Password Cracking (theory)
This post is about cracking passwords. In order to understand how's possible first you need to comprehend some concepts:
Picture this: You configure a single factor authentication in your mobile device (just a password), therefore every time you unlock your mobile device you are required of typing your password.
This means your mobile O.S. is storing your password somewhere in memory, so when you type your password the O.S. is going to compare the password you've typed with the set-up password. If the password matchs you gain access to the device.
But how is your O.S storing your passwords?
You may think in plain text (this was true in the past), but this in really really insecure. If i gain access to your device and i know where your O.S. store your passwords, I will take everything from you.
Here is where hashes come to play.
A hash function is any function that can be used to map data of arbitrary size to data of a fixed size. The values returned by a hash function are called hash values, hash codes, digests, or simply hashes.
Example: There is one function called MD5 (Message Digest 5), you can try with: http://www.miraclesalad.com/webtools/md5.php
Example 1:
Example 2:
Example 3:
Your O.S. is not going to store your password in plain text, your O.S. is storing just your password hashes! Every time you are typing your password:
1.- Your O.S. generates a hash from your typed password.
2.- Your O.S. compares this hash with your set-up password hash.
3.- If both hashes match you gain access to the system.
Dictionary attack: This attack tries common words from a file (Ex: Rock you file: https://wiki.skullsecurity.org/Passwords), it's a powerful attack since we are humans who are used to
use words.
Raimbow-table attack: This attack tries hashes from a file containing hashes and their "translation", this files could be very big (tons of Gb).
______________________
So, someone has stolen from your server a file with all your user names and password hashes. Now this guy is going to use some software like "John the Ripper password cracker". This software allows him of trying brute-force, dictionary, raimbow and hybrid attacks. This software:
1.- Generate possible passwords.
2.- Make hash of them.
3.- Compare them with the paswords hashes.
And for sure this will allow him to get at least 60-80% of all the passwords.
Nowadays, new systems salt the passwords. They are not going to store the hash of your password: "lovetimmy", these systems are going to hash your password + some random string, something like: "66_23!lovetimmy_2/". This way cracking passwords is much more difficult.
There's software that allows you to use these attacks on web applications. So you need no hashing. This is solved with a policy of password maximum attempts.
If someone tries this attack on Facebook, Facebook will block them at 5-10 attemps. What bad guys do is attacking sites who doesn't have proper security policies. They will attack your weak high school database. We are humans and we are not so smart because we use the same password everywhere, so when these black hat hackers get your password from your high school site, they will have your FB, Amazon and so on! So please, use different passwords!
* In today's world is more common using malicious scripts or keyloggers in order to steal people credentials.
* Use strong, random, and long passwords. Your password "Potat0pass3" is very insecure.
* MD5 is insecure, there are other hashes functions like SHA-256 or SHA-512 which are safe at the moment.
1.- HASHES
First of all, do you know how your O.S. store your passwords?Picture this: You configure a single factor authentication in your mobile device (just a password), therefore every time you unlock your mobile device you are required of typing your password.
This means your mobile O.S. is storing your password somewhere in memory, so when you type your password the O.S. is going to compare the password you've typed with the set-up password. If the password matchs you gain access to the device.
But how is your O.S storing your passwords?
You may think in plain text (this was true in the past), but this in really really insecure. If i gain access to your device and i know where your O.S. store your passwords, I will take everything from you.
Here is where hashes come to play.
A hash function is any function that can be used to map data of arbitrary size to data of a fixed size. The values returned by a hash function are called hash values, hash codes, digests, or simply hashes.
Example: There is one function called MD5 (Message Digest 5), you can try with: http://www.miraclesalad.com/webtools/md5.php
Example 1:
We can see:
- Despite the file size the output hash-string always has the same size, it doesn't matter if you hash a .mov file of 4 Gb or a .txt file of 2Kb (example 1 and 3).
- Two files that only differ by one bit will have completely different hashes (example 1 and 2).
Your O.S. is not going to store your password in plain text, your O.S. is storing just your password hashes! Every time you are typing your password:
1.- Your O.S. generates a hash from your typed password.
2.- Your O.S. compares this hash with your set-up password hash.
3.- If both hashes match you gain access to the system.
2.- PASSWORD ATTACKS
Brute-Force Attack: This attack tries every possible string combination. It will go from 0000 to ZZZZ, you can configure how many characters, kind of characters... Strong passwords will require much more than a life time to be cracked.Dictionary attack: This attack tries common words from a file (Ex: Rock you file: https://wiki.skullsecurity.org/Passwords), it's a powerful attack since we are humans who are used to
use words.
Raimbow-table attack: This attack tries hashes from a file containing hashes and their "translation", this files could be very big (tons of Gb).
______________________
So, someone has stolen from your server a file with all your user names and password hashes. Now this guy is going to use some software like "John the Ripper password cracker". This software allows him of trying brute-force, dictionary, raimbow and hybrid attacks. This software:
1.- Generate possible passwords.
2.- Make hash of them.
3.- Compare them with the paswords hashes.
And for sure this will allow him to get at least 60-80% of all the passwords.
Nowadays, new systems salt the passwords. They are not going to store the hash of your password: "lovetimmy", these systems are going to hash your password + some random string, something like: "66_23!lovetimmy_2/". This way cracking passwords is much more difficult.
There's software that allows you to use these attacks on web applications. So you need no hashing. This is solved with a policy of password maximum attempts.
If someone tries this attack on Facebook, Facebook will block them at 5-10 attemps. What bad guys do is attacking sites who doesn't have proper security policies. They will attack your weak high school database. We are humans and we are not so smart because we use the same password everywhere, so when these black hat hackers get your password from your high school site, they will have your FB, Amazon and so on! So please, use different passwords!
* In today's world is more common using malicious scripts or keyloggers in order to steal people credentials.
* Use strong, random, and long passwords. Your password "Potat0pass3" is very insecure.
* MD5 is insecure, there are other hashes functions like SHA-256 or SHA-512 which are safe at the moment.