used and required for authentication, one has to think about storing them securely! But what is behind a hash, and how does it work together with salt and pepper to achieve more security when storing passwords?
What is shown in the upper part of the infographic: Password Hash?
The first section of the graphic explains the basics: why passwords are worth protecting, and that a password is never stored in plain text but as a hash. The calculation of the password hash is a mathematical function that transforms the password. In particular, it is a cryptographic function, also called a one-way function.
Calculating the hash from the password is simple, but not the other way around. When a password is entered, it is not the password that is compared; instead, its calculated hash is compared with the one stored in the database. A collision occurs when two different passwords have the same hash. This should not happen in practice, but cannot be ruled out theoretically, since a hash has a fixed length, whereas a password rarely does.
Different cryptographic functions differ in how well they work. In the infographic, good cryptographic functions are shown as a green comet, less good ones in orange and bad ones in red. The age of a hash function plays an important role, as increasing computing power allows more calculations to be performed faster. Thus, hash algorithms that are considered secure today will become computable in the future.
What is shown in the lower part of the infographic: Password Hash?
The lower part of the infographic is dedicated to how one can fall victim to an attack despite storing the password as a hash. Here the infographic explains the most common methods:
Furthermore, the salt is mentioned, which gives the hash an additional plus in security. The pepper is also mentioned. In the bottom part of the infographic it gets a bit more specialised. There, for example, developers are advised never to implement cryptographic functions themselves. The custom hardware attack and GPU resistance are mentioned at the end. Some of the representations of the hashes are unfortunately not up to date (e.g. SHA-1). But the explanations prompted us to share this infographic.
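The hash, salt and pepper roles described above, as an added example that is not part of the original post or the infographic: plain MD5 (as in the Passwordd / passwordt comparison) is deterministic and fast, while the storage routine below adds a per-user salt, a server-side pepper (a hypothetical configuration secret) and a deliberately slow iterated hash, and verifies by comparing hashes rather than passwords.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Hypothetical server-side secret (the "pepper"): lives in configuration, never in the database.
PEPPER = b"example-pepper-kept-out-of-the-database"
ITERATIONS = 100_000   # demo value; production PBKDF2-SHA256 should use several hundred thousand

def md5_hex(word: str) -> str:
    """Unsalted MD5 as in the infographic: deterministic, so equal passwords give equal hashes."""
    return hashlib.md5(word.encode()).hexdigest()

def differing_bits(hex_a: str, hex_b: str) -> int:
    """Count how many of the 128 MD5 output bits differ (illustrates the avalanche effect)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). The salt is stored beside the digest; the pepper is not."""
    if salt is None:
        salt = os.urandom(16)   # per-user random salt: identical passwords no longer share a hash
    # Pepper mixed in via HMAC, so a stolen database alone is not enough to check guesses.
    peppered = hmac.new(PEPPER, password.encode(), hashlib.sha256).digest()
    # Deliberately slow, iterated hash instead of a single fast MD5 round.
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """The server never compares passwords, only recomputed hashes, in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)
```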
A password hash protects user and platform!
Passwords are an easy way to implement user authentication. However, storing a password securely in the long term, so that it is not lost even if the data is stolen, is a complex undertaking. Thanks to this infographic the mystery of secure password storage opens up a bit. The arrangement of the elements in this infographic makes sense, as it gets more and more complex.
Current performance based on MD5
One hash method that is now considered insecure but is still commonly used is MD5. The following table shows how long a normal laptop without a dedicated graphics card needs to crack a 6, 7, 8, 9 or 10 character password:
Password length | Time to crack (MD5)
--- | ---
7 characters | 0.47 minutes
8 characters | 33.9 minutes
9 characters | 40.7 hours
10 characters | 122.1 days
In this calculation we assume a character set of 72 characters per position: 10 digits, 52 letters (lower and upper case) and 10 special characters (more are hardly used in practice).
It quickly becomes apparent that a password of more than 9 characters can only be cracked with great effort. However, for the above table we only used a laptop that achieves approx. 875 MH/s. MH/s stands for megahashes per second, i.e. the number of hashes that can be generated per second. A laptop with approx. 875 MH/s can accordingly generate 875,000,000 hashes per second.
If you want to test how strong your graphics card or notebook is, you can easily run a benchmark with hashcat. After you have installed hashcat on your system, run the command:
  hashcat -b
Different possibilities of hashcat
The GIF above shows the benchmark mode of hashcat. This mode measures how many hashes per second can be generated for each hash type. MD5 is an older method, and therefore hashes are generated much faster with it than, for example, with sha512crypt.
hashcat has several other modes; the command hashcat -h gives a detailed description of the available configuration options. We take a closer look at the different attack modes in the following:
- Brute force attack: The simplest but nevertheless promising attack is the brute force attack. In hashcat it is run as attack mode 3 (-a 3), which is defined as the mask attack; the brute force attack is a special form of the mask attack. Besides the attack mode we need to tell hashcat which method was used to hash the hashes we want to crack: hash type 0 (-m 0) stands for MD5. A text file with the hashes to be cracked should also be ready before starting the attack. Hashcat also needs the number of characters of the passwords to be tried and which characters to use. Since any character can occur in a brute force attack, we use ?b as the placeholder. The attack is started with:
  hashcat -a 3 -m 0 /local/file/with/hashes.txt ?b?b?b?b?b?b
  In this example we assume a 6-character password that can contain any character in any position.
- Combinator attack: The next attack, the so-called combinator attack, is attack mode 1. For this attack we need two different word lists. The lists can be supplemented by different options, e.g. -j "$&" appends an & character to every word of the first word list, so that the combined candidates look like word1&word2. The combinator attack creates one large word list from the two word lists by joining every word of the first list with every word of the second list into a single candidate.
  hashcat -a 1 -m 0 /local/file/with/hashes.txt /local/wordlist1.txt /local/wordlist2.txt -j "$&"
- Dictionary attack: As the name says, the dictionary attack uses a dictionary. Almost any word list can be used for this; the special thing is that hashcat already provides rules that can be applied to the dictionary so that as many hashes as possible are cracked. By adding the -O option the attack runs much faster, but then only passwords up to 27 characters long can be cracked.
  hashcat -a 0 -m 0 /local/file/with/hashes.txt /local/wordlist.txt -O
- Hybrid attack: The hybrid attack combines a mask attack, which we have already met as the brute force attack, with a dictionary attack. The problem with a mask attack is that from a password length of approx. 8 characters the run time becomes very long. In the hybrid attack a word list is combined with a mask, so that, for example, everything from September0000 to September9999 is tried. For this, ?d is used instead of the ?b of the brute force attack; ?d stands for the digits 0-9. With attack mode 6 the mask is appended after the word, with attack mode 7 it is prepended before it.
  hashcat -a 6 -m 0 /local/file/with/hashes.txt /local/wordlist.txt ?d?d?d?d
- Mask attack: We have already met the mask attack in the form of the brute force attack. But besides ?b, which stands for all characters, and ?d, which stands for the digits, there are several other predefined placeholders that can be used for password cracking:
  hashcat -a 3 -m 0 /local/file/with/hashes.txt ?u?l?l?l?d?d?d?d
Cracking passwords with new graphics cards
The above numbers can already seem scary, because a 6-character password hashed with MD5 can be cracked by a single MacBook within seconds. To increase the number of hashes that can be generated per second, graphics cards are used.
There are various pages listing current benchmarks for various graphics cards, for example the GitHub repository of the user siseci, but also other sites such as onlinehashcracks.
The GitHub repository lists a setup consisting of ten Nvidia GTX 1080 Ti cards. A single Nvidia GTX 1080 Ti achieves about 35000 MH/s; combined, MD5 hashes can be generated at about 355 GH/s. The cost of this setup was about 10000 €, and it results in roughly the following numbers for password cracking:
In this calculation we assume a character set of 72 characters per position: 10 digits, 52 letters (lower and upper case) and 10 special characters (more are hardly used in practice). This system also shows why short passwords become more insecure every year. The ten Nvidia GTX 1080 Ti cards mentioned above are by far not the fastest graphics cards on the market any more. Nvidia's currently most powerful graphics cards, the RTX 3080 series, manage 54033 MH/s. This corresponds to a performance increase of over 50%. It is therefore important to keep in mind that it becomes easier for attackers to guess shorter passwords with every year, because the computing power of current PC hardware increases year after year.
Cracking passwords – protection for your own passwords
These examples have shown how important it is to use a long password. Even current hash methods can be cracked with enough computing power, so that your password is stolen. The easiest way to protect yourself is to use sufficiently long passwords. We have seen that with the various setups, passwords under 10 characters do not offer proper protection.
Our recommendation is to choose a password of at least 12 characters. In addition, this password should not be reused, so that if your password is cracked only one account can be taken over.