Passwords: Hashing, Cracking, and Protection

Passwords: Hashing, Cracking, and Protection

Did you know that there are around 2,200 cyber-attacks every day, which is close to a million every year? Chances are, you’ve probably been a victim of one of these attacks sometime in your life. For instance, you may have received email notifications that somebody logged in to one of your social media accounts at a certain time and location. Personally, it has happened to me a few times and made me think twice about my passwords. Were they too short? Too common? Or are attackers simply becoming very advanced? These questions got me interested in learning more about passwords and their security.

Authentication

Authentication is defined as the act of verifying if someone is who they claim to be. There are several ways of authenticating a user into a system such as biometric, multi-factor, token, and more. While these methods can be extremely sophisticated, they can be costly, lack accessibility and integration into existing systems. This means passwords remain the most common form of authentication and won’t be going away anytime soon.

Password Hashing

Password hashing is defined as transforming a password into an unintelligible series of numbers and letters through a hashing algorithm. Passwords should always be hashed and never stored as plain text in a database. In case of an attack (for instance a SQL injection), your password will not be exposed and will not be useful to an attacker since hashing is one-way (irreversible). That means, a password can be hashed but a hashed password can’t be turned into plain text – or would be very difficult. We call this computably infeasible.

Hashing Algorithms

Hashing algorithms have the following properties:

• They are fast to compute hash values. This is not necessarily good since it would give attackers an advantage in quickly testing out a large number of combinations.
• A small change in the message should extensively change the hash values. The new value should not appear correlated to the old hash.
• The hashes are fixed in length.

There are numerous hashing algorithms. Some common ones include:

• SHA-1 (Securing Hashing Algorithm)

  • Outputs a 40-digit (160 bits) hexadecimal number. SHA1(“hello”) = “aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d”. SHA1(“hello!”) = “8f7d88e901a5ad3a05d8cc0de93313fd76028f8c”.
  • Notice the same length and extensive differences!

• SHA-256

  • Outputs a 64-digit (256 bits) hexadecimal number.
  • Improved security over SHA-1.

• MD5

  • Outputs a 32-digit (128 bits) hexadecimal number.

SHA-1 is considered weak today. Since 2005, there are powerful enough computing resources to find a collision. This happens when 2 different inputs provide the same hash because this number is finite! This means finding SHA-1(something) = SHA-1(something else). An attacker could use a different password and still gain access to an account, something we definitely would not want.

Think about the birthday paradox – if there are 23 people in the same room, what is the probability of 2 people sharing the same birthday? The idea is to calculate the probability of 2 persons not sharing the same birthday. This is equal to 365/365 * 364/365 * … * 343/365 = 49.3%. So, 100% - 49.3% = 50.7%!

Some other password hashing algorithms include bCrypt, Argon2, PBKDF2, and more. These algorithms are slower and offer GPU resistance against cracking tools.

To add an extra layer of security we can also “salt” the password. This is done by adding a few random bits to the password before it is hashed to further increase its security.

Password Cracking

From an offensive perspective, an attacker can use several techniques to crack passwords. Some common ones include:

• Brute force: try every combination of characters. It is powerful on passwords that are short and lack diversity.
• Mask: a variant of brute force which matches patterns such as trailing numbers, the first letter capitalized, etc…
• Dictionary: use a word list to guess the password. This list may include common passwords.
• Hybrid (advanced technique): a combination of brute force and dictionary to apply rules on the wordlist. The rules inform the cracking tool to perform targeted mangling and modify the word in a certain way.
• Rainbow: use a list of pre-computed hashes of dictionary words to crack passwords.

These techniques are implemented by numerous password-cracking tools such as:

• John the Ripper: a CPU-based password-cracking software.
• HashCat: a GPU-based password-cracking software (similar to John the Ripper).
• Aircrack-ng: a network tool to sniff and crack WEP, WPA, or WPA2 passwords.
• THC Hydra: also a network login cracking tool based on HTTP-Proxy, MySQL, SMTP, SSH, Telnet, and more.
• L0phtCrack: A tool used for password recovery and cracking primarily on Windows devices.

Password Protection

As cyber-attacks become more sophisticated, it is important to strengthen your credentials. Here are some (perhaps obvious) tips:

• Use strong passwords:
  • Try to keep them over 10 characters.
  • Use a mix of symbols, upper-case & lower-case letters, and digits.
  • Stick to unpredictable patterns and avoid common sequences of words – a dictionary attack could quickly crack them!
  • Avoid common patterns. For example, passwords starting with an upper-case letter, followed by lower-case letters, and ending with a symbol are very common.
• Use a password manager:
  • Ensure you are not re-using passwords.
  • Some of them have built-in password generators.
• Use 2-factor authentication:
  • Even if an attacker gets hold of your password, having a second layer of authentication (such as a text message, email, face recognition, fingerprint scan & more) will prevent them from accessing your account.

If you are a developer, consider the following:

• Integration with Captcha:
  • It slows down brute force attacks.
  • It requires OCR (Optical Character Recognition) Technology.
• Lock out accounts after multiple failed login attempts:
  • You have probably seen this with smartphones.
• Limit access:
  • If an account is compromised, try to ensure the attacker can only perform limited actions.
• Use hash and salt passwords.

Thank you for your attention. I hope this will give you second thoughts about your passwords!