How hackers crack passwords and why you can’t stop them
Breaking passwords from hashed password files
If all a company’s passwords are cracked at once, it’s usually because a password file was stolen. Some companies have lists of plain-text passwords, while security-conscious enterprises generally keep their password files in hashed form. Hashed files are used to protect passwords for domain controllers, enterprise authentication platforms like LDAP and Active Directory, and many other systems, says Brian Contos, CISO at Verodin, Inc.
These hashes, including salted hashes, are no longer very secure. Hashes scramble passwords in such a way that they can’t be unscrambled again. To check if a password is valid, the login system scrambles the password a user enters and compares it to the previously hashed password already on file.
Attackers who get their hands on a hashed password file use something called “rainbow tables” to decipher the hashes using simple searches. They can also buy special-built hardware designed for password cracking, rent space from public cloud providers like Amazon or Microsoft, or build or rent botnets to do the processing.
Attackers who aren’t password-cracking experts themselves can outsource. “I can rent these services for a couple of hours, a couple of days, or a couple of weeks — and usually that comes with support, as well,” Contos says. “You see a lot of specialization in this space.”
As a result, the times it takes to break hashed passwords, even ones previously thought of as secure, is no longer millions of years. “Based on my experience of how people create passwords, you’ll usually crack 80 to 90 percent in less than 24 hours,” he says. “Given enough time and resources, you can crack any password. The difference is whether it takes hours, days, or weeks.”
This is especially true of any password that is created by humans, instead of randomly generated by a computer. A longer password, such as a passphrase, is good practice when users need something they can remember, he says, but it’s no replacement for strong MFA.
Stolen hash files are particularly vulnerable because all the work is done on the attacker’s computer. There’s no need to send a trial password to a website or application to see if it works.
“We at Coalfire Labs prefer Hashcat and have a dedicated cracking machine supplemented with multiple graphics processing units that are used to crunch those password lists through the cryptographic hashing algorithms,” says Justin Angel, a security researcher at Coalfire Labs. “It isn’t uncommon for us to recover thousands of passwords overnight using this approach.”
Botnets enable mass-market attacks
For attacks against large public sites, attackers use botnets to try out different combinations of logins and passwords. They use lists of login credentials stolen from other sites and lists of passwords that people commonly use.
According to Philip Lieberman, president at Lieberman Software Corp., these lists are available for free, or at low cost, and include login information on about 40 percent of all internet users. “Past breaches of companies like Yahoo have created massive databases that criminals can use,” he says.
Often, those passwords stay valid for a long time. “Even post-breach, many users will not change their already breached password,” says Roman Blachman, CTO at Preempt Security.
Say, for example, a hacker wants to get into bank accounts. Logging into the same account several times will trigger alerts, lock-outs, or other security measures. So, they start with a giant list of known email address and then grab a list of the most common passwords that people use, says Lance Cottrell, chief scientist at Ntrepid Corp. “They try logging into every single one of the email addresses with the most common password,” he says. “So each account only gets one failure.”
They wait a couple of days and then try each of those email address with the next most common password. “They can use their botnet of a million compromised computers, so the target website doesn’t see all the attempts coming in from a single source, either,” he added.
The industry is beginning to address the problem. The use of third-party authentication services like LinkedIn, Facebook, or Google helps reduce the number of passwords that users have to remember. Two-factor authentication (2FA) is becoming common with the major cloud vendors as well with financial services sites and major retailers.
Standards-setting bodies are stepping up, as well, says James Bettke, a security researcher at SecureWorks. In June, NIST released a set of updated Digital Identity Guidelines that specifically address the issue. “It acknowledges that password complexity requirements and periodic resets actually lead to weaker passwords,” he says. “Password fatigue causes users to reuse passwords and recycle predictable patterns.”
The FIDO Alliance is also working to promote strong authentication standards, says Michael Magrath, director of global regulations and standards at VASCO Data Security. “Static passwords are not safe nor are they secure,” he says.
Is your password already stolen?
