How to Crack a Password for an Application





What is Password Cracking?
Password cracking is the process of attempting to gain unauthorized access to restricted systems using common passwords or algorithms that guess passwords. In other words, it's the art of obtaining the correct password that gives access to a system protected by an authentication method.
Password cracking employs a variety of techniques to achieve its goals. The cracking process can involve either comparing stored passwords against a wordlist or using algorithms to generate passwords that match.

 

In this tutorial, we'll introduce you to the common password cracking techniques and the countermeasures you can implement to protect systems against such attacks.

What is password strength?
Password strength is the measure of a password's ability to resist password cracking attacks. The strength of a password is determined by:

* Length: the number of characters the password contains.
* Complexity: does it use a mixture of letters, numbers, and symbols?
* Unpredictability: is it something that can be guessed easily by an attacker?

Let's now look at a practical example. We'll use three passwords, namely

1. password

2. password1

3. #password1$

For this example, we'll use the password strength indicator of cPanel when creating passwords. The images below show the password strength of each of the above-listed passwords.

Note: the password used is password; the strength is 1, and it's very weak.

Note: the password used is password1; the strength is 28, and it's still weak.

Note: the password used is #password1$; the strength is 60, and it's strong.

The higher the strength number, the better the password.

Let's suppose that we have to store the above passwords using MD5 hashing. We'll use an online MD5 hash generator to convert our passwords into MD5 hashes.




The password hashes are shown below:

Password: password
MD5 hash: 5f4dcc3b5aa765d61d8327deb882cf99
cPanel strength indicator: 1

Password: password1
MD5 hash: 7c6a180b36896a0a8c02787eeafb0e4c
cPanel strength indicator: 28

Password: #password1$
MD5 hash: 29e08fb7103c327d68327f23d8d
cPanel strength indicator: 60

We will now use http://www.md5this.com/ to crack the above hashes. The images below show the password cracking results for the above passwords.

As you can see from the above results, we managed to crack the first and second passwords, which had lower strength numbers. We didn't manage to crack the third password, which was longer, complex, and unpredictable. It had a higher strength number.

Password cracking techniques:
There are a number of techniques that can be used to crack passwords. We'll describe the most commonly used ones below:




a) Dictionary attack – This method involves the use of a wordlist to compare against user passwords.
b) Brute force attack – This method is similar to the dictionary attack. Brute force attacks use algorithms that combine alphanumeric characters and symbols to come up with passwords for the attack. For example, a password of the value "password" can also be tried as p@$word using the brute force attack.
c) Rainbow table attack – This method uses pre-computed hashes. Let's assume that we have a database that stores passwords as MD5 hashes. We can create another database that has MD5 hashes of commonly used passwords. We can then compare the password hash we have against the stored hashes in the database. If a match is found, then we have the password.
d) Guess – As the name suggests, this method involves guessing. Passwords such as qwerty, password, admin, etc. are commonly used or set as default passwords. If they have not been changed, or if the user is careless when selecting passwords, then they can be easily compromised.
e) Spidering – Most organizations use passwords that contain company information. This information can be found on company websites and on social media such as Facebook, Twitter, etc. Spidering gathers information from these sources to come up with wordlists. The wordlist is then used to perform dictionary and brute force attacks.

Spidering sample dictionary attack wordlist:

1976 <founder birth year>
smith jones <founder name>
acme <company name/initials>
built|to|last <words in company vision/mission>
golfing|chess|soccer <founder's hobbies>

Password cracking tools:

These are software programs that are used to crack user passwords. We already looked at a similar tool in the above example on password strengths. The website www.md5this.com uses a rainbow table to crack passwords. We'll now look at some of the commonly used tools.

John the Ripper:

John the Ripper uses the command prompt to crack passwords. This makes it suitable for advanced users who are comfortable working with commands. It uses a wordlist to crack passwords. The program is free, but the wordlist has to be bought. It has free alternative wordlists that you can use. Visit the product website https://www.openwall.com/john/ for more information and how to use it.

Cain & Abel:

Cain & Abel runs on Windows. It is used to recover passwords for user accounts, recover Microsoft Access passwords, sniff networks, etc. Unlike John the Ripper, Cain & Abel uses a graphical user interface. It is very common among newbies and script kiddies because of its simplicity of use. Visit the product website http://www.softpedia.com/get/Security/Decrypting-Decoding/Cain-and-Abel.shtml for more information and how to use it.

Ophcrack:




Ophcrack is a cross-platform Windows password cracker that uses rainbow tables to crack passwords. It runs on Windows, Linux, and Mac OS. It also has a module for brute force attacks, among other features. Visit the product website http://ophcrack.sourceforge.net/ for more information and how to use it.

Password Cracking Countermeasures

An organization can use the following methods to reduce the chances of its passwords being cracked:

* Avoid short and easily predictable passwords.
* Avoid using passwords with predictable patterns like 11552266.
* Passwords stored in the database should be hashed. For MD5 hashes, it is better to salt the password hashes before storing them. Salting involves adding some words to the provided password before creating the hash.
* Most registration systems have password strength indicators; organizations must adopt policies that favor high password strength numbers.
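
The salting countermeasure above, shown as an added example that is not part of the original tutorial: it stores the same password once as unsalted MD5 (the scheme used earlier on this page) and once with a random per-account salt, then checks which record a pre-computed table can reverse. The salted version uses PBKDF2-HMAC-SHA256 instead of MD5 and random bytes instead of fixed words; the function names, record format and iteration count are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Unsalted MD5 values quoted earlier on this page; stands in for a pre-computed table.
PRECOMPUTED_MD5 = {
    "5f4dcc3b5aa765d61d8327deb882cf99": "password",
    "7c6a180b36896a0a8c02787eeafb0e4c": "password1",
}

ITERATIONS = 600_000  # assumed work factor; tune to your own hardware budget


def store_unsalted_md5(password: str) -> str:
    """Weak scheme: every account with this password gets the same digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def store_salted(password: str) -> str:
    """Hardened scheme: fresh 16-byte random salt per account plus a slow KDF."""
    salt = os.urandom(16)
    return f"pbkdf2_sha256${salt.hex()}${_derive(password, salt).hex()}"


def verify_salted(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    scheme, salt_hex, key_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    candidate = _derive(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, bytes.fromhex(key_hex))


def found_in_precomputed_table(record: str) -> bool:
    """True if the stored value can be reversed by a plain table lookup."""
    return record in PRECOMPUTED_MD5


if __name__ == "__main__":
    weak = store_unsalted_md5("password")
    alice, bob = store_salted("password"), store_salted("password")
    print("unsalted record found in table:", found_in_precomputed_table(weak))
    print("salted record found in table:  ", found_in_precomputed_table(alice))
    print("two accounts, same password, same record:", alice == bob)
    print("login check with stored salt:", verify_salted("password", alice))
```

Because each account gets its own salt, two users with the same password no longer share a stored value, and a table built once cannot be reused across accounts.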