Attackers have many tools for attacking passwords and user credentials. In this video, you’ll learn about password hashes, brute force attacks, and dictionary attacks.
We use usernames and passwords to authenticate into many different systems. This could be an operating system or an application. But that password has to be stored somewhere. You may, in some rare occasions, find an application that stores a password as plain text. It is in the clear, as we say in the industry, where anybody who comes across that file would be able to read everyone’s password without any type of encryption, hashing, or any other type of security. This is obviously a significant security concern.
If we’re storing passwords as plain text, then anyone who gets their hands on this file will effectively have access to all of your accounts. Unfortunately, if you do find an application that’s storing passwords this way, there’s not much you can do. You can, of course, bring this up to the application developer and ask them to provide you with a version of the application that doesn’t store these passwords. But if they’re not able to make changes to the application, you may want to consider using a different type of application.
Most of the applications and operating systems that store passwords will store that password as a hash. A hash is designed to take a variable length input but represent it as a fixed length string. We often refer to this hash string as a message digest or a fingerprint. This means that, when we store your password, we’re not actually storing the actual password. We’re storing a fingerprint of what that password might be. Once you store that password as a hash, there’s no way to undo the hash and somehow retrieve the original password.
This is one of the main reasons we store passwords as hashes. If somebody does come across this file full of usernames and hash passwords, they still wouldn’t have access to the passwords. Here’s an example of what would be saved in that hashed password file, instead of storing the passwords in plain text. The passwords are very easy to read in plain text. You could see one password is “123456.” Another password is the word “querty.” And this makes it very simple, if someone wants to gain access to these accounts. But if you hash the value “123456,” you get this very long string. Notice, if you hash the password “1234567,” you get a very different hash.
And of course, there’s no way to undo these hashes and somehow retrieve the original password. This format that I’m using here for hashes is a SHA-256 hash. And you’ll find this hash method used for many different types of applications. Here’s a password file that I pulled from one of my systems. It has a set of names. It has an account number associated with each account. And then this long string is the hashed password for each of these individual accounts. The method that’s used to create the hash in this example is different than the one I used in the last example.
That’s because different applications and different operating systems may use different methods and different hash algorithms to store your passwords. So if there’s no way to undo the hashing process, how do hackers manage to get a username and password when they steal these password files? To be able to find these passwords, they use a brute force attack. That means they go through every possible password, obtain the hash for that password, and then compare that hash to something that may already be stored in the password file.
As you can imagine, going through every possible iteration of a password can take an extensive amount of time. And it does take time to go through a brute force attack, until you finally come up with some matches. Let’s take an example of a brute force attack. Let’s say that a hacker has obtained this long hash file. You can see that it ends in 42 delta 8. So the hacker will now go through every possible iteration to try to find this particular hash. So let’s start with hashing the password “aaaaa.” We can see the hash result from that, and we can see that that hash does not match.
So let’s do the next possible password, “aaaab.” We can see the hash that is created for that password. We’ll compare it to the stored hash. We’ll see that that hash does not match. And we’ll continue going through this process for each individual password. Eventually, you’re going to get to a password called, in this case, “password.” We can see here is the hash for the word password. And notice that the hash that’s been created matches the hash that’s in the password file.
So we know, for this particular user account, the user is using the word password as their actual password. There may be some cases where people will try to perform a brute force attack in an online form, which means they’re going to go to a login page. They’re going to try to type in a username and password to see if those two happen to be a match. This is probably going to take some time because you have to put this into a login page on the site. And with most systems and applications, you’ll find that it will automatically lock out an account after a certain number of incorrect password attempts.
The vast majority of these types of brute force attempts are going to occur offline. The hackers will obtain the list of the usernames and the hashes. And then offline, they’ll run through every possible iteration to try to find a match. So once they obtain this file, they can spend all of the time they would like offline trying to recreate what this particular password might be. And they don’t have to worry about a system locking them out or slowing them down. The hackers may also use a number of techniques to speed up this brute force process.
One of these methods is called a dictionary attack. Instead of trying to go through every possible iteration of characters to try to find these passwords, let’s try using some names that you would find in a dictionary. We’ll go through every word in the dictionary. We’ll calculate the hash for each of those words. And we’ll see if those hashes match what’s in the password file. You can also find word lists to download online, so you have effectively your own dictionary of words. And there are a number of word lists that are customized by lines of work.
For example, if you’re in the medical industry, you may find that your dictionary of words is very different than the words you might find in the IT industry. The software that’s used for these brute force attacks can also modify letters to try to find combinations of those. So if someone wants to use “password,” but instead substitute the “a” for an ampersand and the “o” for a “zero,” the software can automatically take that into account and try those iterations as well, as it goes through the dictionary.
Again, this does take time, as we go through the entire list of names to try to find a match. But since the number of words that we’re trying is so much smaller than every possible example, we may be able to find a large number of matches without having to go through the much longer brute force attack. You also find a number of distributed cracking methods, especially in the cloud, where you can use many CPUs trying to perform these brute force attacks all at the same time.
And people have found that the GPUs in our video cards and video adapters are very fast at performing these functions. And many of the software applications that perform these cracks can use that GPU to speed up the process. The results of a dictionary attack are going to go through the list of dictionary words, find the common names, and try to find matches in our file. So you may find that common words like ninja, dragon, football, let me in, or password are hashes that can be found relatively easily by simply going through a dictionary attack.