Password Cracking 101: Attacks & Defenses Explained

Password Cracking Defined

Password cracking (also called password hacking) is an attack vector in which attackers attempt to crack or determine a password for unauthorized authentication. Password hacking uses a variety of programmatic techniques, manual steps, and automation built on specialized tools to compromise a password. These tools are referred to as ‘password crackers’. Increasingly, they leverage AI to improve cracking speed and efficiency. Passwords can also be stolen by other tactics, such as memory-scraping malware, shoulder surfing, third-party breaches, and infostealers like the Redline password stealer.



A password can refer to any string of characters or secret used to authenticate an authorized user to a resource. Passwords are typically paired with a username or other mechanism to provide proof of identity. This combination is referred to as credentials.


Compromised passwords are involved in most breaches today. Google Cloud’s 2023 Threat Horizons Report found that 86% of breaches leveraged stolen credentials, and the IBM X-Force Threat Intelligence Index 2024 reported a 71% year-over-year increase in the volume of attacks using valid credentials. This reflects attackers shifting from traditional vulnerability exploits to identity-based attacks as the identity attack surface has multiplied and grown sharply in complexity.


When a compromised account has privileges, the threat actor can easily circumvent other security controls, perform lateral movement, and compromise other passwords. This is why highly privileged credentials are the most important of all credentials to protect. With that said, almost any identity today will have some path to privilege via various SaaS accounts, blurring the definition of what a privileged identity means today.

This in-depth blog highlights password vulnerabilities and risks that give attackers an edge, and provides an overview of password cracking motives, techniques, tools, and defenses.


Passwords: A Brief History Lesson

Humans have relied on passwords since the early days of civilization. A “pass word” was a word that allowed its bearer to pass a security checkpoint, and the practice dates back to the Roman Empire. Unlike today, the password was the same for everyone. It wasn’t proof of identity, but tantamount to role-based access control: it represented a ‘claim’ that you were authorized to access the resource, but it could not validate who you actually were. The weakness of this method is that it relies entirely on everyone who knows the password keeping it secret.

Passwords have long been recognized as the Achilles’ heel of identity security, and the death of the password and the emergence of a passwordless future has been predicted for decades. Yet, the number of enterprise identities is on a vertiginous climb, primarily driven by the explosion of machine identities. A Venafi study estimated the number of machine identities at 250,000 per enterprise, following a 41% year-over-year increase. Various other studies in recent years have estimated machine identities outnumber human ones by a ratio of several dozen to 1.

While passwordless approaches are gaining momentum, they remain niche for modern systems, are difficult to adapt to legacy technology, and often retain password-like characteristics themselves. One welcome shift, however, is that a password is now less likely to be the sole security mechanism, thanks to technology like biometrics and multifactor authentication (MFA).



Understanding Password Hacking Psychology

Valid credentials (username and password) enable a typical user to authenticate against a resource. If a username is known to threat actors, obtaining the account’s password becomes a hacking exercise.

Often, a threat actor will first target a systems administrator since their credentials may have privileges to directly access sensitive data and systems. Such privileged credentials enable the cybercriminal to move laterally, while arousing little or no suspicion, and even compromise other accounts to maintain persistence. Once a threat actor has compromised credentials, everything privileged to that account is now fair game for the attacker.

Credentials compromised for the most sensitive accounts (domain, database administrator, etc.) can be a “game over” event for some companies. Those accounts, and their credentials, are a prime attack vector for privilege escalation attacks.

Attackers Have the Advantage

Attackers typically hold at least two advantages over defenders:

1. Time on their hands, as they often take a scatter-gun approach to gaining access versus an all-at-once attack that may trip multiple security alarms.

2. Automated password cracking toolsets, increasingly powered by machine learning (ML) and AI, that autonomously run the attack using techniques designed to avoid detection.

Password crackers can try passwords at a slow, measured pace to avoid triggering account lockouts on individual accounts. If a password cracker only tries one password every 10 minutes per account, working through 100,000 passwords will take a long time. Sensibly, the attacker instead tries each password against every account they know of, potentially in random order (a spray attack). This approach is effective because few systems track password attempts across accounts. Even when Security Information and Event Management (SIEM) or User and Entity Behavior Analytics (UEBA) systems are active, the defensive actions available are limited. You can’t lock out every account. Blocking the source IP address simply results in a new IP taking up the attack, if the attack isn’t already distributed across hundreds, or even thousands, of IP addresses.


The optimal defense against this kind of attack is simply to not use a password that appears on the list. Frequent password changes trigger our laziness, so “password” becomes “p@ssw0rd” and then “Password!”. Every password cracker is aware of these poor password practices. Replacing letters with numbers and symbols is equally predictable: 3 for E, 4 for A, @ for a. Password cracking tools prepare for these common variations.
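A policy check that reverses those predictable substitutions before comparing against a banned list catches “p@ssw0rd”, “Passw0rd2024” and username-derived passwords as the same weak base word. This is an added example, not code from the original post; the banned words and the substitution table are constructed for illustration.

```python
import re

# Constructed banned base words for illustration; a real policy check would use a
# breached-password corpus (for example, a Pwned Passwords export) instead.
BANNED_BASE_WORDS = {"password", "welcome", "letmein", "qwerty", "summer"}

# Substitutions the text calls out (3 for E, 4 for A, @ for a) plus the other
# swaps that cracking rule sets routinely apply (0/o, 1/i, 5/s, $/s, 7/t, |/l).
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "0": "o", "1": "i",
    "5": "s", "$": "s", "7": "t", "|": "l",
})

def normalize(candidate: str) -> str:
    """Collapse a candidate to the base word a mangling rule would start from:
    lower-case it, strip leading/trailing digits and symbols ('2024', '!'),
    then undo the character substitutions."""
    base = candidate.lower()
    base = re.sub(r"^[^a-z]+|[^a-z]+$", "", base)
    return base.translate(LEET_MAP)

def is_predictable(candidate: str, username: str = "") -> bool:
    """True when the candidate reduces to a banned word, contains one, or is
    derived from the account's own username (local part of an e-mail address)."""
    base = normalize(candidate)
    if not base:
        return True  # only digits/symbols survived: treat as predictable
    if any(word in base for word in BANNED_BASE_WORDS):
        return True
    local = normalize(username.split("@")[0]) if username else ""
    return len(local) >= 4 and local in base
```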

Attackers seek to learn basic information about the password policy, such as minimum and maximum password length and complexity requirements. For example, must the password contain upper-case and lower-case letters, numbers, symbols, or some combination? Attackers are also interested in restrictions placed on passwords. These parameters could include:

Including an upper-case letter

Not starting with a number or symbol

Needing a minimum number of a particular character type or language

By restricting which characters may appear and where, these password generation controls reduce the number of combinations the attacker must consider and thus undermine a password’s effectiveness. Password hacking tools have options to define these restrictions to expedite the attack.

For individual users and personal accounts, it’s unlikely this kind of attack is successful. Attacks on a single account are likely to trigger a lock-out. A brute-force attack at a low velocity could literally take forever to find the right login combination, even for relatively short passwords.

Password hacking tools are ideal for automated password guessing of multiple accounts, but equally adept at trawling through data looking for common themes, phrases, and information.


Common Password Attack Methods

In this section, we will look at common password cracking techniques. Some of these techniques overlap in tools and methodology, and attackers often blend multiple complementary tactics to improve their chances of success.

Password Guessing Attacks

One of the most popular password attack techniques is simply guessing the password.

Most of today’s systems take mercy on humans as we have countless passwords to remember. The systems permit us to make some mistakes, without locking us out of our account. When lockouts do occur, they generally last less than 30 minutes.


1. Random Guesses

Usernames are the portion of credentials that do not change, and are also highly predictable, regularly taking the form of first initial plus surname. Usernames are commonly an email address, something widely communicated. An attacker now has half the details needed to log into many of your systems. All that’s missing is the password.

A random password guess rarely succeeds unless it’s a common password or based on a dictionary word. Knowing information about the target identity enhances the likelihood of a successful guess by a threat actor. This information is gathered from social media, direct interaction, deceptive conversation, or even data aggregated from prior breaches.

Passwords susceptible to guessing most commonly follow these schemas:

The word “password” or basic derivations like “p@ssw0rd”

Derivations of the account owner’s username, including initials. This may include subtle variations, such as numbers and special characters.

Birthdays, in various formats, of the user or their relatives (most commonly their children), or other special dates

Memorable places or events

Relatives’ names and derivations with numbers or special characters, when presented together

Pets, colors, foods, or other important items to the individual

While automated password cracking tools are not necessary for password guessing attacks, they will improve the success rate.

Password guessing attacks tend to leave evidence in event logs and result in auto-locking of an account after “n” attempts. When account holders reuse passwords across multiple resources with poor password hygiene practices, the risks of password guessing and lateral movement dramatically increase.


2. Dictionary Attacks

Dictionary attacks are an automated technique utilizing a password list against a valid account to reveal the password. The list itself is a dictionary of words. Basic password crackers use lists of common single words, like “baseball,” to crack a password, hack an account, and launch the nefarious mission of the threat actor.

If the threat actor knows the targeted account's password length and complexity requirements, the dictionary is customized to the target. Advanced password crackers often use a dictionary and mix in numbers and symbols to mimic a real-world password with complexity requirements.

An effective dictionary attack tool lets a threat actor:

Set complexity requirements for length, character requirements, and character set

Manually add words and combinations of words/names customized for the target

Target common misspellings of frequently used words that may have symbols replaced or added

Operate in multiple languages

A weakness of dictionary attacks is that they rely on real words and on the derivations the dictionary in use supplies. If the real password is a made-up word, mixes multiple languages, or combines more than one word or phrase, it should thwart a dictionary attack.

The most common mitigation for a dictionary attack is an account lockout threshold. After “n” wrong attempts, a user’s account is automatically locked for a period of time and, after multiple lockouts, requires human intervention: the account must be manually unlocked by an authority, such as the help desk, or via an automated password reset solution. However, the lockout setting is sometimes disabled. If logon failures aren’t monitored in event logs, a dictionary attack therefore remains an effective attack vector.



3. Brute Force

Brute force password attacks use a programmatic method to try every possible combination for a password. This method is efficient for passwords that are short in character length and low in complexity. It can become infeasible, even for the fastest modern systems, with a password of eight characters or more.

If a password only has alphabetical characters, whether capital letters or lowercase, odds are it would take 8,031,810,176 guesses to crack. This assumes the threat actor knows the password length and complexity requirements. Other factors include numbers, case sensitivity, and special characters in the localized language.

With the proper parameters dialed in, a brute force attack will always find the password, eventually. The computing power required and the length of time it takes often render a brute force attempt moot by the time it completes. The duration is determined by the time needed to generate all possible password permutations, plus the response time of the target system for serial or multithreaded requests.

Brute force password attacks tend to be the least efficient method for hacking a password. Thus, threat actors use them as a last resort.
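The figure 8,031,810,176 above is exactly 26^7, the size of a seven-character space drawn from one 26-letter case. The added example below (not code from the original post) computes such keyspaces and shows, for the policy restrictions discussed earlier (required character classes, no leading digit or symbol), how much of the space an attacker can skip; the 95-character printable-ASCII classes and the guess rates are assumptions for illustration.

```python
from itertools import combinations

# Printable-ASCII character classes and their sizes (assumed for illustration).
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

def keyspace(length, allowed, required=(), first_allowed=None):
    """Count the strings of `length` over the union of the `allowed` classes
    that contain at least one character from every class in `required`, with
    the first character limited to the `first_allowed` classes (default: all
    of `allowed`). Inclusion-exclusion over the required classes: take the
    unrestricted count, subtract strings missing one required class, add back
    strings missing two, and so on."""
    first_allowed = allowed if first_allowed is None else first_allowed
    total = 0
    for k in range(len(required) + 1):
        for excluded in combinations(required, k):
            n_rest = sum(CLASSES[c] for c in allowed if c not in excluded)
            n_first = sum(CLASSES[c] for c in first_allowed if c not in excluded)
            total += (-1) ** k * n_first * n_rest ** (length - 1)
    return total

def seconds_to_exhaust(space, guesses_per_second):
    """Worst-case time to enumerate the whole space at a given guess rate."""
    return space / guesses_per_second

if __name__ == "__main__":
    everything = list(CLASSES)
    print(f"7 letters, one case:          {keyspace(7, ['lower']):>22,}")
    print(f"8 printable, no rules:        {keyspace(8, everything):>22,}")
    restricted = keyspace(8, everything, required=["upper", "digit"],
                          first_allowed=["lower", "upper"])
    print(f"8 printable, upper+digit required, letter first: {restricted:,}")
    # The "one guess every 10 minutes" pacing from the text, against one
    # account with a 100,000-entry list: about 1.9 years.
    years = seconds_to_exhaust(100_000, 1 / 600) / (365 * 86_400)
    print(f"100,000 guesses at one per 10 minutes: {years:.1f} years")
```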


4. Credential Stuffing

Credential stuffing is an automated hacking technique that uses stolen credentials. These credentials consist of lists of usernames, email addresses, and passwords. Attackers often purchase “combo lists” on the dark web that provide prepackaged email/password pairs. The technique generally uses automation to submit login requests against an application and to record successful logins for later exploitation.

Credential stuffing attacks do not attempt to brute force or guess any passwords. The threat actor automates authentication based on previously discovered credentials using customized tools, typically with passwords obtained from the dark web from previous third-party breaches. This approach can entail launching millions of attempts to determine where a user potentially reused their credentials on another website or application.

Credential stuffing attacks prey on password reuse. These attacks only succeed because so many users reuse the same credential combinations across multiple sites without any form of MFA.


5. Password Spraying

Password spraying is a credential-based attack that attempts to access many accounts by using a few common passwords. Conceptually, this is the opposite of a brute force password attack. Brute force attempts to gain authorized access to a single account by repeatedly pumping large quantities of password combinations.

Over the past year, password sprays have regained prominence. Midnight Blizzard breached Microsoft by compromising a legacy, non-production test environment with an unsophisticated password spray attack. Cisco and Okta are also warning of large-scale password spray attacks leveraging a range of residential proxies to evade detection.

During a password spray attack, the threat actor attempts a single, commonly used password (such as “12345678” or “Passw0rd”) against many accounts before proceeding to attempt a second password, thus avoiding account lockouts.

The threat actor tries every user account in their list with the same password before resetting the list and trying the next password. This technique minimizes the risk of the threat actor's detection and lockouts on a single account due to the time between attempts.

With poor password hygiene by any one user or on any single account, the threat actor will likely succeed in infiltrating the resource. This technique was recently used in the Microsoft Midnight Blizzard attack.
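The earlier observation that few systems track password attempts across accounts, and the spray pattern described in this section, point to the detection a defender needs: failures spread over many distinct users from one source while every user stays under the lockout threshold. The added example below (not code from the original post) runs that logic over constructed sample log lines; the log format, window, and thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the original post). One source tries a
# single password against many accounts, staying under any per-account lockout
# threshold; a second source is an ordinary user mistyping once.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z src=203.0.113.5 user=alice result=FAIL
2024-05-01T09:00:03Z src=203.0.113.5 user=bob result=FAIL
2024-05-01T09:00:05Z src=203.0.113.5 user=carol result=FAIL
2024-05-01T09:00:07Z src=203.0.113.5 user=dave result=FAIL
2024-05-01T09:00:09Z src=203.0.113.5 user=erin result=FAIL
2024-05-01T09:00:11Z src=203.0.113.5 user=frank result=SUCCESS
2024-05-01T09:02:00Z src=198.51.100.7 user=alice result=FAIL
2024-05-01T09:02:30Z src=198.51.100.7 user=alice result=SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(\S+)$")

def parse_events(log):
    """Yield (timestamp, source, user, result) tuples; skip unparseable lines."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4)

def detect_spray(log, window=timedelta(minutes=30), min_accounts=5, lockout=5):
    """Return (sprayers, compromised). A source is a sprayer when, inside one
    sliding window, its failures touch at least `min_accounts` distinct users
    while no single user reaches the `lockout` count: the pattern a
    per-account lockout policy never sees. `compromised` holds users who then
    logged in successfully from a flagged source."""
    events = list(parse_events(log))
    fails = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            fails[src].append((ts, user))
    sprayers = {}
    for src, attempts in fails.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            per_user = Counter(u for t, u in attempts[i:] if t - start <= window)
            if len(per_user) >= min_accounts and max(per_user.values()) < lockout:
                sprayers[src] = sorted(per_user)
                break
    compromised = {user for _, src, user, result in events
                   if src in sprayers and result == "SUCCESS"}
    return sprayers, compromised
```

Because sprays are often distributed across many proxy addresses, the same counting should also be run with the source field dropped, so the alert fires on the total number of distinct accounts failing in the window.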
