I have been fascinated with computer security as of late, studying what I would consider one of the weaker points of network security: the password. Now most of you are probably saying, “but my password is totally fine, it’s all lowercase letters with a few numbers at the end, or letters changed to a numerical equivalent.” (Seriously, if that is you, read to the finish and then change your password accordingly.)
“How would a hacker get my password?” you might ask. Various methods can be used. Phishing, for one: emails sent pretending to be from a website, saying something to the effect of “please login now to verify the recent changes to your account” or “a hacker has attempted to login with your username and password, please login to…”, followed, of course, by a link. You might become justifiably concerned and immediately click the link in the email to check. From there you hit the login screen, enter your info and login to the desired webpage. What you missed was the fact that the “official” site you were linked to was actually a web server NOT owned by the company holding the account. You were so worried about having been compromised that you unknowingly gave your password to the hacker in plain text.
Another route to demolishing passwords is cracking, with a brute forcer like Hashcat, Hydra, John the Ripper, etc. Direct password attacks like this can be carried out in a couple of different ways. An easy route would be via poor clicking habits, such as the click-through from the first example, thereby gaining control over your browser and then delivering code directly to the computer from there. One could potentially install malware, such as the ever useful mimikatz, or even full-on back doors they can access at any time. Mimikatz is a useful tool for password recovery, in the right hands. However, when used illegally, one can efficiently pull your passwords, either in plain text or, if the access isn’t privileged enough, as a hash.
[Image: encrypted passwords and their cracked plaintext, gathered during my learning entirely from publicly available, legal sources. The number before “2013.cracked” is the number of passwords cracked in a 15 second test run against a file containing over 17 million encrypted passwords.]
The way your computer stores the passwords you save (the browser is a separate beast) is in what’s called a hash (exactly as you just saw in the image above). As an example, I took the string “this is a hash” to a site that turns plain text into an MD5 hash (the most likely hash format for your passwords). The resulting MD5 hash is “6e1afdb7f7c456773345d796c0d4490c.” I highly recommend going to this site (MD5 Hash Generator) and entering your password, or at the very least a similar one, and clicking the generate button. We will be performing a simple audit with the hash you generated shortly.
So if you’ve decided to challenge my claim about your password potentially being easy to crack, simply navigate to Crackstation, paste your freshly generated hash into the input box and run it. This site utilizes a dictionary-based password cracker (the same attack I ran for 15 seconds against the massive list above) and a hell of a lot of hashing power to complete the crack. A dictionary attack requires a file containing a multitude of passwords that have previously been cracked, or are just horribly common password fails. Crackstation is above and beyond with their dictionary, as they have included the cracked passwords of all major password dumps (often posted directly to Pastebin, automatically, by the malware you could be infected with). For those thinking this cannot possibly include you, best believe that there are numerous LARGE sites and services that have been victims of attacks that caused millions of users’ account data to be dumped. For example LinkedIn, Adobe, Tumblr, and, as of last month, a 68 million account data breach at Dropbox. If you have had accounts with any of these services, do navigate to Have I Been Pwned and enter the email address you’re concerned about; it’ll check the dumped data and return how many lists you appeared on. Several of my long unused emails were found on five different breach lists. Don’t
[Image: top 10 data breaches according to haveibeenpwned.com. For a complete list, click the button.]
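The audit the post walks you through (an unsalted MD5 hash looked up against a breach-derived dictionary) as a small self-contained script. This is an added example, not code from the original post or from Crackstation; the accounts, passwords and wordlist in it are constructed here and are not real data.

```python
import hashlib

# Constructed sample accounts standing in for a leaked credential dump.
# They are hashed below so the script is self-contained; nothing here is real data.
LEAKED_PLAINTEXTS = {
    "alice@example.com": "password123",
    "bob@example.com": "letmein",
    "carol@example.com": "Tr0ub4dor&3",      # leetspeak substitutions, still in wordlists
    "dave@example.com": "q7$Lp!2vX9#mWz",    # 14 chars, all four character classes
}

# Constructed wordlist standing in for a dictionary built from previous dumps.
WORDLIST = ["123456", "password", "password123", "letmein", "qwerty",
            "Tr0ub4dor&3", "iloveyou", "monkey", "dragon", "football"]


def md5_hex(plaintext: str) -> str:
    """Unsalted MD5 hex digest, the storage format the post describes."""
    return hashlib.md5(plaintext.encode("utf-8")).hexdigest()


def build_dump(accounts: dict) -> dict:
    """Simulate what a leaked dump looks like: email -> MD5 hash, no salt."""
    return {email: md5_hex(pw) for email, pw in accounts.items()}


def dictionary_audit(dump: dict, wordlist: list) -> dict:
    """Hash every wordlist entry once, then look each leaked hash up in that table.
    Because the hashes are unsalted, one table serves every account at once.
    Returns email -> recovered plaintext for every hash found in the dictionary."""
    lookup = {md5_hex(word): word for word in wordlist}
    return {email: lookup[h] for email, h in dump.items() if h in lookup}


if __name__ == "__main__":
    dump = build_dump(LEAKED_PLAINTEXTS)
    cracked = dictionary_audit(dump, WORDLIST)
    for email, h in dump.items():
        print(f"{email:20} {h}  ->  {cracked.get(email, '<not in dictionary>')}")
```

Only the long, four-class password survives the lookup; the leetspeak one falls just like the plain words because the substituted form is already in the dictionary.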
I’m betting many of you now realize that your information HAS indeed gotten out to sources that you never wanted to have it. This has a high potential to include the hashed password you use for whichever service got your info to the open market. If this is the same password that you use for multiple services (again a surprising likelihood), then the hacker not only has the likely email used to sign up for such a service (often as good as the username to the account), but now also has the password, once it’s cracked. I’d be willing to bet that a few of my readers are now paying closer attention, especially if they use the same password for banking, eBay, Facebook, etc. How much of your life could the hacker access with just one dump such as this?
To mitigate against a hacker having potentially catastrophic access to your personal info, accounts, etc., one would want to ensure that their online accounts have different passwords based on their security needs. For example, Facebook, Twitter, LinkedIn and other social media accounts should NOT share a password with your higher-risk accounts: online banking, shopping, etc. Porn sites are prime targets for hackers, who then sell access to the account online. Therefore a separate password used exclusively for that site should be considered and implemented, should you have an account.
The second tactic to prevent such a potentially life-altering intrusion into your private life, finances, or any other type of online account is to simply build a password that wouldn’t be in a dictionary and is too time-intensive for a hacker to stay invested in. To do this you need to include different types of characters: upper and lower case letters, numbers AND special characters (!@#$%^). This means each single character in your password has 26+26+10+33, or 95, possibilities. I would highly suggest using a password longer than 8 characters to further increase its strength. Though it is possible to build a strong 8-character password, hashing speed has vastly increased in recent years (password cracking and bitcoin mining have identical hardware needs). If you’re interested in the possible combinations in an 8-character password, the math is simple. Each character has 95 possibilities. With 8 characters, that would be 95 to the 8th power, and for each character added thereafter the possibilities increase exponentially.
[Image: the calculation for an 8-character password using the math above, 95 to the 8th power.]
The difference when using a 10-character password instead is a whopping 4 extra digits in the number of possibilities.
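As an added example (not from the original post) that carries the keyspace arithmetic above one step further: it computes the number of candidates for any length and any mix of the four character classes, checks the 8- versus 10-character comparison, and converts a keyspace into worst-case exhaustive-search time at an assumed guess rate. The 10 billion hashes per second figure is an assumption for illustration, not a measurement.

```python
from math import log10

# Character classes as counted in the post: 26 + 26 + 10 + 33 = 95.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}
ALL_CLASSES = ("lower", "upper", "digit", "special")

# Assumed rate, for illustration only: 10 billion unsalted MD5 guesses per second.
ASSUMED_HASHES_PER_SECOND = 1e10


def alphabet_size(classes=ALL_CLASSES) -> int:
    """Per-character alphabet for the chosen classes (95 with all four, 62 with 3/4)."""
    return sum(CLASS_SIZES[c] for c in classes)


def keyspace(length: int, classes=ALL_CLASSES) -> int:
    """Number of candidate passwords of exactly `length` characters: alphabet ** length."""
    return alphabet_size(classes) ** length


def digit_count(n: int) -> int:
    """Decimal digits in a count; the post compares keyspaces by how many digits they have."""
    return len(str(n))


def worst_case_seconds(length: int, classes=ALL_CLASSES,
                       rate: float = ASSUMED_HASHES_PER_SECOND) -> float:
    """Seconds to try every candidate at the assumed rate (exhaustive search)."""
    return keyspace(length, classes) / rate


def strength_report(length: int, classes=ALL_CLASSES) -> dict:
    """Summarise one password build: alphabet, keyspace, digits, bits, worst-case years."""
    space = keyspace(length, classes)
    return {
        "alphabet": alphabet_size(classes),
        "keyspace": space,
        "digits": digit_count(space),
        "bits": round(log10(space) / log10(2), 1),
        "years_at_assumed_rate": worst_case_seconds(length, classes) / (365 * 24 * 3600),
    }


if __name__ == "__main__":
    # 3/4 (no specials, 62 per character) beside 4/4 (95 per character) at three lengths.
    for length in (8, 10, 12):
        for classes in (("lower", "upper", "digit"), ALL_CLASSES):
            r = strength_report(length, classes)
            print(f"{length:2} chars, {r['alphabet']:2}-char alphabet: "
                  f"{r['digits']:2} digits, {r['bits']:5.1f} bits, "
                  f"{r['years_at_assumed_rate']:.2e} years")
```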
To ensure you are now selecting the strongest password you can for its cryptographic strength (its ability to resist being cracked within a reasonable time frame), go to The Password Meter and ensure that you have 4/4 instead of 3/4 (the 95 possibilities per character in the password, exactly as). Also, remember the cryptographic strength goes up exponentially with every character. Try a 10-character or longer password with all 4/4 checked off and then run it through the same exercise we did before. You have succeeded in evading the easiest attack, one that utilizes the best dictionary, and can also rest easy that checking all of the minimum requirements and extending the overall length to 10 or more will make most, if not all, hackers stop in their tracks if they ever pull it in a data breach. You will hold your head high in the VERY limited percentage of passwords that likely will not get cracked for a long time to come. It’ll take some VERY serious advances in video cards specifically to generate the kind of power needed to crack this build. Do not take this as advice to be slack and think you’re safe, but as a lesson to be proactive about YOUR security and to learn to test your own security.
[Image: The Password Meter result. Note they suggest 3/4 (not 95 possibilities) and we want the full 95 per character.] Why do the bare minimum to secure yourself while the hacker is doing everything they can to find something useful, often anything they can gain access to?
If you have a particular question, a desire for learning references, or perhaps a suggestion for something you’d be interested in expanding your knowledge on, do not hesitate to contact me. If the contact me page isn’t up, the one on the website should be working just fine. Do stay tuned for the next blog post, coming soon: an explanation of VPNs and why they help protect your security considerably. By the end you will have a basic knowledge and can decide for yourself whether you want to connect through a company, or your own private server.