What is password cracking?
Password cracking is the process of using an application program to identify an unknown or forgotten password that allows access to a computer or network resource. It can help users to recover forgotten passwords and enterprise admins to check if weak passwords are being used in their organizations. Threat actors also attempt to crack passwords to obtain unauthorized access to resources and, sometimes, to compromise the accounts of authorized users.
A password cracker recovers passwords using various techniques. The process can involve comparing a list of words to guess passwords or the use of an algorithm to repeatedly guess the password.
What is the main goal of password cracking?
The main goal of password cracking is to determine and unscramble a password, often for malicious purposes. The password may belong to a user or to an admin. The payout is often higher for cracking an admin's password because it allows the interloper to gain access to privileged systems and sensitive data. For this reason, cracked passwords are important attack vectors in data breaches and privilege escalation attacks.
With the information gained using password cracking, malicious actors can undertake a range of criminal activities. For example, they can use an authorized user's password to steal their banking credentials and even their money. Or they may use the information to steal a user's identity information. Another common application of password cracking is to commit some sort of fraud.
What does a password cracking attack look like?
Most password cracking attacks involve these four steps:
- Choose a cracking methodology, such as a brute-force, dictionary or credential stuffing attack.
- Select a cracking tool.
- Prepare the password hashes for the cracking program. This is done by providing an input to the hash function to create a hash that can be authenticated. Hashes are mathematical functions that change arbitrary-length inputs into an encrypted fixed-length output.
- Run the cracking tool.
At the end of the process, the threat actor may be able to determine passwords and then use them to perpetrate further attacks. A password cracking tool that's powerful enough may even be able to identify encrypted passwords. After retrieving the password from the computer's memory, the program may be able to decrypt it. Or, by using the same algorithm as the system program, the password cracker creates an encrypted version of the password that matches the original.
What are password cracking techniques?
Password crackers may use many different methods to identify correct passwords. The most common methods include the following:
- Brute force. This method involves using automated scripts that run through combinations of characters of a predetermined length. Simply put, the script tries out multiple password combinations until it finds the combination that matches the password. Brute-force cracking works best for short or common passwords because such weak passwords are easier for the script to guess.
- Dictionary search. In this method, a password cracker searches each word in the dictionary -- a list of common words or phrases -- to find and reveal the correct password. Password dictionaries exist for a variety of topics and combinations of topics, including politics, movies and music groups. The cracker automatically checks each word or phrase in the dictionary until it arrives at the correct password.
- Credential stuffing. Credential stuffing is an automated method that involves simultaneously trying known credentials on multiple sites with the goal of gaining unauthorized access to those sites. These credentials are often stolen in data breaches, and threat actors purchase them over the dark web. Credential stuffing takes advantage of the tendency of users to reuse the same password for multiple accounts, creating opportunities for bad actors to launch large-scale intrusions and cyberattacks.
- Malware. Malware such as keyloggers, which track keystrokes, or screen scrapers, which take screenshots, enable malicious actors to gain unauthorized access to passwords without using a password cracking tool.
- Phishing. Threat actors use phishing attacks to gain access to user passwords without having to use a password cracking tool. Instead, a user is fooled into clicking on an email link or downloading an attachment. The attachment could install malware on the user's computer that steals their password, while the link prompts the user to sign in to a false and unsafe version of a website, once again revealing their password.
- Rainbow table. This approach involves using different words from the original password in order to generate other possible passwords. Malicious actors use a rainbow table, which is a list containing leaked and previously cracked passwords. The list enables hackers to easily look up passwords for a given hash. This method is particularly effective for cracking poorly encrypted passwords.
- Guessing. An attacker may be able to guess a password without the use of tools. If they have enough information about the victim or if the victim is using a common enough password, they may be able to come up with the correct characters.
Some password cracking programs may use hybrid attack methodologies that combine the features of brute-force and dictionary attacks. In a hybrid attack, the program searches for combinations of dictionary entries and numbers or special characters appended to the end of the password. For example, it may search for ants01, ants02, ants03, etc. After adding many combinations of these characters, the program tries them in turn until it lands on the correct password.
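The brute-force and credential stuffing techniques in the list above leave different traces in authentication logs, which a defender can tell apart. The following is an added example, not part of the original article; the log format, sample lines and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample log (timestamp, source IP, username, result).
SAMPLE_LOG = """\
2024-05-01T10:00:01 198.51.100.7 alice FAIL
2024-05-01T10:00:02 198.51.100.7 bob FAIL
2024-05-01T10:00:03 198.51.100.7 carol FAIL
2024-05-01T10:00:04 198.51.100.7 dave FAIL
2024-05-01T10:00:05 198.51.100.7 erin OK
2024-05-01T10:01:10 203.0.113.9 admin FAIL
2024-05-01T10:01:11 203.0.113.9 admin FAIL
2024-05-01T10:01:12 203.0.113.9 admin FAIL
2024-05-01T10:01:13 203.0.113.9 admin FAIL
2024-05-01T10:01:14 203.0.113.9 admin FAIL
2024-05-01T10:02:30 192.0.2.44 frank FAIL
2024-05-01T10:02:41 192.0.2.44 frank OK
"""

def failed_logins_by_source(log_text):
    """Map source IP -> {username: failed attempt count}."""
    failures = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guessing
        _, ip, user, result = parts
        if result == "FAIL":
            failures[ip][user] += 1
    return failures

def classify_sources(log_text, account_threshold=4, attempt_threshold=5):
    """Label each source whose failures match one of two patterns:
    many distinct accounts (credential stuffing) or many failures
    against a single account (brute force or dictionary guessing).
    Both thresholds are assumptions chosen for the sample data."""
    findings = {}
    for ip, per_user in failed_logins_by_source(log_text).items():
        if len(per_user) >= account_threshold:
            findings[ip] = "credential stuffing"
        elif max(per_user.values()) >= attempt_threshold:
            findings[ip] = "brute force"
    return findings
```

A single mistyped password followed by a successful login, as with the third source in the sample, stays below both thresholds and is not flagged.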
What are password cracking tools?
The most popular password cracking tools include the following:
- Ophcrack. Ophcrack is a free Windows password cracker with a user-friendly graphical user interface. It uses rainbow tables to crack passwords and also includes a brute-force module to crack simple passwords.
- John the Ripper. John the Ripper is an open source password recovery tool. It works for many operating systems, including macOS, Linux and Windows. This tool, distributed in source code form, supports hundreds of hash and cipher types for user passwords, network traffic captures, encrypted private keys, file systems, archives and more.
- Brutus Password Cracker. Brutus is a portable password cracking tool for Windows systems. It supports various communications protocols for password cracking, including HTTP, Post Office Protocol 3, File Transfer Protocol, Server Message Block and Telnet. Also, it offers three operational modes, enabling users to choose the way they want to view cracked passwords.
- CrackStation. CrackStation is a free password hash cracker that uses massive precomputed lookup tables for cracking purposes. The tables map password hashes and their corresponding passwords and are easy to search due to the indexed hash values. The lookup table for MD5 and Secure Hash Algorithm 1 hashes contains 15 billion entries.
Is password cracking illegal?
The legality of password cracking depends on location and the cracker's intent. For example, using a password cracking tool to retrieve one's own password may be legal and acceptable. However, if the goal is to crack passwords to maliciously steal, damage or misuse someone else's system or data, it is most likely considered illegal.
Unauthorized access to another individual's device can be grounds for criminal charges. Even guessing someone's password without the use of a password cracker can lead to criminal charges. Under U.S. state and federal laws, more charges may be added depending on what the user does once they gain unauthorized access.
How do you create a strong password?
Password crackers can decipher passwords in a matter of days or hours, depending on their own capabilities and also on how weak or strong the password is. To create strong passwords that are more difficult to uncover, users should adopt the following best practices when creating a password:
- Make it at least 12 characters long. The shorter a password is, the easier and faster it can be cracked.
- Avoid easy-to-guess phrases and common passwords. Weak passwords often include something that's personally identifiable to a user, such as their name, birthdate or pet's name. Short and easily predictable patterns, like "123456," "password" or "qwerty," are especially weak passwords that should always be avoided.
- Combine letters and a variety of characters. Adding numbers and special characters, such as periods and commas, to a textual password increases the number of possible combinations, making password cracking harder.
- Avoid password reuse. A person with malicious intent could use a cracked password to access other accounts protected by the same password. This is why it's never advisable to reuse passwords across accounts.
- Pay attention to password strength indicators. Some password-protected systems include a password strength meter, which is a scale that tells users when they have created a strong password.
- Take advantage of password creation tools and managers. Some smartphones automatically create long, hard-to-guess passwords. For example, Apple iPhones create strong website passwords and then store the passwords in the iCloud Keychain password manager. When a password is required, the devices insert the password in the correct field automatically so the user doesn't have to remember what might be a complicated password.
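A password screen that applies the practices above at account creation can also reject the hybrid pattern described earlier (a dictionary word with digits appended, such as ants01). This is an added example, not code from the original article; the word lists are small constructed samples and the requirement of three character types is an assumption.

```python
import re

# Constructed sample lists; a real deployment would load far larger ones.
COMMON_PASSWORDS = {"123456", "password", "qwerty"}
DICTIONARY_WORDS = {"ants", "summer", "dragon", "monkey"}
MIN_LENGTH = 12          # from the article's first recommendation
MIN_CHARACTER_TYPES = 3  # assumption of this example

def strip_affixes(password):
    """Lower-case and remove leading/trailing digits and symbols,
    so 'Ants01!' reduces to its base word 'ants'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())

def character_types(password):
    """Count how many of lower, upper, digit and symbol types appear."""
    checks = (str.islower, str.isupper, str.isdigit,
              lambda c: not c.isalnum())
    return sum(any(check(c) for c in password) for check in checks)

def screen_password(password, personal_terms=()):
    """Return a list of reasons the password is weak (empty if none).
    personal_terms holds strings such as the user's name or pet's name."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 12 characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    if strip_affixes(password) in DICTIONARY_WORDS:
        problems.append("dictionary word with digits or symbols added")
    lowered = password.lower()
    if any(t and t.lower() in lowered for t in personal_terms):
        problems.append("contains personal information")
    if character_types(password) < MIN_CHARACTER_TYPES:
        problems.append("too few character types")
    return problems
```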
Best practices to protect organizations against password cracking attacks
In addition to ensuring that their users create strong passwords, organizations can adopt several best practices to protect their systems and data from the password cracking attempts of threat actors, including the following:
- Encrypt all passwords. Passwords stored in a database should be encrypted. Encrypted passwords need a decryption key; without the key, an attacker isn't able to steal the password.
- Use multifactor authentication. Systems that require MFA ask users to provide multiple authentication factors, instead of just a password. With MFA, even if an attacker is able to crack a password, they aren't able to hack into a system because they don't know the other authentication factors needed for access.
- Regularly update all systems. Regularly updating systems ensures that exploitable vulnerabilities are plugged. This can stop bad actors from being able to hack into systems. Updated systems can also stop malware and keyloggers from stealing passwords.