Cracking Dictionaries

WHAT YOU NEED TO KNOW

Passwords are the standard authentication factor across sites and systems, but how we deal with passwords has changed over time.

Today, password hashing is a critical security measure organizations should leverage to protect passwords. Because many organizations leverage password hashing to protect passwords, cracking dictionaries have evolved to crack those password hashes.

Here is a quick overview.

1 What Are Cracking Dictionaries?

Cracking dictionaries are large lists of data, often cleartext strings, that can be used to crack passwords. These lists can include words in the form of dictionary words, common passwords, iterations of common passwords, and exposed passwords. They can also contain passwords that used to be hashed but have been subsequently cracked because they were stored in a weak password hashing algorithm.

As data breaches and password exposure increases year-over-year, more-and-more dictionaries of reverse- engineered hashed passwords are emerging.

7 Cracking Dictionaries & Passwords Explained

Passwords have been a common In the digital age, as major data feature of the internet landscape since breaches are happening almost daily, its inception, and until recently, they cybercriminals can get access to more were the only thing protecting your passwords and are able to crack data. password hashes faster as technology advances. Cybersecurity experts recommend multi-factor account protection with Why Cybercriminals Prefer to Use things like biometrics, authenticators, Password Cracking Dictionaries and two-factor authentication, but many people still do not turn on MFA if This is where cracking dictionaries can it is optional because it takes longer to offer a benefit. Bad actors can use access their account. MFA is not a entire databases of pre-cracked standard for many websites and many passwords, common passwords, internal systems. Passwords are still leaked passwords, and standard the standard authentication factor dictionary words to try and hack into because no other method has proven an account, without the time and to be easier yet, while also being more complexity of a social engineering secure. attack. This type of attack is quick, so the victim often won't know of the How we deal with passwords has also unauthorized access until it's already changed over time. Ten or fifteen years too late. ago, it wouldn't have been unusual to walk past a colleague's computer and see a post-it note with their password scribbled on it stuck to their screen. Such a huge security mishap may seem shocking today, but it was common in a time when data breaches were rare and cybersecurity awareness was lacking.

6 Over the years, cybercriminals have But these dictionaries can also be developed a good understanding of useful for standard brute force attacks what a typical password looks like, and and password spraying attacks. they conduct their attacks based on this information. With a cracking • A dictionary can make a typical dictionary, attackers apply the list of brute force attack easier. In a brute cracked passwords against a system force attack, an attacker tries to and try to gain access. attempt all possible combinations of a password to gain access to an • This is called a dictionary attack, account. It makes brute force which is a form of a brute force attacks easier because it reduces attack. A dictionary attack is where the number of possible the attacker, instead of trying all combinations. It also can increase possible combinations, tries the success ratio by using password from a dictionary file. commonly used password The file will have some of the most combinations. commonly used passwords and iterations to those passwords since • A dictionary can also make a so many people use similar password spraying attack easier. passwords to their old passwords. Password spraying is an attack that attempts to access a large number of accounts with usernames and pairs them against a few commonly used passwords. With a dictionary, it is possible for attackers to identity the most common passwords and attempt to use those passwords in a password spraying attack.

6 How Ethical Hackers Use Password How Data Breaches Make the Cracking Dictionaries Problem Worse

However, it's not just hackers who use According to Forbes, just the first half cracking dictionaries, legitimate of 2019 saw 3,800 publicly disclosed security professionals do as well. data breaches, amounting to 4.1 billion Ethical hackers can also use this data exposed records. What makes these to break hashing algorithms and figures even more alarming is that the conduct controlled data breaches to number of breaches in 2019 increased demonstrate how insecure a system by 54% compared to the previous is. This often happens in a year. The problem is, with each professional setting, but there are also additional breach, more valuable data hash cracking websites available goes into the hands of these bad online where you can put in a hashed actors. version of a password, and it will crack it, telling you the password. When a large company has their login credentials stolen, cybercriminals now have a huge set of data that provides Example password: Chocolate1 them insights, such as which Hash in SHA1: passwords are the most popular, for 2285F929D38932996BD99687EB example, which sports team names BD732EA3B18AED become common passwords in that area, and so on. These passwords get Putting this hash into the website added to dictionaries. This data is still CrackStation, it returned the password extremely valuable even when the almost instantly. password has been hashed.

These websites use huge dictionaries of hashed data, some of this data is hashed common passwords, some is dictionary words, some is entire Wikipedia articles, and so on. For the SHA1 and MD5 hashes alone, CrackStation has a lookup table with 15 billion entries.

6 Password hashing has long been How Can Organizations Secure considered a secure way of storing Passwords and Make Passwords passwords. Hashing involves taking Harder to Crack? the native password, for example, "Yellow3", and converting it into a One way to protect your password is string of numbers and letters of a fixed to make it more difficult to crack. length. Hashing algorithms are • Passwords should always be designed to be difficult to crack and stored in strong password hashing difficult to reverse engineer. All algorithms and they should be hashing algorithms are deterministic, salted. which means if you input the same • Longer passwords help value, you'll always get the same significantly because the longer the hashed output. However, they are also password, the more computational designed so that changing a single time and energy it takes to crack a character the resulting hash will look password. completely different. This element of • Weak passwords are easily their design makes them considerably discovered by hackers so should more difficult to reverse engineer, but be completely avoided. A password the only thing standing in an attacker's will be considered weak if it is a way is a large set of data and a word picked out of a dictionary or a powerful computer. common pattern on a keyboard, such as "Qwerty123". These This is largely why data breaches are passwords are risky because you becoming so prevalent and increasing can almost guarantee that a each year. Powerful computers and hacker will already know of that computer components are becoming password and have it listed in a increasingly affordable and as more table. This is true even if a hashed passwords are exposed, password is hashed. hackers get better at reverse- • If your users use common words engineering these passwords. When and common leetspeak quantum computing becomes more substitutions, then organizations mainstream, it will become even easier should assume that the hashed to reverse engineer hashes. form of those passwords have been cracked. It's the desire for an easy to remember password and the illusion of it being unique that drives so many people to choose weak passwords.

6 A strong password policy can help • Adding a ‘salt’ to your password organizations create harder-to-crack hash. A salt is a random string of passwords. There are many different numbers added to a password to policies and recommendations around make it more unique and give it a what makes a strong and safe different hash. password, but here are some common • When possible, implement MFA features of a strong organizational but make sure that if the MFA password policy: includes a password factor, that the password is secure with the • Do not allow users to reuse above items. compromised or exposed passwords. Lastly, password monitoring can help • Require 16+ characters in a organizations determine whether you password. The longer the have a strong password or not. password the difficult and time- Password screening software will scan consuming it is to crack. your password and compare it to • Most security professionals known common passwords, or recommend using a 4-word passwords that have been exposed passphrase because it is easy to previously. If password monitoring remember and long (such as: tools indicate that a password has OceanTogetherHappyFace) been exposed in a previous data • Recommend to your users that breach, is a known password, or they should not use ties to their appears on password blacklists; then personal information in their you should assume that hackers will password. try that password and have potentially • Do not allow users to use context- already cracked the hash for it. specific passwords, such as the company or product name. • Prevent users from selecting common passwords. • Enforce password similarity blocking. Block passwords that are too similar to old passwords- these are very easy for attackers to guess.

6