Attackers know that the password is often the only security feature preventing access to your private information. In this video, you’ll learn about secure password storage, brute force attacks, and dictionary attacks.
Our passwords are often the only credential that’s preventing somebody from gaining access to one of our services. Occasionally, you’ll run into a service that stores these passwords in the clear, or in an unencrypted form, where anybody can read the password on that particular service if they know where to look. This is fortunately very rare, but occasionally you will run into an application that stores their passwords in this insecure method.
The best practice for passwords is to never store the passwords as plain text. If anyone does happen to come across that file or that database containing the passwords, they would effectively have everyone’s credentials. Unfortunately, if this is an application that the developers won’t change, then you’ll either have to continue using the application with those security concerns or remove that application from your network entirely.
So how should you store a password? One very common way is to store it as a hash. A hash is a cryptographic method that takes an input of information, like a password, and creates a fixed length string of text. We refer to this text as a message digest or a fingerprint. We call it a fingerprint because each type of input into the hashing function has a completely separate and different output than any other input.
Like a fingerprint, your password creates a very unique hash and no other type of input should make exactly that same hash. The goal is to create a hashing function that would be very difficult to have exactly the same fingerprint or hash between two different inputs. We refer to this duplication as a collision. And if we find that a hashing function has a number of these collisions, then we may decide to use a different type of hashing function.
Another important characteristic of a hash is once you create the hash, there’s no way to undo that process to get back to the original message. This is something that’s perfect for passwords because we could hash the password. But there would be no way to undo the hash to somehow derive what the original password happened to be. Here’s an example of some hashing functions. The hash we’re using here is specifically the SHA-256 hash function.
And you can see I have a number of passwords like 123456, 1234567, qwerty, and password. And you can see that we have the same length of hash for every single one of those inputs. But you can also see that the differences between these hashes are very dramatic between all four of these passwords. Even with a password like 123456 and 1234567, we’re only one letter is the different hashes are very, very different between them.
You’ll find the different operating systems and different applications use different hashing functions and store the hashes in different ways. This is the password file from a Linux device, and you can see it’s stored with the username, the number of the account, and then the password hash included on the same line. Although you can’t undo the hashing process to determine what the original password was, you could perform a brute force attack of the hash where you’re trying every possible password combination to see if it matches the hash that you’ve already stored.
This is called a brute force attack, and depending on the type of hash you’re using, it could take a very long amount of time to go through every possible password combination until you happen to find an identical hash. Let’s perform a brute force attack. And let’s use as a hash this value that we have here on the screen. To perform the brute force, we need to start stepping through every possible combination of letters, numbers, and special characters until we can match that hash.
So let’s start with the password of A-A-A-A-A. If we look at the hash of that value, we can see it does not match the hash that we were looking for. So let’s go the next one on our list, which would be A-A-A-A-B. And if we examine that hash, that doesn’t match. The next is A-A-A-A-C. That one also does not match. And you can see why this might take a very long period of time before we ever find a match.
If we keep going through this brute force over and over and over again, eventually, we’ll get to the word password, which does match the hash that we have here. So we were able to determine that in this case, the password that was used to create this hash is the word password. Performing a brute force attack online can not only be time consuming, but often, it’s not very feasible.
You would use a username with a particular password. When that didn’t work, we would try another password. When that didn’t work, we would try another password. But very quickly, we’re going to run into a lockout on this account, because after a certain number of failed login attempts, the system will automatically lock that account.
The hackers are much smarter than this. They will take the hash file offline. And they’ll begin performing the brute force attack themselves with their own application. They’ll perform the same calculation of the hash values. They’ll compare it to the hash that they’ve stored on their system. And they’ll keep going through all of them over and over again until they find a match.
This is obviously going to use a lot of CPU resources as we go through every possible password combination for every single account that we might have hashes for. Fortunately for the attacker, human beings like to use real words as part of their password. So instead of going through every single iteration of letters, numbers, and special characters, the attacker can instead use a set of words that they can find in the dictionary. We obviously refer to this as a dictionary attack. And we can assume that it’s going to take much shorter amount of time to go through a dictionary attack, because there’s a smaller number of words in a dictionary than there is for any combination of letters, numbers, and special characters.
Obviously, the attacker is hoping that the users have selected real words as part of their password. And if any have, they’ll be able to identify it with a dictionary attack. The attackers might also use a set of specialized word lists that they can download from the internet. For example, if they retrieved a set of hashes from a medical facility, they might want a dictionary that has more medical terms inside of it.
And if you think you can fool the hackers by changing an O to zero 0 or an L to a seven, they have already thought of this. So during the dictionary attack, they will also change out letters that are commonly substituted when people are creating a password. Even though the number of possible words you would go through is smaller, you’re still using a lot of CPU cycles. So you would probably have a distributed cracking method or use a graphical processing unit or your graphics card to be able to provide additional CPU for this cracking process.
The limitation from a dictionary attack, of course, is that anything that is not in the dictionary won’t be discovered by this attack. But if someone is using standard words like ninja, dragon, football, let me in, or password, a dictionary attack is perfect for finding these passwords.