In recent years, data breaches have repeatedly exposed the records of hundreds of millions of users at a time, and weak passwords have played a part in some of them. You might assume that a sophisticated and experienced hacker is responsible for these events. In reality, given suitable hardware, password ‘crackers’ run automatically, working through candidate passwords until the hashes give way.
Alcorn Group’s Password Hash Cracker
Here at Alcorn Group, we have built a computer system specifically for performing brute-force attacks and cracking password hashes. The system is used by our security consultants to attempt to crack any hashes obtained during engagements. Most commonly it is used on Red Team engagements, once the consultant has been able to retrieve user hashes from Active Directory. The system is built from the following off-the-shelf components:
- Intel i5 CPU
- 32GB RAM
- Gigabyte H110-D3A (Bitcoin Mining) Motherboard
- Corsair AX1600i power supply (running at capacity)
- 4 x Gigabyte GeForce RTX 2080 Ti
- 1 x Asus GeForce GTX 1080
- 1 x Asus GeForce GTX 960
- 6 x PCI-E USB3.0 Risers
- Hydra III 8 GPU Case
As a result of the computational power this system offers, it is capable of running through every possible 8-character NT LAN Manager (NTLM) password within five and a half hours.
However, adding just one character (a 9-character password) took approximately 100 times longer to exhaust: a total of 21 days and 13 hours.
These figures show how much length matters when choosing a password. Each additional character multiplies the number of candidates by the size of the character set (95 for the full printable ASCII set), so the time needed to try every possibility grows exponentially with length.
How Can You Secure Your Password?
While length and blocklist rules can be enforced in the application’s code, the responsibility for choosing and maintaining a secure password still falls to every individual user. To limit the chance that your passwords are cracked, the National Institute of Standards and Technology (NIST), in Special Publication 800-63B, offers the following guidelines:
- A minimum length of eight characters, with a maximum of at least 64 characters permitted
- Acceptance of all printable characters, including spaces and special characters, with no requirement to use any particular class of character
- Rejection of sequential and repetitive characters (e.g. 12345 or aaaaaa)
- Rejection of context-specific passwords (e.g. the name of the site or the user’s own username)
- Rejection of commonly used passwords (e.g. entries from lists of the most frequently chosen passwords)
- Rejection of passwords found in previous breach corpora
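As an added example (not code from the article or from Alcorn Group), here is how an application might enforce the length and blocklist rules listed above in Python. The blocklists are tiny constructed stand-ins for a real common-password list and a breach corpus, and the four-character threshold for a “sequential or repetitive” run is an assumption chosen for the demonstration; NIST does not prescribe a number.

```python
import re

# Constructed blocklists: stand-ins for a real common-password list and a breach corpus.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "welcome1", "iloveyou"}
BREACHED_PASSWORDS = {"summer2019", "dragon123", "monkey1234"}


def is_sequential_or_repetitive(pw: str, run: int = 4) -> bool:
    """True if `pw` contains a run of `run` or more identical characters (aaaa)
    or of consecutive code points in either direction (1234, dcba).
    The threshold of 4 is an assumption for this example."""
    if re.search(r"(.)\1{%d,}" % (run - 1), pw):
        return True
    for i in range(len(pw) - run + 1):
        window = [ord(c) for c in pw[i:i + run]]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(pw: str, context_words=(), min_len: int = 8, max_len: int = 64):
    """Return the list of reasons `pw` fails the NIST-style rules; an empty list
    means it is acceptable. Note what is absent: no rule demands an upper-case
    letter, digit or symbol. Comparisons against the blocklists are case-insensitive."""
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if len(pw) > max_len:
        reasons.append(f"longer than {max_len} characters")
    if is_sequential_or_repetitive(pw):
        reasons.append("contains a sequential or repetitive run")
    low = pw.lower()
    # Context-specific words: the site name, the username, the employer, and so on.
    if any(w.lower() in low for w in context_words if w):
        reasons.append("contains a context-specific word")
    if low in COMMON_PASSWORDS:
        reasons.append("commonly used password")
    if low in BREACHED_PASSWORDS:
        reasons.append("appears in a breach corpus")
    return reasons


if __name__ == "__main__":
    for candidate in ("password", "aaaa1234", "AcmeRocks2024", "Summer2019",
                      "correct horse battery staple"):
        verdict = check_password(candidate, context_words=("Acme", "jsmith"))
        print(f"{candidate!r}: {'ok' if not verdict else ', '.join(verdict)}")
```

The function treats the eight-character minimum as exactly that, a floor: the cracking figures above are the argument for encouraging users to go well beyond it.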
For additional protection, it is also highly recommended that the following are taken into consideration:
- Avoid context-specific words. For example, if you work as a Corrections Officer, avoid using the word ‘Officer’.
- Avoid words found in a dictionary. Common words from dictionaries are frequently tried first.
- Use passwords in conjunction with Multi-Factor Authentication (MFA), biometrics, or single sign-on (SSO) systems.
- Avoid reusing passwords across different services to reduce the chance of compromise on multiple accounts.
- Consider using passphrases rather than passwords. A passphrase is several words forming a phrase that is easy to remember but hard to guess, and is a simple way to increase length.
Good password hygiene is the key to keeping your systems secure: the longer and harder to guess a password is, the more it costs an attacker and their tools to crack. A password manager is the practical way to achieve this. Password managers are readily available, keep all your passwords encrypted locally behind a single long, strong passphrase, and include a generator that produces long, unique, random passwords for every service, so you no longer need to memorise any of them.
What is a Password Hash?
Whether password cracking succeeds depends heavily on how robustly an application stores its passwords. Storing passwords securely is essential when developing new infrastructure or applications, and helps limit the damage of a data breach, yet it is often overlooked. Hashing passwords is the standard approach to this layer of protection.
A hash function is a one-way function that maps input of any size (in this case, a password) to a fixed-length output. When a user signs up for an account, the application stores the hash of the chosen password rather than the characters the user typed. When the user later logs in, the entered password is passed through the same hash function and the result is compared with the value stored in the application’s database; if the two hashes match, the user is granted access. Storing hashes instead of plain text means an attacker who retrieves the database in a breach still has to recover each password from its hash.
What is a Brute Force Attack?
Hashing alone is not enough to stop a determined attacker, because brute-force attacks can be run with sufficient computational power. A brute-force attack cracks a password by generating every possible candidate, hashing each one and comparing the result with the stolen hash; when the two match, the password is known, or cracked. The figures above are only achievable because NTLM is a very fast hash: a single modern GPU computes billions of NTLM hashes per second.
What is Salting?
To make cracking harder, hashes can be ‘salted’. Salting adds a random value, unique to each password, to the password before it is hashed, so that even identical passwords produce different hashes. Hash functions are designed so that the slightest change to the input drastically changes the output, which is why a different salt yields an entirely different hash. The salt is normally stored alongside the hash and is not a secret; its protection comes from making precomputed tables of hashes useless and forcing the attacker to attack every stored hash individually, so the work grows with the number of accounts rather than being done once. NTLM hashes are unsalted, which is one reason the figures above are achievable; modern password storage combines a per-user salt with a deliberately slow hash such as bcrypt, scrypt or Argon2.
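An added example (not code from the article or from Alcorn Group) showing in Python why a salt helps even when the attacker who steals the database also gets the salts. SHA-256 from the standard library stands in for the application’s hash so the mechanics stay visible; the wordlist and user records are constructed for the demonstration.

```python
import hashlib
import os
from typing import Optional

# Constructed wordlist standing in for a breach corpus; the user records below are also constructed.
WORDLIST = ["123456", "password", "letmein", "qwerty", "summer2019", "welcome1"]


def hash_unsalted(password: str) -> str:
    """Plain SHA-256: the same password always produces the same stored hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes) -> str:
    """Salted SHA-256. The salt is random per user and stored next to the hash;
    it is not a secret, it only guarantees that every stored hash is unique."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def store_salted(password: str, salt: Optional[bytes] = None):
    """What the application writes to its database for one user: (salt, hash)."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hash_salted(password, salt)


def build_lookup_table(words):
    """Attacker precomputes hash -> password once. Against unsalted storage this
    table (or a downloaded rainbow table) works for every user in every breach."""
    return {hash_unsalted(w): w for w in words}


def crack_unsalted(stored, table):
    """One dictionary lookup per user; no hashing at all at crack time."""
    return {user: table.get(h) for user, h in stored.items()}


def crack_salted(stored, words):
    """The attacker holds every salt (it sits in the same table as the hash) but
    must rehash the whole wordlist for each user. Returns (results, hashes computed)."""
    results, work = {}, 0
    for user, (salt, h) in stored.items():
        results[user] = None
        for w in words:
            work += 1
            if hash_salted(w, salt) == h:
                results[user] = w
                break
    return results, work


if __name__ == "__main__":
    users = {"alice": "letmein", "bob": "letmein", "carol": "correct horse battery staple"}

    unsalted_db = {u: hash_unsalted(p) for u, p in users.items()}
    print("unsalted: alice and bob share a hash:", unsalted_db["alice"] == unsalted_db["bob"])
    table = build_lookup_table(WORDLIST)           # built once, reusable against any breach
    print("unsalted:", crack_unsalted(unsalted_db, table), "with 0 hashes at crack time")

    salted_db = {u: store_salted(p) for u, p in users.items()}
    print("salted: alice and bob share a hash:", salted_db["alice"][1] == salted_db["bob"][1])
    results, work = crack_salted(salted_db, WORDLIST)
    print("salted:", results, "after", work, "hashes")
```

Against the unsalted table the attacker hashes the wordlist once and then answers every user with a dictionary lookup, and alice and bob are exposed together because their stored hashes are identical. Against the salted table the wordlist has to be rehashed for every user, so the cost scales with the number of accounts instead of staying flat. In production the salted hash would also be a deliberately slow function such as bcrypt, scrypt or Argon2, which multiplies that per-user cost again.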
Alcorn Group is committed to continual investment in password security. We will continue to utilise hardware such as our password hash cracker during engagements in order to crack simple passwords, educating our clients on the importance of password security.