We recently published a post about the inherent dangers of passwords and how they are increasingly vulnerable thanks to user negligence. With so much data being safeguarded by elemental passwords, the need for a refined security layer is imperative. However, a common question we received was about how attackers actually store and share compromised passwords with each other.
Understanding ‘Salting’ and ‘Hashing’ encryption
Before we go any further, we need to understand the significance of the ‘salting’ and ‘hashing’ techniques used by web service providers. These methods encrypt stored passwords so that the bad guys cannot simply read large databases of them. If these databases are recklessly stored in plain text, every password in them is exposed and highly vulnerable.
This ensures that even if an attacker gets his hands on a database, he will be unable to recover the passwords without considerable effort. Salting refers to the process of appending a string of characters to a password before it is hashed. For instance, the password ‘hello’ becomes ‘hello3ab9’ after the process. Hashing refers to the process of encrypting the salted password with a key, so ‘hello3ab9’ becomes ‘39e19b234…’ after hashing. Providers use popular algorithms like MD5, SHA-1, SHA-256, SHA-384 and SHA-512 to carry out this step.
Methods to crack stolen passwords
Unfortunately, attackers now have their hands on these algorithms too. As a result, hackers who have cracked certain hashes and navigated around system protection software share the results with each other over underground forums. Here are the common tools that attackers use and share to crack our secure passwords.
- Rainbow Table
These are tabular databases of hashed passwords that have already been cracked. Every hashing algorithm is targeted and the results are then shared in a “you-help-me-I-help-you” manner. Subsequently, if a hacker obtains a hashed password he simply looks it up in the rainbow tables to see if the plain-text password can be derived. This takes him only a few seconds if he has multiple tables at his disposal. His results are then recorded in the table and shared with other hackers to complete the chain.
- Dictionary Attack
In this scenario, an attacker runs an encrypted password against an existing set of words. In most cases, this list is simply derived from a dictionary. Many people use day-to-day dictionary words as their passwords and attackers are well aware of this. All they do is run the password against a list of all dictionary words and if the password is in fact a simple word, it will be cracked. This is why it is recommended that you use a combination of letters, numbers and special characters for your password.
- Brute-Force Attack
Also known as an ‘exhaustive key search’, this attack is the most comprehensive and thorough trick used by hackers. They test an encrypted password against every possible combination of letters, numbers and special characters. This process is extremely lengthy, so only the most dedicated and persistent attackers make use of it. But if an attacker adopts a brute-force technique, he is guaranteed to crack a password sooner or later. In order to discourage attackers from making use of this technique, it is recommended that you create passwords that are at least 8-10 characters long.
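As an added example that is not part of the original post, the following Python illustrates the salting and hashing step described earlier, using the post's own ‘hello’ plus ‘3ab9’ values with SHA-256, and shows why a random per-password salt defeats a precomputed (rainbow) table of unsalted hashes. The word list, the salt length and the function names are constructed here for illustration and do not come from any real service.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional, Tuple


def unsalted_hash(password: str) -> str:
    """SHA-256 of the bare password: exactly the form a rainbow table can precompute."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[str] = None) -> Tuple[str, str]:
    """Append a salt to the password and SHA-256 the result (the 'hello' -> 'hello3ab9' step).

    When no salt is supplied a fresh random one is drawn, so two users with the
    same password end up with different digests. The salt is returned with the
    digest because it must be stored and reused at verification time.
    """
    if salt is None:
        salt = secrets.token_hex(8)  # 16 hex characters; the length is an assumption for this example
    digest = hashlib.sha256((password + salt).encode("utf-8")).hexdigest()
    return salt, digest


def verify_password(candidate: str, salt: str, stored_digest: str) -> bool:
    """Re-hash the candidate with the stored salt and compare in constant time."""
    _, digest = hash_password(candidate, salt)
    return hmac.compare_digest(digest, stored_digest)


def build_unsalted_table(words: Iterable[str]) -> Dict[str, str]:
    """Toy stand-in for a shared table of cracked hashes: unsalted digest -> plain text."""
    return {unsalted_hash(w): w for w in words}


def lookup(table: Dict[str, str], digest: str) -> Optional[str]:
    """Return the plain text if the digest is already in the table, otherwise None."""
    return table.get(digest)


if __name__ == "__main__":
    salt, digest = hash_password("hello", "3ab9")
    print("verify correct password:", verify_password("hello", salt, digest))
    print("verify wrong password:  ", verify_password("hello!", salt, digest))

    table = build_unsalted_table(["hello", "password", "letmein"])  # constructed word list
    print("unsalted 'hello' found in table:", lookup(table, unsalted_hash("hello")))
    print("salted 'hello' found in table:  ", lookup(table, digest))

    _, d1 = hash_password("hello")
    _, d2 = hash_password("hello")
    print("same password, random salts, different digests:", d1 != d2)
```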
Hackers use these primary techniques, and other lesser known ones, to crack passwords once they obtain a list. After a password has been cracked, they update the list and share it with other hackers to spread the information. Password security is something that a lot of us take lightly so it is important to follow 3 rules – keep it long, use special characters and use different passwords for multiple accounts. Attackers share their resources and results with each other so we should also do the same and contribute towards raising awareness.