What is password cracking?
Password cracking is the process of recovering a secret from scrambled (typically encrypted or hashed) text. This very broad term encompasses many types of password storage and scrambling. As such, not all password-cracking operations are created equal – some passwords, as well as methods of password storage, are easier to crack than others. We will discuss this more throughout this book.
Password cracking can be broken down into various approaches to attempt to recover the secret:
- Dictionary-based
- Combination
- Brute force
- Hybrid
- Partial knowledge, also known as mask attacks
Let’s discuss each of these in turn.
Dictionary-based attacks
Dictionary-based attacks, as you might have guessed based on the name, use a list of words or phrases as password candidates – the potential password we will test to see if it is the correct password. This list is informally referred to as a dictionary, even though it may or may not contain dictionary words. The wordlist may not resemble a dictionary much at all. This term is mostly a holdover to earlier times when many passwords were based on dictionary words, before password complexity requirements (such as adding uppercase letters, numbers, and symbols to a password) were common.
Speaking of complexity requirements, it seems like traditional dictionary words would not be as effective as password candidates during a password-cracking operation due to complexity requirements becoming more commonplace. We’ll address that in the upcoming sections.
Constructing a wordlist for a dictionary attack can be simple or a time-consuming effort. However, in many cases, spending time upfront for a good wordlist tailored to your target may reap dividends at cracking time. The tradeoff here is that your wordlist may not be as reusable for other password-cracking situations. We’ll discuss using open source intelligence (OSINT) to help build a wordlist in Chapter 2, Why Crack When OSINT Will Do?
A good and fairly large wordlist to start with is often the RockYou wordlist. This is named after the breach of the RockYou company in 2009, where over 32 million user credentials were exposed. While available in several places on the internet, a common location to download the RockYou wordlist is https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt. This list contains over 14 million unique password candidates and is also included in many common penetration testing distributions, such as Kali Linux (available at https://www.kali.org/get-kali/#kali-platforms) and Slingshot Linux (available at https://www.sans.org/tools/slingshot/).
Combination attacks
Combination attacks take two wordlists as input and concatenate (append together) one password candidate from each list to create the password candidate for testing purposes. For example, one wordlist might contain the words word1 and word2, while the second wordlist might contain the words word3 and word4.
In this scenario, a combination attack would use a word from both lists to create potential password candidates, such as word1word3, word1word4, word2word3, and word2word4.
Current guidance from the National Institute of Standards and Technology (NIST) recommends password length over complexity for the best resistance to password cracking. This helps encourage our users to create a password that is easy to remember but hard to crack and reflects the current guidance from NIST. This can be performed by stringing several dictionary words together and adding a mnemonic to help the user remember the password. This is only one approach, but this example points out – in conjunction with the current NIST guidance – that combination approaches to password cracking may be more effective as more users follow the guidance to shift to passphrases.
That being said, some standards may slow the adoption of longer, less complex passphrases. For example, the Payment Card Industry Data Security Standard (PCI-DSS) standard, which is required for merchants processing credit card data, requires 12-character passwords, as well as letters and numbers for passwords associated with accounts that have access to cardholder data.
Brute-force attacks
Brute-force attacks do exactly what their name suggests – every position in the password candidate is filled with every possible candidate for that position. For example, if a password can only be eight characters long, a brute-force approach might attempt aaaaaaaa as the password candidate, then attempt aaaaaaab, and so on, until the possibilities for the password are all attempted – exhausted. The problem with this approach is that once a password reaches any reasonable length, the time to perform this style of attack becomes untenable. Additionally, the number of character sets available to use for the password (lowercase, uppercase, numbers, and symbols) will also greatly increase the number of guesses to complete this kind of attack.
The good news for password cracking is that it is possible to crack any password with this approach. However, the amount of time it would take with today’s computing power makes it essentially folly for larger passwords or more complex (more time-consuming for each password guess) algorithms.
Hybrid attacks
Hybrid attacks merge some of the characteristics of combination attacks and brute-force attacks. A hybrid attack uses a wordlist as its base, then modifies the words in the wordlist by adding one or more characters to the word and brute-forcing the character space associated with that. As an example, let’s say I have the following word from my wordlist:
banana
However, I know the password policies of my target require a number in every password. I might try a hybrid attack that takes my word from my wordlist and adds a number after the word. So, now, my password candidates are as follows:
banana1 banana2 banana3 banana4
This allows us to test environments more effectively where users often append (add to the end) or prepend (add to the beginning) some base dictionary word for their password.
Partial knowledge, also known as mask attacks
Mask attacks leverage the idea that we partially understand the format used to construct a password to create a brute-force-like approach that is sped up due to assumptions we make about the password format.
An example will be helpful here. Let’s say that we are testing passwords for a company that requires one uppercase character, one lowercase character, and a number for their passwords. This is a common password complexity requirement in many companies, and many users will meet this requirement by taking a word (dictionary or otherwise), capitalizing the first letter of the word, and appending one or two numbers to the word.
Incidentally, this type of password requirement, along with 90-day password rotation intervals, can lead to the dreaded season-year password, where users will set their password to the name of the current season (Spring, Summer, and so on) and append a two or four-digit year to the password (Spring22/Spring2022, Summer22/Summer2022, and so on).
These complexity requirements may lead us to construct a mask for the password that assumes the user will choose a password that starts with a capital letter, then has five or six characters of lowercase letters, and ends with two or two digits from base10 numbering (0-9). This mask will attempt to brute-force any passwords meeting these lengths and criteria. While this will not retrieve every password in a given list, this approach historically yields high percentages of cracked passwords since this approach is a common one for users to take when constructing passwords.
Important note
We will suggest better methods for password construction and mitigations in Chapter 11.
