In recent years there has been a steady stream of data breaches, some affecting hundreds of millions of users at a time, and a number of them have been traced back to weak passwords. You might assume that a sophisticated, experienced hacker is behind every one of these events. In reality, given the right hardware, password ‘crackers’ run unattended, churning through candidate passwords until the hashes give up their secrets.

Alcorn Group’s Password Hash Cracker

Here at Alcorn Group, we have built a computer system specifically for performing brute-force attacks and cracking password hashes. The system is used by our security consultants to attempt to crack any hashes obtained during engagements, most commonly on Red Team engagements once a consultant has retrieved user hashes from Active Directory. The components used in the build, all off-the-shelf hardware, are listed below:

Inside the Password Hash Cracker

As a result of the enormous computational power this system offers, it can exhaust every possible 8-character password against an NT LAN Manager (NTLM) hash in five and a half hours, as demonstrated below. NTLM is a particularly soft target: the hash is a single unsalted MD4 of the UTF-16LE password, so a GPU rig can test many billions of candidates per second.

8 Character Password Crack Time

However, adding just one more character (9 characters) made the same exhaustive run take roughly a hundred times longer: 21 days and 13 hours in total:

9 Character Password Crack Time

These figures show just how much length matters. Each additional character multiplies the number of candidates the cracker must try by the size of the character set, so the crack time grows exponentially with length: nine characters already costs weeks, and every further character costs roughly two orders of magnitude more.
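To make that scaling concrete, here is a small Python calculation added by the editor (it is not Alcorn Group's tooling). It assumes the runs drew candidates from the 95 printable ASCII characters, which the post does not state, and takes the two measured times at face value; from those it derives the hash rate the 8-character run implies, checks the measured 9-character time against it, and projects how long longer passwords would take on the same hardware.

```python
from datetime import timedelta

# Assumption (not stated in the post): candidates drawn from the 95 printable
# ASCII characters. Change this if the real runs used a different mask.
CHARSET_SIZE = 95

# Measured times quoted in the post for exhausting 8- and 9-character NTLM keyspaces.
MEASURED = {
    8: timedelta(hours=5, minutes=30),
    9: timedelta(days=21, hours=13),
}


def keyspace(length, charset_size=CHARSET_SIZE):
    """Number of candidate passwords of exactly `length` characters."""
    return charset_size ** length


def implied_hash_rate(length, elapsed, charset_size=CHARSET_SIZE):
    """Hashes per second needed to exhaust a `length`-character keyspace in `elapsed`."""
    return keyspace(length, charset_size) / elapsed.total_seconds()


def projected_time(length, hash_rate, charset_size=CHARSET_SIZE):
    """Worst-case time to exhaust the keyspace at `hash_rate` hashes per second."""
    return timedelta(seconds=keyspace(length, charset_size) / hash_rate)


def measured_ratio():
    """How many times longer the 9-character run took than the 8-character run."""
    return MEASURED[9] / MEASURED[8]


def projection_table(lengths, hash_rate=None):
    """Map length -> projected exhaustion time, defaulting to the rate implied by the 8-char run."""
    if hash_rate is None:
        hash_rate = implied_hash_rate(8, MEASURED[8])
    return {n: projected_time(n, hash_rate) for n in lengths}


if __name__ == "__main__":
    rate = implied_hash_rate(8, MEASURED[8])
    print(f"implied rate: {rate:.3g} H/s")
    print(f"measured 9-char / 8-char ratio: {measured_ratio():.1f} (charset size {CHARSET_SIZE})")
    for n, t in projection_table(range(8, 13), rate).items():
        print(f"{n} chars: {keyspace(n):.3g} candidates -> {t.days} days ({t.days / 365.25:.3g} years)")
```

The measured ratio comes out at 94, which is what a 95-character set predicts, and the projected 9-character time lands within a few percent of the 21 days 13 hours actually observed; the same arithmetic puts 12 characters at tens of thousands of years on this rig.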

How Can You Secure Your Password?

While an application can enforce length and complexity rules in code, keeping a password secure is ultimately the responsibility of each individual user. To limit the chance of your passwords being cracked, the National Institute of Standards and Technology (NIST), in its Digital Identity Guidelines (SP 800-63B), offers the following guidance on passwords:

For additional protection, it is also strongly recommended that you consider the following:

Good password hygiene is key to keeping your systems secure: the longer and harder to guess a password is, the safer it is from attackers and their tools. One way to achieve this is to use a password manager. Password managers are readily available and are a quick and safer way of keeping all of your passwords in one protected place. Combine a long, strong passphrase to unlock the manager, local encryption of the stored passwords and a built-in generator that produces strong, unique, long passwords for every account, and your passwords become far safer without you having to memorise any of them. One caveat: the master passphrase now protects everything, so make it long and never reuse it anywhere else.

What is a Password Hash?

How hard a password hash is to crack depends heavily on how robustly the application stores it. Storing passwords securely is essential when building new infrastructure or applications, and limits the damage of a data breach, yet it is often overlooked. Hashing passwords is the standard way of adding this layer of protection.

A hash function is a one-way function: it maps input of any size (here, a password) to a fixed-length output, and it is infeasible to recover the input from that output. When a user signs up, the application stores the hash of the chosen password rather than the characters the user typed. When the user logs in, the submitted password is passed through the same hash function and the result is compared with the stored value; if the two hashes match, the user is granted access. This avoids storing passwords in plain text and forces an attacker who steals the database to crack each hash rather than simply read the passwords. One caveat: general-purpose hashes such as MD4 (which NTLM uses), MD5 and SHA-1 are designed to be fast, which is exactly what a cracker wants. New applications should store passwords with a deliberately slow, salted password-hashing function such as bcrypt, scrypt or Argon2, which raises the cost of every guess by orders of magnitude.

What is a Brute Force Attack?

Hashing a password is not enough on its own, because an attacker with sufficient computing power can simply guess. A brute-force attack runs a program that generates every possible password in turn, hashes each one and compares the result with the hash being attacked; when the two hashes match, the password is known, or ‘cracked’. In practice crackers try dictionaries and mutation rules before falling back to exhaustive search, which, as the timings above show, is only practical for short passwords.

What is Salting?

To make cracking harder, hashes can be ‘salted’. A salt is a unique random value, generated per user, that is combined with the password before hashing and stored alongside the resulting hash. Because the slightest change to a hash function’s input drastically changes its output, two users with the same password end up with different hashes. Note that the salt is not a secret: an attacker who steals the database normally gets the salts too. What salting defeats is precomputation and batch cracking: rainbow tables and previously cracked hashes are useless against it, and every hash has to be attacked separately rather than all of them at once in a single pass through the keyspace. NTLM hashes are unsalted, which is one reason an entire Active Directory dump can be cracked so efficiently.
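The following Python program is an example added by the editor to illustrate the three sections above (hashing, brute force and salting); it is not Alcorn Group’s tooling. SHA-256 stands in for NTLM’s MD4 so that it runs on a stock Python install, the user records are constructed, and the keyspace is shrunk to PINs of up to four digits so the exhaustive search finishes instantly. It counts hash evaluations to show why a list of unsalted hashes can be attacked in one pass while salted hashes must be attacked one at a time.

```python
import hashlib
import hmac
import itertools
import os
import string

# Constructed sample accounts (not real data). alice and bob chose the same PIN.
SAMPLE_USERS = {"alice": "7351", "bob": "7351", "carol": "0042"}

# Toy keyspace so the exhaustive search is instant: digits, length 1..4 (11,110 candidates).
ALPHABET = string.digits
MAX_LEN = 4


def hash_unsalted(password):
    """Fast, unsalted hash: the same password always yields the same digest (as NTLM does)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_salted(password, salt=None):
    """Per-record random salt prepended to the password before hashing; returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def verify_salted(password, salt, stored_digest):
    """Login check: rehash with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_salted(password, salt)[1], stored_digest)


def register_users(users):
    """Build both storage layouts side by side: user -> digest, and user -> (salt, digest)."""
    unsalted = {u: hash_unsalted(p) for u, p in users.items()}
    salted = {u: hash_salted(p) for u, p in users.items()}
    return unsalted, salted


def candidates(alphabet=ALPHABET, max_len=MAX_LEN):
    """Exhaustive search order: every string of length 1..max_len over the alphabet."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            yield "".join(combo)


def crack_unsalted(stored):
    """Brute force a dict user -> digest. One hash per candidate is checked against every target."""
    pending = {}
    for user, digest in stored.items():
        pending.setdefault(digest, []).append(user)
    cracked, evaluations = {}, 0
    for cand in candidates():
        evaluations += 1
        for user in pending.pop(hash_unsalted(cand), []):
            cracked[user] = cand
        if not pending:
            break
    return cracked, evaluations


def crack_salted(stored):
    """Brute force a dict user -> (salt, digest). The salt differs per record, so each costs a full search."""
    cracked, evaluations = {}, 0
    for user, (salt, digest) in stored.items():
        for cand in candidates():
            evaluations += 1
            if hash_salted(cand, salt)[1] == digest:
                cracked[user] = cand
                break
    return cracked, evaluations


if __name__ == "__main__":
    unsalted, salted = register_users(SAMPLE_USERS)
    print("same PIN, same unsalted digest:", unsalted["alice"] == unsalted["bob"])
    print("same PIN, same salted digest:  ", salted["alice"][1] == salted["bob"][1])
    print("login alice/7351:", verify_salted("7351", *salted["alice"]))
    for name, crack, store in (("unsalted", crack_unsalted, unsalted), ("salted", crack_salted, salted)):
        found, n = crack(store)
        print(f"{name}: cracked {found} in {n} hash evaluations")
```

Against the unsalted store every account falls in a single sweep of 8,462 hashes, because each candidate is hashed once and looked up against all three targets at the same time; against the salted store the same three PINs cost 18,077 hashes, since alice and bob no longer share a digest and each record has to be searched independently. Real crackers such as hashcat apply exactly the unsalted trick to an NTLM dump: one hash per candidate, matched against the whole domain’s list of hashes.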

Alcorn Group is committed to continual investment in password security. We will continue to utilise hardware such as our password hash cracker during engagements in order to crack simple passwords, educating our clients on the importance of password security.
