Passwords | Entropy and Cracking
Last Updated: 14 Jun, 2022
While navigating the internet we are asked for our login credentials at almost every website we use regularly. One of the most important login credentials is our password, or shall I say passwords, since we have different passwords for different accounts (if you have just realized that you don't have different passwords then please go ahead and change them). This article talks about secure passwords, insecure ones, how to choose a good password and how passwords can be cracked. This article is divided into 3 sections. Let's move on to the first one.
How are passwords stored?
Whenever you create an account on a website and punch in your password, the password that you typed in isn't saved in a database. It is instead run through a pseudo-random function (a hash function), which produces a hash that usually looks like pure gibberish but is actually quite useful in terms of security. Instead of the plain-text password, its hash is stored in the database, so that if the website is hacked and the passwords are leaked online, all you get is gibberish and not the real plain-text password that the user entered when creating his/her account. For example, if our password is 'geeksforgeeks' and we run it through a SHA256 hash function, we get the result as
plain-text password: geeksforgeeks
Result: f8d59362da74ffe833332dc20508f12de6da6a9298c98b3b42873e7298fced78
Whenever a user logs in to the website they enter the same plain-text password on the client side, which is then run through the same hash function, and if that hash matches the one stored in the database then the user is authorized to use that account.
If a different user chooses the same password then a situation called collision occurs due to both the hashes being the same. In such a case an extra bit of plain-text is added to the original password and then it is run through the same hash function, generating a unique hash. In the end both the hash and the extra plain-text are stored in the database to recognize the user in the future.
This method of storing passwords can be made more secure by running them through iterations of different hash functions.
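The storage scheme described above, as an added example that is not from the original article: every password gets a random extra value (a salt) stored beside its hash, and the hash is iterated. It uses PBKDF2-HMAC-SHA256 from Python's standard library in place of "iterations of different hash functions"; the iteration count and salt length are assumed values.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 200_000  # assumed work factor; raise it as your hardware allows
SALT_BYTES = 16       # assumed salt length


def unsalted_sha256(password: str) -> str:
    """Plain SHA-256: identical passwords always give identical hashes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key); both are stored in the user's database row."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every account
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_key)


if __name__ == "__main__":
    # Two users pick the same password.
    print(unsalted_sha256("geeksforgeeks") == unsalted_sha256("geeksforgeeks"))  # same hash
    salt_a, key_a = hash_password("geeksforgeeks")
    salt_b, key_b = hash_password("geeksforgeeks")
    print(key_a.hex() != key_b.hex())                          # different stored records
    print(verify_password("geeksforgeeks", salt_a, key_a))     # login succeeds
    print(verify_password("geeksforgeeks", salt_b, key_a))     # wrong salt fails
```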
Can they be cracked?
Despite taking all precautions and keeping up with the best practices of information security, things could still go wrong. If you are a fan of the show Mr. Robot like me then you must be familiar with the bitter truth that anything can be hacked. Let's say that a website was compromised and all of its users' passwords were leaked on the web, available to you in the form of a text file, but since these passwords were stored in the form of hashes all we got in the text file was gibberish. Now there are two methods to crack these hashes.
- Brute Force Attacks: Most of you must be familiar with this type of attack as it is the most common. As is evident from its name, it tries out all combinations of plain-text passwords, runs them through the hash function and matches the gibberish obtained with the different hashes that are contained in our text file.
You must think that it will take a lifetime to run all permutations through a hash function and then match them with the text file, but what if I told you that the hacker has access to a high-performance server through his computer, and the server uses 4 of the latest NVIDIA graphics cards, which gives it the ability to run 40 billion hashes/second. Now it has only become a matter of seconds.
Now, using software called CUDA HashCat, we can get started with cracking. So let's say we have a file called test.hash containing all the hashes and we want to get all 7 character passwords with lowercase letters; we run the following command.
./hashcat -a 3 test.hash ?l?l?l?l?l?l?l
a stands for attack, 3 is the attack mode, i.e. brute force, and ?l stands for a lowercase letter, so repeating it 7 times means 7 lowercase letters. In a matter of seconds all the combinations whose hash matched those in test.hash will be displayed on screen. If we want to crack passwords with 6 lowercase letters and 2 digits at the end, we have to write this:
./hashcat -a 3 test.hash ?l?l?l?l?l?l?d?d
As the number of characters increases, the attack slows down because the number of combinations increases. That number can be calculated as the number of characters in the character set to the power of the length of the password:
First Example: 26^7
Second Example: 26^6*10^2
As the search base gets bigger it becomes harder to crack these passwords, even for simple hash functions like MD5 or SHA1. In such cases brute force attacks are not feasible and we move on to dictionary attacks.
- Dictionary Attacks: We have a dictionary of commonly used passwords stored in a text file and we try those and match them to the hashes obtained from the site's database. This is much more efficient than brute force. There is a password list called "rock you" which has a collection of millions of such passwords. Let's run such an attack.
./hashcat -a 0 test.hash ./dictionaries/rockyou.dict
0 stands for dictionary attack mode and we provide the path to our dictionary file.
These attacks can be customized by applying a set of rules to the dictionary and then running the hashes. These rules are nothing but the usual variations that people try, thinking that they are making their passwords more secure. It can be replacing I's with 1's or E's with 3's. Let's say you have all your rules stored in a file called myrules.rule; if we run the attack using this file, it will run a series of dictionary attacks, applying one rule at a time to the whole dictionary. For that we need to run the following:
./hashcat -a 0 -r ./rules/myrules.rule test.hash ./dictionaries/rockyou.dict
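A defensive use of the same rules, as an added example that is not from the original article: a sign-up check that undoes the usual substitutions and trailing digits before comparing a new password against a common-password list. The five-entry list and the substitution table are constructed for illustration; a real check would load a full list such as the one mentioned above.

```python
import re
from typing import Optional, Set

# Constructed stand-in for a real common-password list.
COMMON_PASSWORDS = {"password", "iloveyou", "princess", "letmein", "monkey"}

# Reverse of the usual "make it secure" substitutions (I -> 1, E -> 3, ...).
UNLEET = str.maketrans({
    "1": "i", "!": "i", "3": "e", "0": "o", "4": "a",
    "@": "a", "5": "s", "$": "s", "7": "t",
})


def candidate_base_words(password: str) -> Set[str]:
    """Forms of the password a rule-augmented dictionary would also reach."""
    lowered = password.lower()
    # Drop the digits/symbols people append, e.g. "letmein2022" -> "letmein".
    stripped = re.sub(r"[\d\W_]+$", "", lowered)
    forms = {lowered, stripped}
    forms |= {form.translate(UNLEET) for form in forms}
    forms.discard("")
    return forms


def matched_common_password(password: str) -> Optional[str]:
    """Return the dictionary word this password reduces to, or None."""
    hits = candidate_base_words(password) & COMMON_PASSWORDS
    return min(hits) if hits else None


if __name__ == "__main__":
    for attempt in ["P@ssw0rd123", "Pr1nc3ss", "1loveyou!", "correcthorsebatterystaple"]:
        print(attempt, "->", matched_common_password(attempt))
```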
Choosing a strong password
The popular online comic xkcd tried to depict the problem that people have with choosing and remembering passwords through a comic strip.
It talks about password entropy. What is it exactly?
Password Entropy: It is simply the amount of information held in a password. The higher the entropy of a password, the longer it takes to crack. So if you have a 6 character password then the entropy is very low and it can be easily brute forced. If you have a 10 character password with a symbol then you are safe from a brute force attack, but it is still possible to crack it with a dictionary.
The comic strip above talks about "correcthorsebatterystaple" as a possible choice for a password. Since it's 4 words appended together it is 'un-brute-forcable'. Even without using special characters it is a good password because of its high entropy, and it is also difficult to crack with a dictionary, but it's not impossible. Instead of using combinations of characters, we can use a dictionary attack with different combinations of English words.
To make it really secure, take 3 or 4 uncommon English words and stick a special character in the middle of a word; that makes it un-brute-forcable and almost dictionary proof. But if you think that all of it is a pain, then you can just use a good password manager with just one master password to remember.
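The search-space formula from the brute-force section and the entropy definition above, worked through as an added example that is not from the original article. It goes slightly beyond the two masks shown by parsing any mask built from hashcat's built-in character sets; the 2048-word list for the passphrase is an assumption, and the 40 billion hashes/second rate is the article's figure.

```python
import math

# Sizes of hashcat's built-in mask character sets.
CHARSET_SIZES = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95, "h": 16, "H": 16, "b": 256}
RATE = 40e9  # hashes per second, the figure quoted in the article


def mask_keyspace(mask: str) -> int:
    """Number of candidates a mask such as '?l?l?d' generates."""
    total, i = 1, 0
    while i < len(mask):
        if mask[i] != "?":
            i += 1  # literal character: exactly one choice
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        token = mask[i + 1]
        if token == "?":
            pass  # '??' is a literal question mark
        elif token in CHARSET_SIZES:
            total *= CHARSET_SIZES[token]
        else:
            raise ValueError(f"unsupported placeholder ?{token}")
        i += 2
    return total


def passphrase_keyspace(wordlist_size: int, words: int) -> int:
    """Candidates when the guesser combines whole words instead of characters."""
    return wordlist_size ** words


def entropy_bits(keyspace: int) -> float:
    return math.log2(keyspace)


def seconds_to_exhaust(keyspace: int, rate: float = RATE) -> float:
    return keyspace / rate


if __name__ == "__main__":
    cases = {
        "7 lowercase": mask_keyspace("?l" * 7),
        "6 lowercase + 2 digits": mask_keyspace("?l" * 6 + "?d?d"),
        "25 lowercase, char by char": mask_keyspace("?l" * 25),
        "4 words from 2048 (assumed list)": passphrase_keyspace(2048, 4),
    }
    for label, space in cases.items():
        print(f"{label}: {entropy_bits(space):.1f} bits, {seconds_to_exhaust(space):.3g} s")
```

The last two rows describe the same 25-letter passphrase measured two ways, which is why its strength depends on how many words the guesser has to choose from and not on its character count.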