Passwords are by far the most common type of user authentication.
they are popular because the theory makes
perfect sense to individuals and is reasonably simple to implement for developers.
on the other hand poorly constructed
passwords can pose security flaws.
A well-designed password-based authentication
process does not save the user's actual password.
This would make it far too simple
for a hacker or a malevolent insider to access all of the system's user
accounts.
We will learn how to crack passwords
and simultaneously try to make your passwords as brute force resistant as
possible.
1 – What is password tracking?
2 – Techniques of password cracking
3 – Password creaking tools
4 – Protection against hackers
1 – What is Password Tracking?
password cracking is the process of identifying
an unknown password to a computer or network resource using a program code.
It can also assist a threat actor in
gaining illegal access to resources.
malicious actors can engage in
various criminal activities with the information obtained through password
tracking.
The procedure might entail comparing
a set of words to guest credentials or using an algorithm to guess the password
repeatedly,
Password tracking can be done for
several reasons,
But the most malicious reason is in
order to gain unauthorized access to a computer without the owner's awareness this
results in cyber crime,
Similar as stealing paswards for the purpose of penetrating banking information,
othernon-malicious reasons for word
cracking do when someone has lost or forgotten a password,
another example of non-malicious password
cracking,
may take place if a system
administrator is conducting tests on password strength as a form of security
test,
this enables so that the hacker
cannot easily access protected systems,
the best way that users can protect
their passwords from cracking is to ensure that they choose strong passwords,
generally watchwords must contain a
combination of mixed case arbitrary letters integers and symbols,
strong passwords should never be actual
words in addition strong passwords are at least eight characters long in many password
protected applications users are notified of the strength of the password they
have chosen upon entering it,
the user can then modify it and strengthen
the password based on the indications of its strength.
2 – Techniques of password cracking
Asking the customer for their
password
is simple approach to hacking
1
– Phishing
A phishing email directs the unwary
reader to a counterfeit login page linked with whatever service the hacker
wants to access,
generally by demanding the user fix
some critical security flaw or aid in a database reset,
that page then captures their
password which the hacker can subsequently exploit for their own purpose.
2
– Social Engineering
Social engineering influences the
victim to get personal information such as bank account numbers or passwords.
the strategy is popular among hackers
because they realize that humans are the gateway to vital credentials and information,
through social engineering the
employee tried and true tactics to exploit and influence age-old human
tendencies.
rather than devising novel means to breed
secure and advanced technologies.
it has been demonstrated that many
firms either lack adequate security or are overly friendly and trustworthy even
they should not be,
they allow granting access to
critical facilities based on a uniform or a sob story,
3
– Dictionary Attack
A hacker searches a password
dictionary for the correct password in the case of a dictionary attack,
password dictionaries cover many
themes and of mixture of topics such as,
politics
movies and
music groups
user's failure to create a strong
password is why this approach efficiently cracks passwords till today.
simply said this assault employs the
same terms that many individuals use as passwords,
a hacker can compare the password
hash obtained to hashes of the password dictionaries to find the correct plain
text password.
4
– Rainbow Table
Now that the passwords have been
hashed the hackers attempt to achieve authentication by breaking the password hash,
they accomplish this by applying a rainbow
table which is a set of precomputed hashes of portable password combinations,
hackers can use the rainbow table to
crack the hash resulting in guessing your password,
As a result it retrieves the
password hash from the system and eliminates any need to break it,
Furthermore it does not necessitate
the discovery of the password itself.
The breach is accomplished if the
hash matches,
5
– Brute Force
In a brute force assault the
attacker attempts multiple password combinations until the correct one is
identified,
The attacker uses software to
automate this process and run exhaustive password combination in a
substantially shorter length of time.
With the growth of hardware and technology
in recent years such programs have been invigorated.
It won't be quick if your password
is more than a few characters lengthy but,
it will eventually reveal your
password.
Brute force assaults can be sped up
by throwing more processing resources at them.
3 – Password Creaking Tools
With so many different techniques
coming together to correct passwords none of them are useful without the right
tools,
there are a plethora of scripts and snippets
of code that can retrieve passwords from either encrypted storage or from the
hash digest.
let's go through some of these tools
Kane
and Able
Kane and able is a password recovery
tool for microsoft operating systems,
it allows easy recovery of various
kinds of passwords by sniffing the network cracking encrypted passwords using dictionary
brute force and crypt analysis attacks.
Recording vibe conversations,
Decoding scrambled passwords,
Recovering wireless network keys etc,
are some of the other features of k
enable,
lot of new features like,
arp poison routing which enables
sniffing on switched lands and man-in-the-middle attacks,
the sniffer in this version can also
analyze encrypted protocols such as ssh1 and https,
while containing filters to capture
credentials from a wide range of authentication mechanisms.
it also ships routing protocol authentication
monitors and route extractors,
dictionary and brute force crackers
are also present along with common hashing algorithms and several specific authentications
password hash calculators and other features.
john
the ripper
john the ripper is a password
tracking application that was first released in 1996 for unix-based computers.
it was created to evaluate password strength
brute force encrypted hash passwords and break passwords using dictionary
attacks.
it can use dictionary attacks
rainbow tables and other attacks depending on the target type.
rainbow
crack
rainbow crack is a password tracking
application that uses time memory trade-off algorithm to crack password hashes
with rainbow tables.
rainbow tables make password
cracking more easier and faster than traditional brute force attacks,
it is like a wordbook containing nearly
every possible password and the pre-calculated hashes.
Treating this kind of dictionary
takes much more time than cracking a single hash but after that you can use the
same dictionary over and over again.
this procedure might take a long
time however once the table is ready it can break passwords far quicker than
brute force methods.
4 – Protection against hackers
with so many tools ready to nab our passwords
there are certain set of rules users can follow to protect their credentials
from being compromised.
let's cover some of these guidelines,
Longer passwords are required making
the brute force mechanism tougher to implement.
Longer passwords and passphrases
have been demonstrated to boost security significantly,
However it is still critical to
avoid lengthier passwords that have previously been hacked or that feature
often in cracking dictionaries.
This password policy encourages
users to establish passwords that do not contain personal information,
As previously said most users create
passwords utilizing personal information such as hobbies nicknames pet or
family member names etc,
if a hacker has access to personal information
about a specific user for,
example via social media they will
test password combinations based on that knowledge.
password regulations should compel
users to distinguish between security and convenience.
users should be prohibited from
using the same password for all services,
password sharing between users
including those who work in the same department or use the same equipment
should be avoided,
A single breached password doesn't affect
your other accounts with this policy.
some password regulations
necessitate the creation of a pass phrase rather than a password.
while passphrases serve the same objective
the length make them more difficult to break.
in addition to letters a good pass should
include numbers and symbols.
passwords may be easier for users to
remember than pass phrases,
however the latter is much more
breach resistant
two-factor authentication or 2fa can
help secure an online account or even a smartphone.
2fa does this by asking the user to provide
two forms of information,
a password or a personal
identification pin and a code texture to the user's,
smartphone or a fingerprint before accessing
whatever is secured.
this helps discourage unauthorized entries
to an account without the original owner's permission.