
Three Password Cracking Techniques and How to Defend Against Them

News Room
Last updated: 2025/02/26 at 8:47 AM
News Room Published 26 February 2025

Feb 26, 2025The Hacker NewsIdentity Protection / Password Security

Passwords are rarely appreciated until a security breach occurs; suffice it to say, the importance of a strong password becomes clear only when faced with the consequences of a weak one. However, most end users are unaware of just how vulnerable their passwords are to the most common password-cracking methods. The following are the three common techniques for cracking passwords and how to defend against them.

Brute force attack

Brute force attacks are straightforward yet highly effective techniques for cracking passwords. These attacks involve malicious actors using automated tools to systematically try every possible password combination through repeated login attempts. While such tools have existed for years, the advent of affordable computing power and storage has made them even more efficient today, especially when weak passwords are used.

How it works

When it comes to brute force attacks, malicious actors employ a range of tactics—from simple brute force attacks that test every possible password combination to more nuanced approaches like hybrid and reverse brute force attacks. Each method has a distinct strategy behind it, but the motives behind brute force attacks are the same: to gain unauthorized access to protected data or resources.

Some popular automated tools for carrying out brute force attacks include:

  • John the Ripper: a multiplatform password cracker with support for 15 different operating systems and hundreds of hashes and cipher types
  • L0phtCrack: a tool that uses rainbow tables, dictionaries, and multiprocessor algorithms to crack Windows passwords
  • Hashcat: a cracking/password recovery utility that supports five unique modes of attack for over 300 highly-optimized hashing algorithms

Examples

Back in August 2021, U.S. mobile operator T-Mobile fell victim to a data breach that started with a brute force attack. The security compromise resulted in the exposure of over 37 million customer records containing sensitive data like social security numbers, driver’s license information, and other personally identifiable data.

Defense measures

Users should choose strong, complex passwords and enable multi-factor authentication (MFA) to protect against brute force attacks. Administrators should implement account lockout policies and continuously audit their Windows environments for weak and breached passwords. Tools like Specops Password Auditor can automate these processes across expansive IT environments.
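A sketch of the account lockout policy described above, added here as an illustration and not taken from the original article: it counts failed logins per account in a sliding window and also flags a source that fails against many different accounts, the pattern a reverse brute force attack produces. The log format, thresholds and sample lines are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def make_sample_log():
    """Constructed lines: '<ISO time> <source IP> <account> <FAIL|OK>'."""
    lines = [f"2025-02-26T08:00:{s:02d} 203.0.113.5 alice FAIL"
             for s in range(0, 50, 10)]                      # 5 quick failures
    lines += [f"2025-02-26T08:05:{i:02d} 198.51.100.7 {user} FAIL"
              for i, user in enumerate(["bob", "carol", "dave", "erin"])]
    lines += ["2025-02-26T08:06:00 192.0.2.9 frank FAIL",
              "2025-02-26T08:06:20 192.0.2.9 frank FAIL",
              "2025-02-26T08:06:40 192.0.2.9 frank OK"]      # a mistyped password
    return lines


def evaluate(lines, max_failures=5, max_accounts=4,
             window=timedelta(minutes=10)):
    """Return (accounts to lock, sources failing against many accounts).

    Assumes the lines are in chronological order. Thresholds are assumptions.
    """
    per_account = defaultdict(deque)   # account -> recent failure times
    per_source = defaultdict(dict)     # source -> {account: last failure}
    locked, spraying = set(), set()
    for line in lines:
        stamp, source, account, result = line.split()
        now = datetime.fromisoformat(stamp)
        if result == "OK":
            per_account[account].clear()   # success resets the counter
            continue
        fails = per_account[account]
        fails.append(now)
        while now - fails[0] > window:     # keep only failures in the window
            fails.popleft()
        if len(fails) >= max_failures:
            locked.add(account)
        seen = per_source[source]
        seen[account] = now
        for name in [a for a, t in seen.items() if now - t > window]:
            del seen[name]
        if len(seen) >= max_accounts:
            spraying.add(source)
    return locked, spraying


if __name__ == "__main__":
    print(evaluate(make_sample_log()))
```

Per-account lockout alone misses the second source in the sample, because it fails only once against each account; the per-source count is what surfaces it.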

Dictionary attack

In a password dictionary attack, cyber attackers try to gain access by using a list of common passwords or words from a dictionary. This predefined word list typically includes the most often used words, phrases, and simple combinations (e.g., “admin123”). Password dictionary attacks underscore the importance of complex, unique passwords, as these attack types are especially effective against weak or easily guessable passwords.

How it works

The process starts with compiling a list of potential passwords from data breaches, common password lists, or publicly available resources. Using an automated tool, malicious actors perform a dictionary attack, systematically testing each password against a target account or system. If a match is found, the hacker can gain access and carry out subsequent attacks or movements.

Examples

Malicious actors used password dictionaries to crack hashed passwords in several high-profile security incidents, such as the 2013 Yahoo data breach and the 2012 LinkedIn data breach. This allowed them to steal the account information of billions of users.

Defense measures

When creating or resetting passwords, users should use a combination of letters, numbers, and special characters, and avoid using common words or easily guessable phrases. Administrators can implement password complexity requirements in their policies to enforce these mandates across the organization.

Rainbow table attacks

A rainbow table attack uses a special table (i.e., a “rainbow table”) made up of precomputed strings or commonly used passwords and corresponding hashes to crack the password hashes in a database.

How it works

Rainbow table attacks work by exploiting chains of hashing and reduction operations to efficiently crack hashed passwords. Potential passwords are first hashed and stored alongside their plaintext counterparts in the rainbow table, then processed with a reduction function that maps them to new values, resulting in a chain of hashes. This process is repeated multiple times to build the rainbow table. When hackers obtain a hash list, they can reverse lookup each hash value in the rainbow table—once a match is identified, the corresponding plaintext password is exposed.

Examples

While salting (a method of adding random characters to passwords before hashing) has reduced the effectiveness of rainbow table attacks, many hashes remain unsalted; additionally, advances in GPUs and affordable hardware have eliminated the storage limitations once associated with rainbow tables. As a result, these attacks continue to be a likely tactic in current and future high-profile cyber-attacks.

Defense measures

As mentioned previously, salted hashes have significantly reduced the effectiveness of precomputed tables; organizations should therefore implement strong hashing algorithms (e.g., bcrypt, scrypt) in their password processes. Administrators should also regularly update and rotate passwords to reduce the likelihood of rainbow table dictionary matches/hits.
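The effect of salting, as an added example that is not part of the original article: two accounts with the same password store identical unsalted SHA-256 digests, so one precomputed table applies to both, while scrypt with a fresh random salt per account stores different values that still verify. The scrypt work factors and the 16-byte salt length are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os

# Assumed scrypt work factors; tune to the hardware that verifies logins.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, maxmem=64 * 1024 * 1024, dklen=32)


def unsalted_sha256(password):
    """Weak scheme: the digest depends on the password alone."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password):
    """Return (salt, key): scrypt output under a fresh random salt."""
    salt = os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return salt, key


def verify_password(password, salt, key):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, key)


def compare_schemes(password="admin123"):
    """Store the same password for two accounts under both schemes."""
    salt_a, key_a = hash_password(password)
    salt_b, key_b = hash_password(password)
    return {
        # Identical digests: a table computed once matches every account.
        "unsalted_records_match": unsalted_sha256(password) == unsalted_sha256(password),
        # Different salts give different keys for the same password.
        "salted_records_match": key_a == key_b,
        "correct_password_verifies": verify_password(password, salt_a, key_a),
        "wrong_password_verifies": verify_password(password + "x", salt_a, key_a),
    }


if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(f"{name}: {value}")
```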

In short, passwords aren’t perfect, but complex and sufficiently long passphrases remain a vital first line of defense against advanced password-cracking techniques. Tools like Specops Policy provide an extra layer of protection by continuously scanning Active Directory against a database of over 4 billion breached passwords. Contact us for a free demo today.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.
