Quick LinksWhat Is Password Cracking? How I Cracked My Own Passwords Using HashCat Performing a Simple Crack Using a Dictionary Attack Performing a More Complex Crack Using Masked Brute Force Attacks How to Keep Your Accounts Safe From Password Cracking
Creating a strong and unique password for each account you create is vital. But have you ever wondered how your strong password is broken down and cracked to allow hackers into your accounts?
✕ Remove Ads
I tested three different passwords against an open-source password-cracking tool to find out what really works when it comes to password security.
What Is Password Cracking?
When you create an account with an online service, the provider usually (and hopefully) encrypts your login details on its server. This is done using an algorithm to create a "hash," a seemingly random string of letters and numbers unique to your password. Of course, it's not actually random -- it's a very particular string of characters that only your password can make -- but to the untrained eye, it looks like a mess.
It's far quicker and easier to turn a word into a hash than to "unravel" a hash into a word again. As such, when you set the password, the service you're logging into runs your password through a hash and then stores the result on its server.
✕ Remove Ads
If this password file gets leaked, hackers will try to figure out its contents using password cracking. Because it's faster to encrypt a password than to decrypt it, hackers will set up a system that takes in potential passwords as input, encrypts them using the same method as the server, and then compares the result to the password database.
If the potential password's hash matches any entries in the database, the hacker knows that every hit matches the potential password that was tried.
How I Cracked My Own Passwords Using HashCat
Alright, so let's crack some passwords I've constructed to see how easy it is. To do this, I will use Hashcat, a free and open-source password cracker available for anyone to use.
For these tests, I will crack the following passwords:
123456: A classic password and a cybersecurity nightmare, 123456 is the most commonly used password in the world. NordPass calculated that 3 million accounts used 123456 as their password, 1.2 million of which were protecting corporate-level accounts. Susan48!: A password that follows the patterns most users will use to make a secure password. This usually ticks the boxes for basic password hygiene, but as we'll explore later, it has some critical weaknesses that can be exploited. t9^kJ$2q9a: A password I created using Bitwarden's generator. It was set to generate a 10-character-long password using upper and lower letters, symbols, and numbers. ✕ Remove Ads
Now that we have our passwords, I encrypted them using MD5. This is how the passwords would appear if they were in a saved password file:
123456: e10adc3949ba59abbe56e057f20f883e Susan48!: df1ce7227606805745ee6cbc644ecbe4 t9^kJ$2q9a: 450e4e0ad3ed8766cb2ba83081c0a625
Now, it's time to crack them.
Performing a Simple Crack Using a Dictionary Attack
To start, let's do a dictionary attack, one of the most common methods of attacking passwords. This is a simple attack where I take a list of potential passwords, have Hashcat convert them into MD5, and see if any match the three entries above. For this experiment, I'm using the "rockyou.txt" file as my dictionary, which was one of the biggest password leaks in history.
✕ Remove Ads
To start cracking, I go to the folder Hashcat is in, right-click on an empty space, and click Open in Terminal. Now that the Terminal is open and set to the Hashcat directory, I invoke the Hashcat application with the following command:
.\hashcat -m 0 -a 0 passwordfile.txt rockyou.txt -o results.txt
Here's what the command does:
.\hashcat invokes Hashcat. -m 0: Defines what encryption we'll be using. In this case, we'll be using MD5, which is listed as number 0 on the Hashcat help document. -a 0: Defines the attack we want to do. The Hashcat help documentation lists the dictionary attack as number 0, so we invoke it here. passwordfile.txt rockyou.txt: The first file includes the three encrypted passwords we set up earlier. The second is the entire rockyou password database. -o results.txt: This variable defines where we put the result. In my command, it puts the cracked passwords into a TXT file called "results." ✕ Remove Ads
Despite rockyou's huge size, Hashcat churned through them all in six seconds. In the results file, Hashcat said it cracked the 123456 password, but the Susan and Bitwarden passwords remained uncracked. That's because the 123456 was used by someone else in the rockyou.txt file, but nobody else used the Susan or Bitwarden passwords, meaning they were unique enough to survive this attack.
Performing a More Complex Crack Using Masked Brute Force Attacks
Dictionary attacks work when someone uses the same password as the one found in a bigger list of passwords. They're quick and easy to do, but they cannot crack passwords that aren't in the dictionary. As such, if we want to really test our passwords, we need to use brute force attacks.
If dictionary attacks are all about taking a pre-set list and converting them one by one, brute force attacks do the same but with every conceivable combination available. They're harder to perform and take a lot longer, but they will eventually crack any password. As we'll see soon enough, that eventuality can sometimes take a very long time.
✕ Remove Ads
Here's the command I used to do a "true" brute force attack:
.\hashcat -m 0 -a 3 target.txt --increment ?a?a?a?a?a?a?a?a?a?a -o output.txt
Here's what the command does:
-a 3: This variable defines the attack we want to do. The Hashcat help documentation lists brute force attacks as number 3, so we invoke it here. target.txt: The file containing the encrypted password we want to crack. --increment: This tells Hashcat to try all passwords that are one character long, then two, then three, and so on until we get the solution. ?a?a?a?a?a?a?a?a?a?a: This is what's called a "mask." Masks let us tell Hashcat which characters to use at which spot. Each question mark designates a character position in the password, and the letter dictates what we try in each spot. The letter "a" represents upper and lower case characters, numbers, and symbols, so this mask says, "Try everything on every slot." It's a terrible mask, but we'll put it to good use later. -o output.txt: This variable defines where we put the result. My command puts the cracked passwords into a TXT file called "output." ✕ Remove Ads
Even with this awful mask, the 123456 password broke within 15 seconds. Despite being the most popular password, it's one of the weakest.
The "Susan48!" password was much better -- my PC said it would take four days to crack it blindly. However, there was one problem. Remember when I said the Susan password has some critical flaws? The biggest one is that the password is constructed predictably.
When we create a password, we usually put specific elements in specific spots. You can imagine the person making the Susan password tried using "susan" at first but was told to add capital letters and numbers. To make it easier to remember, they capitalized the first letter and added the numbers to the end. Then, perhaps one login service asked for a symbol, so our password setter stuck it on the end.
As such, we can use the mask to tell Hashcat to try only specific characters at specific spots to exploit how predictable people are when making a password. In this mask, "?u" will only use capital letters at that position, "?l" will only use lowercase letters, and "?a" represents any character:
✕ Remove Ads
.\hashcat -m 0 -a 3 -1 ?a target.txt ?u?l?l?l?l?a?a?a -o output.txt
With this mask, Hashcat breaks the password in three minutes and 10 seconds, which is much faster than four days.
The Bitwarden password is ten characters long and doesn't use any predictable patterns, so I'd have to do a brute-force attack without any masking to crack it. Unfortunately, when I asked Hashcat to do that, it threw an error, saying that the number of possible combinations exceeded the integer limit. IT Security Guru says the Bitwarden password would take three years to crack, so that's good enough for me.
How to Keep Your Accounts Safe From Password Cracking
So, what can we learn from this? The main factors stopping me from cracking the Bitwarden password were its length (10 characters) and unpredictability. As such, when making passwords, try to make them as long as possible and sprinkle in symbols, numbers, and capitals throughout the password. This prevents hackers from using masks to predict where each element is and makes them a lot tougher to crack.
✕ Remove Ads
You may already know old password adages such as "use an array of characters" and "make it as long as possible." Hopefully, you know why people recommend these handy tips -- they're the difference between a cracked password and a safe one.