
How Hackers Crack Passwords (Part 1)

28 Nov 2016, CPOL, 5 min read

All Memorized Passwords Are Inherently Weak

If you can memorize your password, it is because it is most likely based upon a mnemonic (memory device).

If your password is based upon a memory device, it is most likely based upon a natural language (English, Spanish, etc.) word. Humans tend to memorize based upon words since it is how we communicate.

Word-based Passwords Are Inherently Weak

However, if your password is based upon a word, it is weak.

But, why is that true? To understand the reason that word-based passwords are weak, we must take a look at the methods that hackers use to crack passwords.

One Way Hackers Crack Passwords

Brute Force Attack

Here are the steps that the hacker uses to do that:

  1. Obtain the site's database of passwords
  2. Generate passwords from a natural language dictionary of words
  3. Compare each generated word against the stolen database of passwords until successful

It's a little more difficult than this because most sites do not store their passwords in clear text; instead, they hash those passwords.

What's A Hash?

You can think of a hash as a one-way encryption technique.

That means the algorithm takes an input and always turns that exact input into one and only one output.

A simple diagram of this might look like the following:

[Image: hash algo diagram]

In our example above, we use the ClearText (unencrypted) input of the letter a.

I've made the Hash Algorithm (in this case, we are using SHA256 - Secure Hashing Algorithm) a black box in the diagram because we do not need to know the implementation details of how it works.

Every time we input the value a into the SHA256 algorithm, we are guaranteed the output shown on the right.

That value becomes a unique identifier for the value a.

One-Way Encryption : Hash

We can think of this as a one-way encryption. But why do we call it a one-way encryption? That's because it is infeasible for anyone to reverse the process and turn the hash value (ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb) back into the ClearText (the letter a in our case).

No Known Way To Reverse the Hash Value

Let me say that again. There is no known way to take the hash value and calculate what the original ClearText input was.

That's the power of a secure hashing algorithm.

For Every Input, There Is A Unique Output

Along with that, the hashing algorithm also guarantees that two different inputs will never produce the same hash output.

This holds even if the value is only changed by 1 bit of data (1/8th of an ASCII character as it is stored on a computer).

That means if you hash the two long ClearText values shown below which differ by only one character, the output hash will not be similar at all:

ClearText Hash
thisIsAReallyLongMessageForTestingTheHash 9ef787ac41ec34065c69fecd7413a17ea5765ef1dc58f38d2e51d78917c5d371
thisIsAReallyLongMessageForTestingTheHash2 4a12d57aa0803a16ee84a82ec102686e9130918168327ad4ddee6ba66716a0ad
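The one-bit claim above can be measured directly. The following is an added example, not code from the original article: it flips a single bit of the article's test message and counts how many of the 256 output bits change. The function names (`flip_bit`, `differing_bits`, `avalanche`) are illustrative and assumed here.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of raw bytes."""
    return hashlib.sha256(data).hexdigest()

def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with exactly one bit inverted."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)

def differing_bits(hex1: str, hex2: str) -> int:
    """Number of bit positions in which two equal-length hex digests differ."""
    return bin(int(hex1, 16) ^ int(hex2, 16)).count("1")

def avalanche(message: bytes, bit_index: int = 0) -> dict:
    """Hash a message and a one-bit-different copy, then compare the digests."""
    original = sha256_hex(message)
    changed = sha256_hex(flip_bit(message, bit_index))
    return {
        "original": original,
        "changed": changed,
        # Hashing the same input a second time must give the same digest.
        "same_input_same_hash": original == sha256_hex(message),
        # Out of 256 output bits; no pattern survives from the input change.
        "differing_bits": differing_bits(original, changed),
    }

if __name__ == "__main__":
    print(sha256_hex(b"a"))  # the article's digest for the letter a
    result = avalanche(b"thisIsAReallyLongMessageForTestingTheHash")
    for key, value in result.items():
        print(f"{key}: {value}")
```

For a well-behaved hash, about half of the output bits are expected to differ, which is why the two digests in the table share no visible structure.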

Most Sites Hash Your ClearText Password

This is how most modern sites now store your password. They create a hash from the ClearText password that you've given them. They then store that hash in their database along with your userId so they know which one it is associated with.

This guarantees that no one can ever reverse the hash and discover your password.

Weak and Common Passwords

If you've been following along, you may have thought about how you could go about attempting to break this.

Since a specific ClearText message produces only one SHA256 hash, you could create hundreds of passwords, hash them and then compare those hashes to what is in the site's database of passwords.

But this only works for weak and common passwords.

Dictionary Attack

That's exactly what the hackers do. They generate hashes from every word in the natural language dictionary.

Let's look at an example table of how the hacker might do this (but of course, you'll have to imagine that I have every word from the English dictionary available to me as the hackers do).

ClearText Hash
aardvark cf9c1cb89584bf8c4176a37c2c954a8dc56077d3ba65ee44011e62ab7c63ce2d
aphorism 9238993bf1898c1a0de5f4f04c1a23000e848097b532a543dced7687444ea758
battery f3d1701e1d575e1294786989517866986bc97343e07af63e201f46ba0be5806a
chinchilla 2180cc6f060cdfb71a458b60f404f56d682abaf7efd3df81a957684ab3803f18
despise 9272459bf48061da35d110383b95e5c3287320e40093a07e16227a719efede0c
earth 7b74b418a352d67108173c20c1b16b4b726bad8606be65711ff924dbf9a40670
flavor b5d2f4515ba34f2f83f3a84e6958769f2b89b5ceca3fdfe1b4303eead3507daa
grind 3026fac023c67598797c8c7da4ac6cf653f832b2c9de761d3922fb85ea086b1c
password1 0b14d501a594442a01c6859541bcb3e8164d183d32937b851835442f69d5c94e

Common Passwords

This is also why using a password that is commonly known to hackers, like password1, is so dangerous.

Modern Computing Power

Modern computing power means that hackers can generate hashes for millions of possible passwords and compare each one of those hashes to their stolen password databases in very little time.

Salting the Hash

There is another element of security that is generally applied to this as well, called salting the hash, which would further scramble the hash, but I won't go into that here.
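To show what salting changes from the defender's side, here is an added example (not part of the original article) that stores the same password two ways: as a plain SHA-256 hash, as described above, and with a per-user random salt plus PBKDF2. The precomputed table is built from the article's word list; the function names, record layout and iteration count are assumptions made for this sketch.

```python
import hashlib
import hmac
import os

# Word list taken from the article's example table.
WORDS = ["aardvark", "aphorism", "battery", "chinchilla", "despise",
         "earth", "flavor", "grind", "password1"]

def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

# Hash -> word table, computed once and reusable against every database
# that stores plain, unsalted SHA-256 hashes.
PRECOMPUTED = {sha256_hex(word): word for word in WORDS}

def table_lookup(stored_hash: str):
    """Return the word whose precomputed hash matches, or None."""
    return PRECOMPUTED.get(stored_hash)

def store_unsalted(password: str) -> str:
    """Storage as the article describes it: SHA-256(password) only."""
    return sha256_hex(password)

def store_salted(password: str, iterations: int = 200_000) -> dict:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": derived.hex()}

def verify_salted(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  bytes.fromhex(record["salt"]),
                                  record["iterations"])
    return hmac.compare_digest(derived.hex(), record["hash"])

if __name__ == "__main__":
    print("unsalted lookup:", table_lookup(store_unsalted("password1")))
    record = store_salted("password1")
    print("salted lookup:  ", table_lookup(record["hash"]))
    print("login still works:", verify_salted("password1", record))
```

The salt makes a shared precomputed table useless and gives two users with the same password different stored values; the slow key derivation raises the cost of every guess, but a common password such as password1 remains guessable against a single record.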

What Does This Mean?

This exposes the fact that passwords based upon natural language words are much weaker since the attacker can use all the words in the dictionary to generate passwords, hash them and check them.

Main Point

However, if your password was not based upon a word, it would be far less likely to be hacked.

This leads us to the fact that you really should create your passwords from some random list of characters and numbers.

For example, no hacker could guess your password is:

bdb7085c1cd90f6cc1f44856131a56535c0e493188dc6919b0ef8e3b7cffaf8d

The hacker is not even going to try that, because it would take her too long to even mess with creating an algorithm that checks an almost infinite list of hashes. There isn't enough computing power in the world to make this effective.

That is why your passwords should themselves be based upon a cryptographically strong hash.

That's what CYaPass does for you.

How Could You Remember Your Password?

It is unlikely that you could remember that hash above. Of course, there are people who can do it. But that would be more of a pain than just using the passwords you already use.

That's why you should use C'Ya Pass and forget all your passwords.

C'Ya Pass Generates Cryptographically Strong Hashes For You

All you have to do is:

  1. Supply a site/key (to help you remember what the password is used for)
  2. Draw a pattern

C'Ya Pass will generate a password for you that is a SHA256 Hash. That long password will be your actual password which will then (most likely) be hashed again by the target site you are logging into.

Then, if the site you are logging into ever gets hacked, it is infeasible for the hacker to generate your original long hash password and hack you.

That's how C'Ya Pass makes your passwords stronger and makes it so you never have to memorize a password again.

[Image: cyapass overview]

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


Written By
Software Developer (Senior) RADDev Publishing
United States
"Everything should be made as simple as possible, but not simpler."

Comments and Discussions


Question: Good idea
irneb, 1-Dec-16 19:39
Your method gets something reasonably well sorted out. What a user wants from a password is something reasonably easy to do, something they can easily redo at some later stage. And I congratulate you on making something so simple to use.

Though it's not exactly ground breaking. And not exactly infallible, especially not on the actual security side of the equation.

You're effectively using a pattern instead of a word. Then generating a hash from that, and sending that hash as the clear text. It's certainly a lot better than typing a similarly easy to remember word as the password. Actually the pattern is analogous to a character - it's just a set of indexes to the boxes encoding a glyph. But the biggest problem with the shape idea is that it shouldn't be used in public areas - too easy for other people to see the shape as you draw it on a screen.

If the cracker knows that you've used such a program to generate the password, it's not exactly much more difficult than a dictionary attack. There are certain shapes which everyone tends to draw. Not to mention, few would draw such a shape in discontinuous lines overlapping each other several times. Once they've listed some of these shapes it becomes the same process of generating the hash using the same algo as your program does, then running it through the password-hashing generator in the same way a dictionary attack works. If such shapes are more numerous than the possible words and combinations of words is not something I've seen as being conclusively studied. AFAICT it's just adding an extra process onto the exact same idea, i.e. like having a key to open a box in which you've locked the key to your house.

I'd advise users to draw several shapes over one another, varying one shape flowing into another through a continuous line and others by lifting their finger / unclicking the mouse, but that's similar to stating that they should type several words instead of just one. I.e. the more "secure" it tries to be, the more complicated it becomes to use.

I still feel that a multi-phase access is more usable and safe. Though IMO your idea is at least as secure as the normal passwords system, probably a bit better, though by how much I cannot tell (would need some test data to be objective on this).
