Expert advice on the business of running a garment decoration company

Q&A

What are password crackers and how can I protect my business from them?

Cracking a password may seem like a next to impossible task, but you’d be surprised how easy it can be. There are dozens of password cracking programs on the market, each with their own special recipe, but they all basically do one of two things: create variations from a dictionary of known common passwords or attempt every possible combination using a method called a brute force attack.

Professional password crackers aren’t looking to log in to your PayPal account. That process is slow to begin with, and most services will lock out repeated login attempts anyway. Rather, the pros work against password files that they download from breached servers. These files are usually easy to access from the root level of most server operating systems or are maintained by individual applications. These files may be protected with weak encryption algorithms, which are not much of an impediment to the determined hacker.

Once criminals obtain a password list, they can take as many shots as they like to break it. Their goal generally isn’t to crack an individual password, but to run tests against the entire file, knocking down their targets one by one. Modern graphics hardware makes this incredibly fast. For example, some commercial products can test trillions of passwords per second on a standard desktop computer using a high-end graphics processor.

Dictionary crack

This technique uses lists of known passwords, word list substitution and pattern checking to find commonly used passwords, or those that are discoverable with a bit of personal information. It isn’t difficult to find lists of compromised passwords. Sites like PasswordRandom.com publish them, and many large lists are available on the dark web at little cost. A criminal can probably unlock 10% to 20% of a password file using just the 10,000 most common passwords. In fact, it has been estimated that about 75% of online adults have used one or more of the 500 most popular passwords.

After decrypting the password file, a dictionary attack uses text strings and variations thereof to test different combinations. If a user named Robert has the password “Robert123,” a dictionary attack will figure that out in seconds. The software simply cycles through every possible combination to identify the ones that work.

If a little information is known about people in the database, the job is even easier. Social media is an attacker’s dream.

Brute force crack

This is just what it sounds like: a technique to reveal those stubborn passwords that can’t be unlocked by a dictionary. Today’s multi-core processors and graphics processing units have made brute force tactics more practical than they used to be. Machines that can be purchased for less than US$1,000 are capable of testing billions of passwords per second. Short passwords are easiest to guess, so attackers typically use brute force tactics to unscramble the five- and six-character passwords that didn’t yield to the dictionary approach, a process that might only take a few hours. For longer passwords, brute force and dictionary techniques may be combined to narrow the realm of possible combinations.

Password management

The biggest problem with password protection is that many people don’t use strong passwords. The laws of mathematics dictate that longer passwords are harder to break than short ones, and passwords that contain random combinations of characters are more secure than those that conform to a known pattern. A 13-digit password that mixes alphanumeric characters and punctuation symbols is considered impractical to break with today’s technology.

Unfortunately, few people can remember a random 13-digit string of characters, much less multiple strings for different logins. Equally unfortunate – from a security perspective – is that computers are getting faster and cracking algorithms are getting better.
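The arithmetic behind the advice above, as an added Python example that is not code from this column or from Keeper: it checks a candidate password the way a sign-up form might, rejecting entries from a common-password list, entries derived from the username (the “Robert123” case), and entries whose keyspace a brute-force rig would exhaust quickly. The common-password list is a constructed stand-in, and the guess rates are the billions- and trillions-per-second figures quoted in the text.

```python
import string

# Constructed stand-in for a breach-derived list; a real check would load a large one.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "robert123"}

# Guess rates quoted in the column: ~1e9/s for a sub-US$1,000 rig, ~1e12/s for a high-end GPU.
RATE_CHEAP_RIG = 1e9
RATE_HIGH_END_GPU = 1e12
ONE_YEAR_SECONDS = 365 * 24 * 3600


def charset_size(pw: str) -> int:
    """Size of the smallest mix of character classes that covers the password."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable punctuation characters
    if any(c.isspace() for c in pw):
        size += 1
    return size


def brute_force_seconds(pw: str, rate: float) -> float:
    """Worst-case seconds to try every string of this length over this character mix."""
    return charset_size(pw) ** len(pw) / rate


def derived_from_username(pw: str, username: str) -> bool:
    """True when the password is the username plus at most four extra characters."""
    p, u = pw.lower(), username.lower()
    return bool(u) and u in p and len(p) - len(u) <= 4


def check_password(pw: str, username: str = "") -> dict:
    """Policy check: returns whether the password is acceptable and why not."""
    reasons = []
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("appears in common-password list (dictionary attack)")
    if derived_from_username(pw, username):
        reasons.append("derived from username (dictionary attack with personal info)")
    gpu_seconds = brute_force_seconds(pw, RATE_HIGH_END_GPU)
    if gpu_seconds < ONE_YEAR_SECONDS:
        reasons.append(f"brute-forceable in {gpu_seconds:.0f} s at 1e12 guesses/s")
    return {"ok": not reasons, "reasons": reasons, "gpu_seconds": gpu_seconds}
```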

This is where password management software is valuable. Password managers store passwords of any length and can regularly generate new passwords without the user having to bother to remember them. They can also be protected by two-factor authentication, which is considered to be almost unbreakable in any context.

Darren Guccione is CEO and co-founder of Keeper Security Inc, creator of Keeper, a popular password manager and secure digital vault that uses military-grade encryption.
www.keepersecurity.com