By Staff Writer at LMG Security   /   Apr 18th, 2016

Brilliant Ways Hackers Crack Passwords & How to Avoid Weak Passwords


You would think that a large software corporation like Citrix would have a more complex network password than CompanyName123—especially one that offers secure, mobile workspaces. But even Citrix is vulnerable to weak passwords, as they experienced recently during a content management system breach when a hacker used the login credentials: [email protected] and Citrix123. Time and time again, companies that should know better will still use weak passwords, making it easy for hackers to access valuable corporate information. We’ll help you understand how hackers crack passwords and what you can do to avoid weak passwords.

So how do hackers crack passwords? Citrix123 uses length (9 characters) and some complexity (uppercase letters, lowercase letters, and numbers), but it was still a weak enough password that hackers were able to crack it.

In a conversation with Dan Featherman, a Senior Security Consultant and member of LMG’s Penetration Testing Team, we discussed how hackers crack passwords and what makes a weak versus a strong password. We also discussed the three most common methods of cracking passwords: dictionary attacks, brute force attacks, and masked attacks.

How Do They Crack Passwords?

There are many open source, pre-built password crackers that are freely available for use. John the Ripper is one of the most popular password testing and cracking programs. It combines a number of password crackers into one package, auto-detects password hash types, and includes a customizable cracker.

Hashing, as defined by Dan:

“Password hashing is the process of applying a one-way algorithm to a dataset. This process results in the creation of a unique identifier, which cannot be reversed to expose the original dataset. Hashes are of a fixed length, which is dependent on the type of hashing performed. For example, MD5 hashes are 128 bits. An MD5 hash of a 3GB movie would be 128 bits, just as an MD5 hash of a simple text file would be 128 bits.”

One of the most common modes that John the Ripper uses is a dictionary attack, which takes a list of dictionary words (wordlists) to try to crack passwords. There are multitudes of wordlists available, each containing millions of words, and many are free to use. These wordlists can also be altered by rule sets, which, for example, replace a with or e with 3. Some of these mangled wordlists are already built into John the Ripper. Using real words from the dictionary in your passwords, therefore, is low-hanging fruit for hackers.

Brute force attacks use the most well-known method of cracking passwords. These attacks cycle through the alphabet, numbers, and special characters one character at a time, trying all combinations and increasing the length until the password is found. This attack is extremely fast at cracking short passwords, but exponentially slower as the length increases.

Masked attacks use the same method as brute force attacks, but are more specific. A hacker can obtain password policies, such as the password requirements and limitations, or your common password habits and use that information to their advantage. If a policy requires a password between 2 – 8 characters and at least one uppercase, then a hacker could mask (set a customized rule for) the first character as an uppercase, which is the most common place that people will place the required uppercase letter, and mask the length between 2 – 8 characters. This greatly reduces the time and energy it takes to crack a password.
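To put numbers on the brute force and masked attack paragraphs above, the following added example (not code from the original article) counts the candidates an exhaustive search must cover against the candidates left once a mask is applied. The `?u`/`?l`/`?d`/`?s`/`?a` placeholder names, the 95-character printable ASCII set and all function names are assumptions made for this illustration.

```python
import string

# Sizes of the character classes; the ?u/?l/?d/?s/?a placeholder names are an
# assumed convention for this example, not notation from the article.
CLASS_SIZE = {"u": 26, "l": 26, "d": 10, "s": 33, "a": 95}  # a = all printable ASCII

def mask_keyspace(mask):
    """Number of candidate passwords a mask such as '?u?l?l?d' describes."""
    total = 1
    for token in mask.split("?")[1:]:      # '?u?l' -> ['u', 'l']
        total *= CLASS_SIZE[token]
    return total

def brute_force_keyspace(min_len, max_len):
    """Every printable-ASCII string from min_len to max_len characters."""
    return sum(mask_keyspace("?a" * n) for n in range(min_len, max_len + 1))

def policy_mask_keyspace(min_len, max_len):
    """Same lengths, but the first character is assumed to be the uppercase one."""
    return sum(mask_keyspace("?u" + "?a" * (n - 1))
               for n in range(min_len, max_len + 1))

def shape_of(password):
    """Mask that a given ASCII password fits, e.g. 'Ab1!' -> '?u?l?d?s'."""
    classes = ((string.ascii_uppercase, "?u"), (string.ascii_lowercase, "?l"),
               (string.digits, "?d"))
    return "".join(next((m for chars, m in classes if ch in chars), "?s")
                   for ch in password)

if __name__ == "__main__":
    full, masked = brute_force_keyspace(2, 8), policy_mask_keyspace(2, 8)
    print(f"2-8 chars, exhaustive: {full:.3e}; first char uppercase: {masked:.3e}")
    habit = shape_of("Citrix123")
    print(habit, f"{mask_keyspace(habit):.3e} vs {mask_keyspace('?a' * 9):.3e}")
```

Fixing only the first character as uppercase cuts the search to 26/95 of the exhaustive space, while the full "capital, lowercase letters, trailing digits" shape of Citrix123 leaves roughly two million times fewer candidates than a 9-character exhaustive search.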

The password crackers used in dictionary attacks, brute force attacks, and masked attacks require computers that can process as much data as possible, as fast as possible. The results are machines that are heavily laden with video cards and superior CPUs, which come at a high electricity cost and, if not properly set up, can overheat easily. To avoid building costly password cracking computers, password hackers have taken to the cloud to outsource the required infrastructure, using what is aptly called cloud crackers. Password cracking using cloud computing is becoming increasingly popular among hacker groups.

Hackers can use several other methods to steal passwords, including, but not limited to the following:

  • Resetting your password by using your password reset questions; a hacker can easily find your birth city, mother’s maiden name, name of your first pet, etc.
  • Checking if you reused passwords over multiple accounts
  • Keylogger software
  • Remote administration tools, which show the screen and what is going on and usually contain keylogger software as well
  • Wi-Fi traffic monitoring
  • Phishing attacks
  • Social engineering
  • Offline hacking

What Makes a Password Weak?

A short, non-complex password with personal meaning is extremely easy to crack. Hackers will take any/all of your personal information to try to crack your password. Weak passwords contain personal information that is easily found through open source intelligence, such as social media, court filings, real estate, education information, or any information that is publicly accessible. Hackers will weed through this seemingly non-threatening data to gain access to more important information.

Other common password weaknesses include:

  • Default passwords
  • Under 8 characters
  • No complexity: lack of numbers, special characters, or uppercase letters
  • Common passwords: Password, Passw0rd, 123456, 11111, abc123, letmein, welcome, money, God, love, Jesus
  • Reusing passwords for different logins
  • Common names, phrases, and pop-culture references
  • Reusing the username as the password
  • Keyboard pattern and swipes (123456, qwerty)
  • Dictionary words, even with h4x0r/1337 language (numbers and symbols) mixed in or common misspellings
  • 2 or 4 digit numbers at the beginning or end, especially correlating to the current year, your birth day/month/year, or age
  • Using ! or ? as the special character and placing it at the end
  • Bad distribution (abcd1234, qwerty123456)
  • Poor/obvious security question and answer
  • Starting with an uppercase letter followed by a lowercase letter
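Several of the weaknesses listed above can be checked automatically when a password is set. The following is an added example, not code from the original article: the word lists are small constructed samples, and the substitution table, the `context_words` parameter (for an organization or product name) and the function name are assumptions.

```python
import re

# Constructed sample data; a real check would load full wordlists.
COMMON = {"password", "passw0rd", "123456", "11111", "abc123", "letmein",
          "welcome", "money", "god", "love", "jesus"}
WORDS = {"password", "welcome", "security", "summer", "love"}  # stand-in dictionary
KEYBOARD = ("qwerty", "123456", "abcd", "asdf")
LEET = str.maketrans("0134@$57", "oieaasst")   # assumed substitution table

def audit(password, username="", context_words=()):
    """Return the weaknesses from the list above that the password exhibits."""
    findings = []
    lower = password.lower()
    # Undo substitutions on the whole string and on the string with leading
    # digits and trailing digits/symbols removed (Citrix123 -> citrix).
    stripped = re.sub(r"^\d+|[\d\W_]+$", "", lower)
    candidates = {lower.translate(LEET), stripped.translate(LEET)}
    known = WORDS | {w.lower() for w in context_words}
    if len(password) < 8:
        findings.append("under 8 characters")
    if lower in COMMON:
        findings.append("common password")
    if username and lower == username.lower():
        findings.append("username reused as password")
    if candidates & known:
        findings.append("dictionary or organization word")
    if re.search(r"^(\d{2}|\d{4})(?!\d)|(?<!\d)(\d{2}|\d{4})$", password):
        findings.append("2- or 4-digit number at start or end")
    if password[-1:] in ("!", "?"):
        findings.append("! or ? as the final character")
    if any(p in lower for p in KEYBOARD):
        findings.append("keyboard pattern or sequence")
    if re.match(r"[A-Z][a-z]", password):
        findings.append("uppercase first letter followed by lowercase")
    return findings

if __name__ == "__main__":
    for pw in ("Citrix123", "Passw0rd", "Summer16!", "t9#Lq vX2m@Wz7"):
        print(repr(pw), audit(pw, context_words=["Citrix"]))
```

A password that returns no findings has only avoided these particular habits; the check says nothing about reuse across accounts or where the password is stored.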

How to avoid weak passwords – be strong!

There is a balance between creativity, complexity, length, memory, and protocol that has to be upheld in order to form a strong password. If password protocol limits the length or characters available, then the password must be creative, random, and complex to be as strong as possible. Merely replacing every vowel with its h4x0r language cousin is no harder to crack than replacing just one vowel, but using one special character or number helps to avoid weak passwords more than not using one at all.

Strong passwords contain:

  • Length: 8 characters is the standard recommendation, but 14+ characters is becoming the new standard
  • Complexity: use uppercase, lowercase, numbers, and special characters
  • Non-English characters, i.e. ü, ñ, ç, when possible
  • Spaces, when possible
  • No personal information
  • No dictionary words or common misspellings
  • No predictable habits, such as if all passwords use identical formats: WebsiteName+currentyear or [email protected][email protected]
  • Randomness
  • Shortening words and phrases to acronyms and adding complexity: ilovesecurity can become ilrasausp (I love reading about security and using strong passwords) and then [email protected]&us1n6Spw, which now has length, complexity, and no personal information or dictionary words

A strong password isn’t just about the technical approach, but also where you store it, where you type it in, or who is passing it around. Many companies adopt a Clean Desk Policy that removes sticky notes from monitors or pieces of paper in desk drawers, which is where employees most commonly write down and store passwords. Passwords can be passed around in email threads too. Also, be cautious of emails that ask to reset your password with a provided URL link, as they may be well-duplicated fake emails sent from hackers with fake websites.

After reviewing strong versus weak passwords and how hackers crack passwords, it’s clear that Citrix123 is a weak password for a combination of reasons. No password is absolutely invulnerable against hackers, but personally adopting a strong password policy can deter them and their computers from accessing that one account, which can easily snowball into accessing your bank or health insurance account. If you have any questions or comments about what you can do to strengthen your password, contact us at [email protected]