Cracking the code on cracking codes

“How does someone break your password? Just by guessing? Using some algorithm? Consulting a list of the most common? What makes a password weak or strong? I know to use lowercase, uppercase, numbers and special characters, but what would make one combination of those good and another not?”

This series of questions posed by a reader is a sober reminder that oftentimes IT professionals teach what to do or not do, but seldom explain why or how it happens. That’s because the answer is not straightforward; however, I will do my best to explain the ways simple passwords can be compromised. Note, there are always caveats, exceptions and methods of which I may not be aware.

Guessing a person’s password based on knowledge acquired is straightforward but not common, especially with the maximum attempt policy to which most applications or websites adhere. You’d need a general idea of someone’s password before guessing, because you risk being locked out.

Table courtesy of Hive Systems

Basic knowledge of cryptography is needed to understand how passwords are secured. The three categories of cryptography include: private key, public key and hash functions. For simplicity, I will use hash function cryptography.

Hashing is a way to transform a given string into a fixed-length string. A good hashing algorithm produces unique outputs for each input given. The only way to crack a hash is by trying every input possible until you get the exact same hash.

Just because an algorithm is a mathematical function doesn’t mean it would be easy to feed the hash back through a reverse algorithm. It’s difficult, if not impossible, with standard computational power to reverse a complex hash algorithm, which is why they are used for passwords.

For example, using a common industry standard for hashing, the Secure Hash Algorithm (SHA256) creates a complex string of letters and numbers (or hash) for the password “password.” However, one simple change makes a huge difference. Capitalizing one letter to make “Password” creates a completely different hash.

Applications don’t store passwords in plaintext. After a user enters a password, it’s converted to a hash and compared with the stored hashes on the server. Once matched, the user is authenticated and logged in.

When using the same hash algorithm, the password will always generate the same hash. Since “Password” always generates the same SHA256 hash, someone might keep a list of commonly used password or character hashes. This is known as a rainbow table.

The rainbow table refers to a precomputed table containing the password hash value for each plaintext character used during the authentication process. If hackers gain access to the list of password hashes, they can crack all passwords quickly using a rainbow table. (Note: Some programmers use an additional step called salting. Salting uses a separate algorithm applied to the passwords’ stored hashed value, making it difficult to leverage a rainbow table.)

This circumvents any maximum password attempt lockout policies, because the hacker is using a known
hash to create the password before an attempt is made to login. Passwordrandom.com cites 91 percent of user passwords sampled appear on the list of the top 1,000 passwords.

It boils down to randomization and length. Adding “!” to the end of your pet’s name as the password doesn’t make it much stronger. Creating completely randomized passwords makes matching hashes extremely difficult. The more characters used, the more computational power it takes to compare against a rainbow table, sometimes referred to as a brute force attack.

Hive Systems suggests when a password combines upper and lowercase letters, numbers, special characters, and is 12 characters long, it would take a hacker 3,000 years to crack by trying every combination to generate the same hash. See the password table for more information.

Bottom line, the conventional password hashing is flawed, which is why multi-factor authentication and a push toward a future without passwords is on the rise.

 

Number of Characters Numbers Only Lowercase Letters Upper and Lowercase Letters Numbers, Upper and Lowercase Letters Numbers, Upper and Lowercase Letters, Symbols
4 Instantly Instantly Instantly Instantly Instantly
5 Instantly Instantly Instantly Instantly Instantly
6 Instantly Instantly Instantly Instantly Instantly
7 Instantly Instantly 2 secs 7 secs 31 secs
8 Instantly Instantly 2 min 7 min 39 min
9 Instantly 10 secs 1 hour 7 hours 2 days
10 Instantly 4 min 3 days 3 weeks 5 months
11 Instantly 2 hours 5 months 3 years 34 years
12 2 secs 2 days 24 years 200 years 3K years
13 19 secs 2 months 1K years 12K years 202K years
14 3 min 4 years 64K years 750K years 16M years
15 32 min 100 years 3M years 46M years 1BN years
16 5 hours 3K years 173M years 3BN years 92BN years
17 2 days 69K years 9BN years 179BN years 7TN years
18 3 weeks 2M years 467BN years 11TN years 438th years