How I Got Your Password – Part 1

In our last post we looked at the frighteningly short amount of time that it takes to crack a typical password.  Today we will look at all the different password cracking methods that a clever attacker can use to compromise your password, and how to defend against these attacks.

Password cracking

There are several types of automated password attacks. In practice they are combined, either to speed up the cracking run or to target the kind of password the attacker expects to find.

  • Dictionary attack – This is the quickest method and, against a typical leaked password list, often recovers more than half of the passwords.  It works by hashing and checking known popular passwords and words found in a dictionary or wordlist, so it only finds passwords that actually appear in that list.  You can protect yourself from this by avoiding popular passwords or dictionary words as your password.
  • Brute-force attack – This method tries every possible combination of upper case and lower case letters, numbers, and symbols, and is very thorough.  It takes more time: with all 95 printable ASCII characters, an 8-character password has 95^8 (about 6.6 quadrillion) possible combinations, and the often-quoted figure of 281.5 trillion corresponds to a 64-character alphabet (64^8).  Either keyspace can be exhausted by a GPU cracking rig against a fast, unsalted hash in roughly 24 hours or less, depending on the equipment and the hash algorithm.  Because the keyspace grows exponentially with every added character, the best defense against this is to create passwords that are longer than 12 characters.
  • Hybrid attack – Hybrid attacks combine some characteristics of both brute-force and dictionary attacks with human predictability.  Hybrid attacks look for variations of popular passwords that use some character substitution.  Predictability exploits the things that people tend to do, like capitalizing the first character, and using the number 1 and the exclamation mark at the end of their passwords.  These patterns are added into the password cracking algorithm as mutation rules applied to every word in the list.   I have read stories about hybrid attacks that can solve long passwords of 12 or more characters in a matter of hours.  The best defense is to avoid making your long password by simply joining two or more common dictionary words.  At this point a 20-character randomly generated password would be your best defense.  We will tell you how to do this in the next post.
  • Password spraying – Brute-force attacks send hundreds or thousands of guesses against a single password-protected account.  Password spraying reverses this: it sends a single common password (a seasonal or company-name password, for example) against hundreds or thousands of accounts, and then starts over again with the next password.  Because each account sees only one failed attempt per round, the attack stays below lockout and rate-limit thresholds.  Typically used in on-line attacks, see below.
  • Off-line attacks – This happens when a password file or database has been exported from a web server or domain controller, and the passwords can be cracked automatically in bulk at the attacker's leisure, with no lockout or rate limiting to slow the attacker down.  How long that takes depends on the hash: a fast, unsalted hash such as MD5 or NTLM can be tried billions of times per second, while a slow, salted hash such as bcrypt or Argon2 cuts that rate by orders of magnitude.  Your best defense as a user is to use passwords longer than 12 characters, which take decades or centuries to brute-force; the best defense for a site owner is to store passwords with a slow, salted hash.
  • On-line attacks – In this attack password cracking is attempted directly against the web site login screen using automated tools, and often password spraying.  With password spraying, an attacker will try the same password against hundreds of accounts or websites, and then start the process over with a new password.  This overcomes security strategies such as rate limiting, or locking out an account after a certain number of incorrect attempts within a certain time frame, because no single account ever accumulates enough failures to trip them.  This is used against WordPress websites, email accounts from Gmail, Outlook.com, or Yahoo, as well as popular online services such as Twitter and Facebook.  Again, a password longer than 12 characters defeats on-line guessing, but spraying succeeds by finding the accounts that use a common password, so avoid common passwords entirely, turn on multi-factor authentication where it is offered, and, if you run the site, watch for many different accounts failing from one source rather than only counting failures per account.
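The dictionary, hybrid and brute-force bullets above describe what an off-line cracker actually does, so here is an added worked example of all three (written for this edit, not code from the original post or from Panda Security). The "leaked" hashes, the six-word wordlist, the mutation rules and the 1e11 guesses-per-second figure are all constructed assumptions chosen so the script runs offline; real attacks use a wordlist of millions of entries and hundreds of rules.

```python
import hashlib

# Constructed example: a "leaked" password table of unsalted SHA-256 hashes.
# In a real off-line attack these come from an exported database; here the
# plaintexts are chosen inline so the script runs offline and checks itself.
LEAKED_PLAINTEXTS = ["password", "letmein", "Sunshine1!", "Xk9#vQ2p"]
LEAKED_HASHES = {hashlib.sha256(p.encode()).hexdigest() for p in LEAKED_PLAINTEXTS}

# A tiny wordlist standing in for a real dictionary such as rockyou.txt.
WORDLIST = ["123456", "password", "letmein", "sunshine", "dragon", "qwerty"]

# Common character substitutions people use when told to "add a symbol".
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def dictionary_attack(hashes, wordlist):
    """Plain dictionary attack: hash each word exactly as listed and look it up."""
    cracked = {}
    for word in wordlist:
        h = sha256_hex(word)
        if h in hashes:
            cracked[h] = word
    return cracked


def hybrid_candidates(word):
    """Yield the word plus the predictable variations the post describes:
    first letter capitalised, all caps, leet substitutions, and a short
    suffix such as '1' or '!' on the end."""
    bases = {word, word.capitalize(), word.upper()}
    bases |= {b.translate(LEET) for b in list(bases)}
    for base in sorted(bases):
        yield base
        for suffix in ("1", "!", "1!", "123", "2024"):
            yield base + suffix


def hybrid_attack(hashes, wordlist):
    """Dictionary attack with mutation rules applied to every word."""
    cracked = {}
    for word in wordlist:
        for candidate in hybrid_candidates(word):
            h = sha256_hex(candidate)
            if h in hashes and h not in cracked:
                cracked[h] = candidate
    return cracked


def keyspace(length, alphabet_size=95):
    """Number of passwords of the given length over an alphabet of that size
    (95 = all printable ASCII characters; 64 gives the 281.5 trillion figure)."""
    return alphabet_size ** length


def brute_force_seconds(length, alphabet_size=95, guesses_per_second=1e11):
    """Worst-case time to exhaust the keyspace. The guess rate is an assumed
    figure for a GPU rig against a fast unsalted hash; a slow salted hash
    such as bcrypt reduces it by several orders of magnitude."""
    return keyspace(length, alphabet_size) / guesses_per_second


if __name__ == "__main__":
    print("dictionary:", sorted(dictionary_attack(LEAKED_HASHES, WORDLIST).values()))
    print("hybrid:    ", sorted(hybrid_attack(LEAKED_HASHES, WORDLIST).values()))
    for n in (8, 12, 20):
        years = brute_force_seconds(n) / (365.25 * 24 * 3600)
        print(f"{n} chars, 95-symbol alphabet: {keyspace(n):.3g} guesses, "
              f"about {years:.3g} years at 1e11 guesses/s")
```

The plain dictionary pass recovers only the two passwords that appear verbatim in the wordlist; the hybrid pass also recovers Sunshine1!, which looks "strong" by the usual length-and-symbols rules but is just a dictionary word with the two most common mutations. The random 8-character password survives both passes and falls only to brute force, which is why the keyspace arithmetic matters: at the assumed rate, 8 characters exhaust in under a day, 12 characters take on the order of 10^5 years, and 20 characters are out of reach.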
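The spraying pattern in the last two bullets is easiest to see in logs, so here is an added example (written for this edit, not from the original post) that contrasts what a per-account lockout counter sees with what a per-source view sees. The log lines are constructed, not real, and their "timestamp result user source_ip" format, the 10-minute window and the five-account threshold are assumptions for the demo.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). 203.0.113.7 sprays
# one password across many accounts and gets into one of them; 198.51.100.5
# hammers a single account; 192.0.2.10 is an ordinary user who mistypes once.
SAMPLE_LOG = """\
2024-03-01T09:00:05 FAIL alice 203.0.113.7
2024-03-01T09:00:09 FAIL bob 203.0.113.7
2024-03-01T09:00:14 FAIL carol 203.0.113.7
2024-03-01T09:00:20 FAIL dave 203.0.113.7
2024-03-01T09:00:26 FAIL erin 203.0.113.7
2024-03-01T09:00:31 FAIL frank 203.0.113.7
2024-03-01T09:00:37 OK grace 203.0.113.7
2024-03-01T09:01:00 FAIL bob 198.51.100.5
2024-03-01T09:01:02 FAIL bob 198.51.100.5
2024-03-01T09:01:04 FAIL bob 198.51.100.5
2024-03-01T09:01:06 FAIL bob 198.51.100.5
2024-03-01T09:01:08 FAIL bob 198.51.100.5
2024-03-01T09:05:00 FAIL alice 192.0.2.10
2024-03-01T09:05:12 OK alice 192.0.2.10
"""


def parse_log(text):
    """Return a list of (timestamp, result, user, source_ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, ip = line.split()
        events.append((datetime.fromisoformat(ts), result, user, ip))
    return events


def lockout_candidates(events, threshold=5):
    """What a classic lockout policy sees: failures counted per account."""
    fails = defaultdict(int)
    for _, result, user, _ in events:
        if result == "FAIL":
            fails[user] += 1
    return {user for user, n in fails.items() if n >= threshold}


def spray_sources(events, window=timedelta(minutes=10), min_accounts=5):
    """Per-source view: flag any source IP whose failures inside a sliding
    window touch at least min_accounts distinct accounts. Returns a dict of
    flagged IP -> set of accounts it failed against."""
    by_ip = defaultdict(list)
    for ts, result, user, ip in sorted(events):
        if result == "FAIL":
            by_ip[ip].append((ts, user))
    flagged = {}
    for ip, fails in by_ip.items():
        recent = deque()
        for ts, user in fails:
            recent.append((ts, user))
            while recent and ts - recent[0][0] > window:
                recent.popleft()
            users = {u for _, u in recent}
            if len(users) >= min_accounts:
                flagged[ip] = flagged.get(ip, set()) | users
    return flagged


def spray_successes(events, flagged):
    """Successful logins from a flagged source: the accounts the spray actually
    got into, which need a password reset and session revocation."""
    hits = defaultdict(set)
    for _, result, user, ip in events:
        if result == "OK" and ip in flagged:
            hits[ip].add(user)
    return dict(hits)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    flagged = spray_sources(events)
    print("lockout would trigger for:", lockout_candidates(events))
    print("spraying sources:", {ip: sorted(u) for ip, u in flagged.items()})
    print("accounts the spray got into:", spray_successes(events, flagged))
```

The per-account counter only ever fires for bob, the target of the old-fashioned brute force; the sprayer never gives any single account more than one failure, so lockout and per-account rate limiting are blind to it. Grouping failures by source instead exposes the spray immediately, and the successful login from the same source is the alert that actually matters.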

Our next post will reveal other methods that can be used by an attacker to compromise your password.

A special thanks to Panda Security for inspiring the content of this series and providing us with the infographics used in this series.


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.
