Today we will learn about Ethical hacking: How to crack long passwords.
They serve as the keys to your financial, social and entertainment worlds online and are one of the most commonly used tools to verify your identity, but for the most part, passwords are relatively easy for hackers to crack. In fact, according to one survey, the average user has at least 27 separate online passwords to remember, which means most users keep their passwords simple, similar, and memorable. Fortunately, as an ethical hacker, you may only need to crack one to get where you need to go.
However, as cyber hygiene increases, password requirements become more complex, and cybersecurity training continues to become a common part of employee training, white-hat hackers will soon be faced with longer and more complex passwords as they ply their trade.
But as they say, when there’s a will, there’s a way. In this article, we will look at the tools and techniques available to help you crack or bypass longer passwords. However, you will need to supply the willpower.
When traditional tools fall short in Ethical Hacking
While Microsoft requires passwords to meet certain complexity requirements, such as a minimum password length of at least eight characters, Google also recommends that passwords be at least 8 characters long.
Although these are only two big players in the industry, it represents a larger trend of users moving to larger and more complex passwords. Of course, this happens because companies know that hackers can use automated tools to crack anything that’s seven characters or less. However, as more characters are added combined with more complex characters, it can easily take a century for these same tools to break them. In fact, it grows exponentially as more characters are added:
- 5 characters = 10 seconds
- 6 characters = 1000 seconds
- 7 characters = 1 day
- 8 characters = 115 days
- 9 characters = 31 years
- 10 characters = 3000 years
Obviously, other factors such as complexity and unpredictability play a role in determining password strength. But password length can be the biggest hurdle for hackers to overcome in Ethical hacking.
Additionally, the method used to attempt to crack a password can affect success. For example, rainbow table and dictionary attacks (where precomputed passwords, hashes, or lists of words are compared to user passwords) must have the target’s password in the database to work. If it is not, it will not be possible to crack it. And as seen above, brute force can easily take an almost unimaginable amount of time to crack a password.
Attempting to crack longer passwords
Once passwords exceed seven characters, they can be characterized as long, with many common tools not powerful enough to cope with the multitude of variables on their own. In this case, attackers must start making assumptions about the target password and add them to the tools they use. For example, a dictionary attack can be supported by knowledge of common words, phases, numbers, dates, names, or other potential characters of interest to the target.
If that doesn’t work, password cracking tools like John the Ripper, Ophcrack, and Cain & Abel can be tuned to crack hashes generated by known systems. For example, instead of using word lists, John the Ripper can be formatted to use Windows NT or LAN Manager password hashes. Although it may take several iterations, if an attacker is able to gain access to the domain, list all users in the domain, and run John the Ripper in several iterations along with some data cleaning, they may eventually reveal access to a working password.
Other tools, namely L0phtCrack, are designed specifically to attempt to crack Windows password hashes. While it may not be the hacker’s original target or target, finding the weakest of all available targets could allow an attacker to find an alternate way in.
Finally, password cracking can also vary depending on the type of system targeted. For example, tools like THC Hydra were created to crack network login passwords, including a range of protocols from Cisco, HTTP and VMware, while Brutus targets POP2, FTP, SMB and Telnet services.
Find another way
As you have seen, brute forcing long passwords using common tools, techniques and computing resources is not a feasible or reliable technique. Fortunately, an attacker has other avenues to explore when it comes to gaining access to a system. In other words, does the attacker really have to crack the password or just bypass the prompt?
If it’s the latter, the attacker has several options. The first is social engineering, which, as the 2019 Verizon Data Breach Investigations Report suggests, is a very common and prolific hacker method. Specifically, of the 2,013 data breaches analyzed in the Verizon study, phishing was involved in 32 percent of breaches and 78 percent of cyber espionage cases. A well-placed phishing or spearphishing email, or a very patient attacker, can often use human error as a way to get the credentials they need.
The second, more complex method is to collect a physical image of the target computer. However, this required physical access to the victim’s computer or laptop. One approach involves using a bootable flash drive computer such as the very fast Arch Linux. From there, an attacker can use one of a variety of vulnerabilities to gain access to a device’s Windows image and copy specific files or an entire directory, depending on their goals and the amount of time they have. Although it is designed to help restore access to a computer legally and legitimately, it can also be used by attackers in Ethical hacking.
As with many other aspects of a cyberattack, hackers must be comfortable using a wide variety of tools and techniques against their targets’ digital and human vulnerabilities. However, because password requirements cause users to generate longer and more complex passwords, hackers will need to evaluate whether the cost of cracking a password is really worth it—especially when less technical or other system or programmatic attacks might be more fruitful.
Sources of Ethical hacking
- Survey Says: People Have Way Too Many Passwords To Remember, BuzzFeed News
- Password must meet complexity requirements, Microsoft Docs
- Create a strong password & a more secure account, Google Account Help
- 2019 Data Breach Investigations Report, Verizon
- John the Ripper password cracker, Openwall
- Download Cain & Abel, Softpedia