To target an individual, attackers check if that user’s credentials have already been stolen from other sites on the likely chance that the same password, or a similar password, was used. “The LinkedIn breach a few years back is a good example,” says Gary Weiss, senior vice president, and general manager for security, analytics, and discovery at OpenText Corp. “Hackers nabbed Mark Zuckerberg’s LinkedIn password and were able to access other platforms because he apparently re-used it across other social media.”
The average person has 150 accounts that require passwords, according to research from Dashlane, a company that offers a password management tool. That’s too many passwords to remember, so most people use just one or two passwords, with some simple variations. That’s a problem.
“There is a common misconception asserting that if you have one very complicated password, you can use it everywhere and remain protected,” says Emmanuel Schalit, CEO at Dashlane Inc. “This is categorically false. Hacks are reported after it is too late, at which point your one very complicated password is already compromised, and so is all of your information.” (You can see if your password-protected accounts have been compromised at have I been pwned?.)
Once any one site is hacked and that password stolen, it can be leveraged to access other accounts. If the hackers can get into their user’s email account, they will use that to reset the user’s password everywhere else. “You might have a very good password on your bank or investment account, but if your Gmail account doesn’t have a good password on it, and they can break into that, and that’s your password recovery email, they’ll own you,” Cottrell says. “There’s a number of high profile people who have been taken down by password reset attacks.”
If they find a site or an internal enterprise application that doesn’t limit login attempts, the will also try to brute-force the password by using lists of common passwords, dictionary lookup tables, and password cracking tools like John the Ripper, Hashcat, or Mimikatz.
Commercial services are available in the criminal underground that use more sophisticated algorithms to crack passwords. These services have been greatly helped by the continued leaks of password files, says Abbas Haider Ali, CTO at xMatters, Inc.
Anything a human being can think of — replacing letters with symbols, using tricky abbreviations or keyboard patterns or unusual names from science fiction novels — someone else has already thought of. “It doesn’t matter how smart you are, human-generated passwords are completely pointless,” he says.
The password-cracker apps and tools have become very sophisticated over the years, says Ntrepid’s Cottrell. “But humans haven’t gotten much better at picking passwords,” he says.
For a high-value target, the attackers will also research them to find information that can help them answer security recovery questions. User accounts are typically just email addresses, he added, and corporate email addresses, in particular, are very easy to guess because they are standardized.
How to check the strength of your password
Most websites do a very poor job of telling users whether their chosen password is strong or not. They are usually several years out of date, and look for things like a length of at least eight characters, a mix of upper- and lowercase letters, and symbols and numbers.
Third-party sites will gauge the strength of your password, but users should be careful about which sites they use. “The worst thing in the world to do is go to a random website and type in a password to have it test it,” says Cottrell.
But if you’re curious about how long a password would take to crack, one website you can try is Dashlane’s HowSecureIsMyPassword.net. Another site that measures password strength, checking for dictionary words, leet-speak, and common patterns, is the Entropy Testing Meter by software engineer Aaron Toponce. He recommends choosing a password with at least 70 bits of entropy. Again, he recommends not typing your actual passwords into the site.
For most users — and for the websites and applications they log into — this creates a problem. How are users expected to come up with unique passwords for each site, and change them every three months, long enough to be secure, and still remember them?
“A rule of thumb is, if you can remember it, it isn’t a good password,” says Cottrell. “Certainly, if you can remember more than one or two of them, it isn’t a good password — it’s always a couple of words and the name of the website.”
Instead, he says, use a randomly generated password of the longest length the website allows and store them using a secure password management system. “I have more than 1,000 passwords in my password vault, and they’re almost all over 20 characters,” he says.
Then, for the master password for the vault, he uses a long passphrase. “It should not be a quote or something from any book, but still memorable to you,” he says. “My recommendation for memorability is that it should be extraordinarily obscene — which also make it less likely that you’ll go and tell anyone. If you’ve got a 30-character phrase, that’s effectively impossible to brute force. The combinatorics just explode.”
For individual passwords for websites or applications, 20 characters is a reasonable length, according to Cyril Leclerc, Dashlane’s head of security — but only if they’re random. “Crackers will be able to crack a human-generated password of 20 characters,” he says, “but not for a randomly generated password. Even if someone had computers from the future with unlimited power, the hacker would potentially only be able to crack a single password, and only after spending an astronomical amount of time on the task.”