Passwords? No, Passphrases. Your Ultimate Guide to Preventing Attacks: Part 1

Passwords, at least for now, run our lives. I’ve seen it with my own family where suddenly needing to change an email password, an Apple ID password, or even a Facebook password becomes a multi-hour long ordeal. We live in an age where an entire population segment didn’t grow up having to remember passwords, and thus are not used to having to recall them. On the flip side, there is a segment that is accustomed to needing to know and remember passwords for most of their lives. Unfortunately, bad habits were formed when it comes to password creation due to ease of use. As someone who works in Offensive Security, it is my job to think and make recommendations based on the perspective of an attacker. I often have to try and capture or crack passwords in my every day work – a challenging, yet scary task.

In this two-part blog, I step into the shoes of an attacker and explain how individual passwords, or potentially even entire databases, are obtained. But, I won’t leave you hanging dry. There are ways to prevent these attacks from happening at the user level and it starts with having a strong understanding of how and why we should be creating passwords a certain way.

To begin, in modern systems, passwords ultimately are turned into a hash. A hash is a one-way transformation of input into essentially unintelligible nonsense. It uses a known algorithm to take data, in this case a password, and turn it into random characters. For example, the md5 algorithm turns the word “password” into “cc3a0280e4fc1415930899896574e118.” This is typically how passwords are transmitted within environments and how they are stored in databases on applications. If it is not stored or transmitted in this way, it is considered to be “plaintext”. There are several different kinds of algorithms, and as time has gone on, there have been developments in complexity to arrive at the final hash.

Now some of you may think that a hash value is similar to encryption, and that with a key you can “decrypt” the password. In this case, hashes are on- way transformations because in the process of determining the hash, it runs many different sequential computations. In the later computations it may (or may not) use data from earlier computations. So, as a result, you can’t work backwards since you are missing data that was determined early in the original hashing procedure To obtain a password from a hash, the current most commonly used process is to “crack” the hash. Meaning you use a program, a strong computer, and virtually every combination of letter, word, and symbol within a given length that you can try, and have it run through the hashing procedure to see if it matches. For example, if I have a list of 10 words, including “password” from earlier, the software will hash each word, and check the result against the hash I’m trying to crack. When it hashes “password” and finds the same result, I’ve now cracked that hash and know the password. This can take anywhere from seconds to a millennia depending on the entropy, or strength, of the password.

There are plenty of guides online of how to crack passwords, and really all you need to do it effectively is a computer that can do as many computations at once as possible. Each year as computers get more powerful, the algorithms that we’ve used become weaker. These systems can now “guess” more times per second, and therefore run through more attempts. This has resulted in new algorithms being made that are longer to generate the hash, attempting to reduce the number of hashes a computer can generate per second. For example, using the MD5 hash mentioned earlier, a graphics card from several years ago can do 40116 megahashes per second. This means that it can attempt over 40 billion passwords per second. In comparison, with the NTLMv2 hash, which is what Windows uses, that same system would be doing under 3 billion hashes per second.

These figures might seem astronomical, and you may wonder how it is that these systems don’t crack a password in seconds with that many attempts, and this is where we come to talk about password strength, or entropy. Entropy, in the context of information, is essentially its uncertainty. To increase entropy, you increase uncertainty, meaning you increase the possible combinations of characters a password can be. Prevailing password theory has always been to make passwords random, which is certainly a way to increase entropy within passwords. It also often makes cracking much more difficult, as typically password cracking uses a dictionary of words, and applies “rules” to those words. Meaning for “password” the software would try not only the base word, but would replace letters with numbers, add symbols, or add numbers to the end. The word password itself can result in thousands of combinations, and that’s only for a single word.

This is why we transitioned from using simple words, to including capitals, special characters, and numbers in our passwords. For a standard 8 character long password, that can add over 40 different options for each character in the password. So, if we add special characters and numbers to our passwords, but they still end up being cracked, what do we do? There are several ways to approach this issue so stay tuned to Part 2