Wednesday, February 12, 2025

How to try cracking the password yourself to check password strength

This article tests 3 different passwords with an open source password cracking tool to find out what really works when it comes to password security.

What is password cracking?

When you create an account with an online service, the provider typically does not store your password as written. Instead, it runs the password through an algorithm to generate a “hash”, a seemingly random string of letters and numbers. Of course, it's not truly random, but a very specific string of characters derived from your password; to the layman, though, it looks like a mess.

Turning a word into a hash is much faster and easier than “decoding” the hash into a word again. So when you set a password, the service you're logging into runs your password through a hash function and then stores the result on its servers.

If this password file is leaked, hackers will try to find out its contents by cracking the passwords. Since hashing a password is faster than reversing a hash, hackers set up a system that takes potential passwords as input, hashes them using the same method as the server, and then compares the results with the leaked password database.

If a potential password's hash matches any entry in the database, the hacker knows that every matching entry uses the potential password that was tried.
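The hash-and-compare process described above, seen from the side of someone auditing their own password store, next to a salted, deliberately slow alternative. This is an added example, not code from the original article; the function names, the sample accounts, the short candidate list and the choice of PBKDF2 with 600,000 iterations are all assumptions made for illustration.

```python
import hashlib
import hmac
import os


def md5_hex(password):
    """Unsalted MD5, the storage scheme this article tests against."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def audit_md5(stored, candidates):
    """Return {account: password} for every stored hash a candidate reproduces."""
    by_hash = {md5_hex(c): c for c in candidates}  # each guess is hashed once
    return {acct: by_hash[h] for acct, h in stored.items() if h in by_hash}


def kdf_record(password, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256 record: (salt, iterations, derived key)."""
    salt = os.urandom(16)  # fresh per account, so equal passwords differ
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, key


def kdf_verify(password, record):
    """Recompute the key with the stored salt and compare in constant time."""
    salt, iterations, key = record
    guess = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(guess, key)


# Constructed sample data: two accounts that happen to share a password.
STORED_MD5 = {
    "alice": md5_hex("123456"),
    "bob": md5_hex("123456"),
    "carol": md5_hex("kept-out-of-the-wordlist"),
}
CANDIDATES = ["password", "123456", "qwerty"]  # stand-in for a real wordlist

if __name__ == "__main__":
    # One hashed guess exposes every account that shares the password.
    print(audit_md5(STORED_MD5, CANDIDATES))
    first, second = kdf_record("123456"), kdf_record("123456")
    # Same password, different salts: the stored keys no longer match each other.
    print(first[2] != second[2], kdf_verify("123456", first))
```

With unsalted MD5 a single guess is checked against every account at once; with a per-account salt and a slow key-derivation function each guess has to be recomputed for each account at full cost.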

How to crack your own password using Hashcat

Let's try cracking some passwords created for this article to see how easy it is. The examples use Hashcat, a free and open source password cracking tool that anyone can use.

These tests crack the following passwords:

  • 123456: A classic password and a cybersecurity nightmare, 123456 is the most commonly used password in the world. NordPass calculated that 3 million accounts used 123456 as their password, of which 1.2 million protected corporate-level accounts.
  • Susan48!: A password that follows the patterns that most users would use to create secure passwords. This generally meets the criteria for basic password protection, but as we will explore later, it has some important weaknesses that can be exploited.
  • t9^kJ$2q9a: A password generated using Bitwarden's tool. It is set up to generate passwords that are 10 characters long using upper and lower case letters, symbols, and numbers.

Now let's hash the passwords with MD5. This is how the passwords would appear in a stored password file:

  • 123456: e10adc3949ba59abbe56e057f20f883e
  • Susan48!: df1ce7227606805745ee6cbc644ecbe4
  • t9^kJ$2q9a: 450e4e0ad3ed8766cb2ba83081c0a625

Now, it's time to crack them.

Perform a simple crack using the Dictionary Attack method

To start, let's perform a Dictionary Attack, one of the most popular password attack methods. This is a simple attack in which the hacker takes a list of potential passwords, asks Hashcat to convert them to MD5, and sees if any of them matches the 3 entries above. This test uses the file “rockyou.txt” as its dictionary, which comes from one of the biggest password leaks in history.

To start cracking, go to the Hashcat folder, right-click on an empty space and click Open in Terminal. Now that Terminal is open and set to the Hashcat directory, call the Hashcat application with the following command:

.\hashcat -m 0 -a 0 passwordfile.txt rockyou.txt -o results.txt

Here's what the command does:

  • .\hashcat: Calls Hashcat.
  • -m 0: Determines the hash type to use. This case uses MD5, which is listed as 0 in the Hashcat help documentation.
  • -a 0: Determines the attack you want to perform. The Hashcat help documentation lists Dictionary Attack as zero, so we call it here.
  • passwordfile.txt rockyou.txt: The first file contains the 3 hashed passwords we set up earlier. The second file is the entire rockyou password list.
  • -o results.txt: This option determines where the results go. In the command, it puts the cracked passwords into a TXT file named “results”.

Even though rockyou is huge in size, Hashcat processed all of them in 6 seconds. In the resulting file, Hashcat said it had cracked password 123456, but the Susan and Bitwarden passwords had not been cracked yet. That's because 123456 was used by someone else in the rockyou.txt file, but no one else used the Susan or Bitwarden passwords, meaning they were secure enough to survive this attack.


Perform a more complex crack using masked Brute Force attacks

Perform a Brute Force attack using Hashcat

Dictionary Attacks are effective when someone uses the same password as one found in a large password list. They are quick and easy to do, but they cannot crack passwords that are not in the dictionary. Therefore, if you really want to test your password, you need to use Brute Force attacks.

If Dictionary Attacks are just taking a pre-set list and converting them one by one, then Brute Force attacks do the same but with every conceivable combination. They are harder to do and take more time, but they will eventually crack any password. As we will soon see, that ability can sometimes take a lot of time.

Here is the command used to perform a “real” Brute Force attack:

.\hashcat -m 0 -a 3 target.txt --increment ?a?a?a?a?a?a?a?a?a?a -o output.txt

Here's what the command does:

  • -a 3: This option defines the attack we want to perform. The Hashcat help documentation lists Brute Force attacks as number 3, so it's called here.
  • target.txt: The file containing the hashed password we want to crack.
  • --increment: This option tells Hashcat to try all passwords that are one character long, then two, then three, etc. until it finds a result.
  • ?a?a?a?a?a?a?a?a?a?a: This is called a “mask”. A mask allows us to tell Hashcat which characters to use in which position. Each question mark designates a character position in the password, and the letter specifies what we try in each position. The letter “a” represents upper and lower case characters, numbers and symbols, so this mask says “Try everything in each position”. This is a terrible mask, but we'll put it to good use later.
  • -o output.txt: This option determines where the results go. The example command puts the cracked passwords into a TXT file named “output”.

Even with this terrible mask, password 123456 was still cracked within 15 seconds. Despite being the most common password, it is one of the weakest.

The password “Susan48!” fared much better: the computer said it would take 4 days to crack. However, there's a problem. Remember when the article said that Susan's password had some serious flaws? The biggest mistake is that the password is constructed in a predictable way.


When creating a password, we often place specific components in specific locations. You can imagine that the password's creator, Susan, tried using “susan” at first but was asked to add capital letters and numbers. To make it easier to remember, she capitalized the first letter and added numbers at the end. Then perhaps a login service requested a symbol, so she appended it to the end.

As such, we can use masks to tell Hashcat to only try specific characters at specific locations, exploiting how predictable people are when creating passwords. In this mask, “?u” will use only uppercase letters at that position, “?l” will use only lowercase letters, and “?a” represents any character:

.\hashcat -m 0 -a 3 -1 ?a target.txt ?u?l?l?l?l?a?a?a -o output.txt

With this mask, Hashcat cracked the password in 3 minutes and 10 seconds, much faster than 4 days.

The Bitwarden password is 10 characters long and does not use any predictable pattern, so a Brute Force attack without any mask must be performed to crack it. Unfortunately, when Hashcat was asked to do that, it threw an error saying that the number of possible combinations exceeded the integer limit. IT security experts say Bitwarden passwords take 3 years to crack, so that should be enough.
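The arithmetic behind the mask results above, as an added example that is not part of the original article and is not Hashcat code: it counts the candidates each mask generates and checks whether a given password falls inside a mask. The function names are hypothetical, only the ?l, ?u, ?d, ?s and ?a charsets are handled, and treating the “integer limit” as an unsigned 64-bit counter is an assumption.

```python
# Added example: keyspace arithmetic for Hashcat-style masks (not Hashcat code).
CHARSETS = {
    "l": "abcdefghijklmnopqrstuvwxyz",
    "u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "d": "0123456789",
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
}
CHARSETS["a"] = CHARSETS["l"] + CHARSETS["u"] + CHARSETS["d"] + CHARSETS["s"]
U64_MAX = 2**64 - 1  # assumption: the "integer limit" is an unsigned 64-bit counter


def parse_mask(mask):
    """Return one string of allowed characters per password position."""
    positions, i = [], 0
    while i < len(mask):
        if mask[i] != "?":
            positions.append(mask[i])       # literal character in the mask
            i += 1
            continue
        key = mask[i + 1:i + 2]
        if key == "?":
            positions.append("?")           # "??" is a literal question mark
        elif key in CHARSETS:
            positions.append(CHARSETS[key])
        else:
            raise ValueError(f"unsupported or missing charset after '?': {key!r}")
        i += 2
    return positions


def keyspace(mask):
    """Number of candidates a full run of this mask has to try."""
    total = 1
    for allowed in parse_mask(mask):
        total *= len(allowed)
    return total


def fits(mask, password):
    """True if the password would be reached by this mask."""
    positions = parse_mask(mask)
    return len(positions) == len(password) and all(
        ch in allowed for ch, allowed in zip(password, positions))


if __name__ == "__main__":
    for mask in ("?a" * 8, "?u?l?l?l?l?a?a?a", "?a" * 10):
        n = keyspace(mask)
        print(f"{mask:22} {n:.3e} candidates, exceeds u64: {n > U64_MAX}")
    print(fits("?u?l?l?l?l?a?a?a", "Susan48!"), fits("?u?l?l?l?l?a?a?a", "t9^kJ$2q9a"))
```

The structured mask covers roughly 651 times fewer candidates than eight positions of ?a, while ten positions of ?a come to 95^10, which is larger than 2^64.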

How to keep your account safe from password cracking

The main factors that kept the article from cracking the Bitwarden password are its length (10 characters) and unpredictability. Therefore, when creating a password, try to make it as long as possible and distribute symbols, numbers and capital letters evenly throughout the password. This prevents hackers from using masks to predict the location of each element and makes the password much harder to crack.

You may already know the old password maxims like “use an array of characters” and “make it as long as possible”. Hopefully you know why people recommend these helpful tips – they're the main difference between a password that's easy to crack and a password that's secure.
