Humans are considered the weakest link when it comes to data security since they will typically pick passwords that are easier to remember over something that is more secure. But this way the password becomes easy to hack, as well. And even if the user has come up with a strong password, there are still numerous techniques to crack it open in just a few hours using a regular computer.
There are two main categories of password cracking techniques: offline and online. Online attacks are performed on a live host or system by either brute-force or wordlist attack against a login form, session, or other type of authentication technique used.
Offline attacks are done by extracting the password hash or hashes stored by the victim and attempting to crack them without alerting the targeted host, which makes offline attacks the most widespread method of password cracking. Security holes in the victim’s infrastructure are what make this type of attack possible.
One of the most popular cracking techniques for passwords of up to eight characters is the brute-force attack. This is basically a hit-and-miss method, as the hacker systematically checks all possible characters, calculates the hash of the string combination and then compares it with the obtained password hash.
The success of brute-force attacks depends on the length of the password. In a brute-force attack the hacker tries every single combination of letters, numbers, and punctuation to generate a password. If the password is long, this technique takes more time: from minutes to several years, depending on the system used and password length.
A dictionary attack is similar to a brute-force attack, but there is one major difference between the two techniques. In a dictionary attack, the hacker uses a list of probable matches (based on words of the English language, for example) instead of trying all potential characters one by one. Dictionary attack tools often include known passwords, words from the English language, sentences from books, and more.
Combined Dictionary Attacks
Taking the dictionary attack one step further and adding even more complexity, hackers can combine a list of existing words with numbers in the same way that humans might when creating new passwords – such as by swapping the letter ‘e’ with ‘3’. This technique is called a “combined dictionary” attack, where the database used can contain words from one or more dictionaries.
Hybrid Dictionary and Rule-Based Dictionary Attacks
The hybrid dictionary attack is the method of taking the words listed in a dictionary and combining them with a brute-force attack by prepending three numbers to each entry. You’ll get results such as 111apple up to 999apple. This, however, can still take some time to generate results, so spicing up the password guesswork with a few rules can shorten the length of time it might take to crack. This method, however, leaves plenty of room for hacker creativity in defining the rules that the password cracking software will apply.
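A defender can apply the same combined and hybrid patterns as a screening check when a password is set. The following Python sketch is an added example, not code from the original article; the wordlist is constructed, and the substitution map beyond 'e'/'3', the stripping of up to four leading or trailing digits, and the 12-character minimum are assumptions that generalise the cases in the text.

```python
import re

# Constructed sample wordlist; a real check would load a large dictionary
# and a list of known breached passwords instead.
WORDLIST = {"apple", "password", "dragon", "welcome", "monkey"}

# Character swaps reversed back to letters. The article names 'e' -> '3';
# the other pairs are assumed here as commonly seen substitutions.
LEET = str.maketrans({"3": "e", "0": "o", "1": "l", "4": "a", "@": "a",
                      "5": "s", "$": "s", "7": "t", "!": "i"})

DIGITS_FRONT = re.compile(r"^\d{1,4}")   # hybrid pattern: 111apple
DIGITS_BACK = re.compile(r"\d{1,4}$")    # assumed mirror case: apple2019


def simplified_forms(password):
    """Return the base strings a dictionary-style guesser would reach."""
    lowered = password.lower()
    no_prefix = DIGITS_FRONT.sub("", lowered)
    no_suffix = DIGITS_BACK.sub("", lowered)
    no_both = DIGITS_BACK.sub("", no_prefix)
    forms = {lowered, no_prefix, no_suffix, no_both}
    # Undo substitutions on every variant (combined dictionary pattern).
    return forms | {form.translate(LEET) for form in forms}


def screen_password(password, wordlist=WORDLIST, min_length=12):
    """Return the reasons to reject a password; an empty list means accept.

    min_length=12 is an assumed policy value, not a figure from the article.
    """
    reasons = []
    if len(password) < min_length:
        reasons.append("too short")
    hits = sorted(simplified_forms(password) & wordlist)
    if hits:
        reasons.append("derived from dictionary word: " + hits[0])
    return reasons


if __name__ == "__main__":
    for pw in ("111apple", "P@ssw0rd", "111password999",
               "tundra-velvet-cobalt-97"):
        print(pw, "->", screen_password(pw) or "accepted")
```

Note that `111password999` passes the length rule but is still rejected, which is the point of checking the derived forms and not only the length.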
Rainbow Table Attacks
A rainbow table is a pre-compiled table used for recovering hashes. Each rainbow table is for a specific length of password containing a well-defined set of characters. This technique aims to reduce the guessing time but is limited to passwords no longer than nine characters and hashes without password salt.
Markov Chains Attacks
To use the Markov Chains technique hackers need to assemble a certain password database, split each password into 2-grams and 3-grams (2- and 3-character-long syllables), develop a new alphabet where these different elements act as letters and then match it with the existing password database.
Finally, the hacker sets a threshold of occurrences that will be the basis of the next step and selects only the letters from the new alphabet that appear at least the minimum number of times, as chosen by the hacker. Then the method combines these into words of a maximum of eight characters in length and utilizes the dictionary attack once again.
How to Secure Passwords
Since attacks can take many forms, the best way to protect yourself against hackers is to use long, unique passwords for every account. There are some easy tricks for creating strong passwords but, in the end, it all boils down to where and how you store those passwords.
It might be super-strong and the best password you have ever created, but if you write it down and store it somewhere, then it can easily be accessed by anyone who finds it. You can use any of the three secure password storage methods that we recommend, or use a password manager.