Blog The linguistic musings of a creative virtuoso.

Cracking Passwords

This is for whomever keeps trying to access my account and requesting and password reset, I invariably, but mainly politely, would like to ask you to cease and desist. You have been trying for many years to gain control of my account and it's starting to get on my nerves now. You will not be able to crack my password. I can promise you that; and here's why...

Before I begin my little rant about why you would be wasting your time trying to crack[1] passwords, I'd like to ask that you do not confuse me with being an expert on the dark-arts of cracking as I do not believe in its practice and my knowledge on the practice only extends to the depths of this article. Therefore, I cannot and will not speak upon anything further other than the concepts discussed below.

Now let us just assume you are trying to use a method of penetration called Brute Force. For those of you who don't know, brute force password cracking relies on a specific type of software. All it does essentially is run through any combination of words and numbers supplied by a "word list", submitting them over and over again until the correct password has been selected. You would think this type of cracking would be impractical but it has been known to work throughout history and can be pretty efficient given a little knowledge about the account owner.

Now, you can try a brute force attack on a login page. I'm sure a lot of attacks happen on web servers on a daily basis, most of which are automated from botnets. You would think in theory, these "online dictionary" attacks would be an obvious route to go, however, in practice, they're extremely limited to the rate at which said target server is allotted to process each successfully submitted username/password request. Which in turn makes it that much more impractical considering many servers will stop responding after so many failed attempts to log on. 

For the sake of argument, let us go ahead and say that a server has a vulnerability which enabled our cracker to gain access to the SQL database. Our cracker would then start the rigorous task of searching manually for hashed passwords; needing to siphon through all available databases and their applicable tables and the tables data that's contained therein. Assuming our cracker finds what they're looking for, they can then download these hashed passwords to a text file and then use this file as a word dictionary in hopes to exploit access to said account by means of brute force. The only way you can brute force an attack so quickly is to know the end-resulting password hash. Even if you were successful enough to gain a text file containing hashed passwords for the server, attempting to brute force against a website's login page would render the server inaccessible because you would unwittingly DDOS[2] the server before you were able to gain control of said account anyway.

Nowadays, administrators are salting[3] each password, which protects against users choosing weak passwords (e.g. standard dictionary words). On top of that, administrators aren't using the mainstream hashes like MD5 or SHA1 but instead are making use of Key Derivation Function[4] like you will see with algorithms such as BCrypt or PBKDF2. These algorithms enable you to define a cost factor, which defines how many iterations are done. Thus, allowing you to control how many times it is used to calculate a single hash depending on what is feasibly possible by your environment. This would increase the computation time per-guess significantly. We are talking about anywhere up to several tenths of a second per-guess. 

Here is an estimate of the time required for an exhaustive password search attack, when the password is just a random sequence of lowercase Latin letters. The most complex task for password search attack is SHA-256 calculation. Special SHA-256 hardware or GPU can be used to accelerate password search attacks. Now modern GPU can provide about 10 times more performance for SHA-256 calculations than modern CPU and special SHA-256 hardware can provide about 20 times more performance than GPU.

Let us assume that our cracker has a budget of about $2,000 (for GPUs) so they can check 10,000 passwords per second. Now an organization with a budget of about $109 (one billion US dollars) can check three times 1012 (one trillion) passwords per second. Let us also assume that the processor in use doubles its performance every two years; therefore, each additional Latin letter of a long password adds about 9 years to an exhaustive key search attack. Staying true to the parameters outlined previously, the following are just a few results of the estimated time to succeed in an attack:

Password Length   |   Cracker Attack     |   Organization Attack
    1                                1 s                             1 s 
    3                                2 s                             1 s 
    5                                30 min                       1 s 
    7                                14 days                      1 s 
    8                                1 year                        1 s 
    9                                10 years                     2 s 
    15                              64 years                     10 years
    19                              100 years                   46 years


With that being said, to the person trying to gain access to my account, I'm positive you're not going to get into my account anytime soon but continue to try as I'm sure you're determined to do so for whatever reason. Lol.

---------------------------------------

1 — I use the word "crack" instead of "hack" because, in my humble opinion, these are two completely different ideologies. A hacker will develop, build, and improve a person, place, and/or anything whereas a cracker will deface, break, and intrude on a person, place, and/or anything.
2 — DDoS or "Distributed Denial-Of-Service": Form of electronic attack involving multiple computers, which send repeated HTTP requests or pings to a server to load it down and render it inaccessible for a period of time.
3 — Salt (cryptography) In cryptography, a salt is random data that is used as an additional input to a one-way function that "hashes" data, a password or passphrase. Salts are closely related to the concept of nonce.
4 —Key Derivation Function (KDF) In cryptography derives one or more secret keys from a secret value such as a master key, a password, or a passphrase using a pseudorandom function. ... Keyed cryptographic hash functions are popular examples of pseudorandom functions used for key derivation.


0

Leave a Comment