Upload: aliaqa-hosainy

Post on 12-Jan-2017

Password Attack

What is Password?

A phrase used to gain access to a resource. The oldest recorded use of a password is in the tale of Ali Baba and the forty thieves in the One Thousand and One Nights collection; in the same story the leader of the thieves wants to crack the magic word to get at the wealth. Wherever there is a password, there is usually also someone who wants to crack it.

How Passwords are stored?

Systems usually store a hashed version of the password in a file.

Hashing is a one-way (non-reversible) function.

So no one can retrieve the password from its hash.

Then how can the password be cracked?

Only one way remains, and its steps are:
1. Find a large collection of passwords
2. Compute the hash of every entry
3. Check whether it matches the hash we want to crack

If the password to be cracked is unique (found in no collection), it cannot be cracked this way.

Where to find a collection of passwords?

At first it was hard for crackers to build such a collection; they used dictionaries and word lists and wrote programs to simulate password patterns.

This was the case until a breach of the RockYou.com gaming service in late 2009 revealed 32 million plain-text passwords, 14.3 million of which were unique. Those passwords were then posted online. This event changed the whole game for password crackers.

The RockYou breach revealed a very important fact: the strategic thinking people often employ when they choose a password. This was the key that crackers had needed for years.

It shows that users try to create passwords that are easy to remember yet hard to guess.

RockYou passwords showed some common patterns:

A large portion of the passwords were a combination of a name + a year:
ahmad1993

Upper-case letters were used only as the first letter of a word:
DaysofFuturePassed

Numbers and symbols were almost always placed at the end of the password:
HelloWorld!!!

And many others...

Year of birth

Many others, such as character substitutions: 3 > e, 4 > a, r and ! > I

Combining these patterns with dictionaries produced far more efficient collections.

After the RockYou hack, the number of successful password cracks increased greatly.

Today we can easily find collections of more than 100 million passwords on the Internet. For example, crackstation.net offers a collection of 1.5 billion passwords, 15 GB in size.

Hardware used to generate the hashes

This is usually done on a GPU instead of a CPU because GPUs have far more cores (100 of them). The programs used to generate password hashes work better with more cores, and core speed is not that important (below 1 GHz).

Today an HD 7970 (about $300) can check up to 8.2 billion passwords per second.

The photo shows a $12k system built by a team named Deadone at the last Defcon conference. It can check the whole 8-character password space (all 95 characters available on a standard English keyboard) in only 12 hours.

The Deadone team won the Crack Me If You Can contest with this machine.

Rainbow Table

When cracking a large number of passwords it is inefficient to use the old method of generating the whole collection of hashes afresh for every target.

Instead we can use something called a Rainbow Table. It contains pre-generated hashes for a collection of passwords together with their plain-text forms. Using rainbow tables we don't need to generate the hashes any more; we only match the entries.

We can also build our own Rainbow Tables. Rainbow Tables have another advantage:
they save disk space too. For example, an ordinary table with all 10-character combinations of lower-case letters only and their corresponding MD5 hashes would take 3 TB of disk, while a rainbow table with the same coverage takes only 167 GB. This is because rainbow tables use a very powerful compression technique.

To make rainbow tables useless, a salt was added for every password

A salt is several unique characters that are appended to the password before it is hashed; it is generated randomly by the computer. It makes rainbow tables completely useless: as an example, a 16-bit salt requires crackers to have 65535 separate tables to break passwords, which in terms of disk space is completely impractical. On Linux the salted hashes are stored in /etc/shadow. Not every system or website uses salting: Yahoo didn't use it in its 2014 breach.
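Added example (not part of the original slides): the three cracking steps above built as a precomputed hash-to-plaintext table, beside the salted storage and login check this section describes, showing that the table matches an unsalted hash by one lookup but finds nothing once a random per-user salt is in play. The password list and salt values are constructed for the demonstration; MD5 is used only because the page's figures are for MD5.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a leaked collection such as the RockYou list,
# using the patterns the page names (name+year, capitalised words, trailing symbols).
LEAKED_PASSWORDS = ["ahmad1993", "DaysofFuturePassed", "HelloWorld!!!", "123456", "letmein"]


def md5_hex(data: bytes) -> str:
    # MD5 is used only because the page's rainbow-table figures are for MD5.
    return hashlib.md5(data).hexdigest()


def build_table(candidates):
    """Steps 1 and 2 from the page: hash every entry of the collection once and
    keep hash -> plaintext. Any unsalted hash can then be matched by one lookup."""
    return {md5_hex(pw.encode()): pw for pw in candidates}


def match(table, stolen_hash):
    """Step 3: a single dictionary lookup per stolen hash, no further hashing."""
    return table.get(stolen_hash)


def store_salted(password, salt=None):
    """Defender side: a random per-user salt is added to the password before
    hashing and stored beside the digest (as /etc/shadow does). The salt is not
    secret; its job is to make every user's hash input unique."""
    if salt is None:
        salt = os.urandom(16)
    return salt, md5_hex(salt + password.encode())


def verify_salted(password, salt, stored_hash):
    """Login check: recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(md5_hex(salt + password.encode()), stored_hash)


def demo():
    table = build_table(LEAKED_PASSWORDS)
    unsalted = md5_hex(b"ahmad1993")           # what an unsalted system stores
    salt, salted = store_salted("ahmad1993")   # the same password, stored with salt
    return {
        "unsalted_hit": match(table, unsalted),  # 'ahmad1993': found by one lookup
        "salted_hit": match(table, salted),      # None: the precomputed table is useless
        "verify_ok": verify_salted("ahmad1993", salt, salted),  # True
    }
```

The cracker's cost is the point: one table serves every unsalted hash, but each salted user needs the whole collection re-hashed with that user's salt.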