Common password cracking techniques
Your password is kept on a website’s server as an encrypted string of characters called a hash. Hackers can’t reverse hashing algorithms and uncover your password. But there are many password cracking techniques they can use to get what they want. They can even get you to type your password into an unauthorized, dangerous website.
Certain types of password attacks and other ways to crack passwords and get around encryption are becoming increasingly sophisticated and diversified. Here’s a closer look at some of the top password cracking methods and how you can protect against them.
Passwords should be hard to crack but easy to remember. Unfortunately, people underestimate the risks and lean too heavily toward making their passwords memorable. Often it’s easy to access information simply by guessing that the password is, in fact, “password.”
Other common passwords include birthdays and hobbies, which make your password easily guessable. When setting your passwords, don’t use terms that can be easily guessed or found online. Instead, use long and hard-to-guess passwords or passphrases that combine multiple random words.
How are you supposed to create a strong password you won’t forget? Memorizing your password or writing it down can be risky. That’s why you should use a password manager, which is a much more secure way to store your passwords.
Password managers are a secure way to store your passwords.
Brute force attack
Brute force methods try every conceivable combination of characters. Brute force password crackers convert millions of possible passwords into hashes and compare those hashes to the one associated with your password.
This method takes a very long time — the more complex the password, the longer it takes to crack. A sufficiently complex password would take a powerful computer hundreds or even thousands of years to crack. While some of these attacks use the power of botnets, the right password can still evade a brute force attack.
Brute force hacking can also leverage credential recycling, which is the use of past combinations of cracked usernames and passwords. Similarly, reverse brute force attacks start from a common password (like “password”) and sniff out usernames instead.
As the range of methods for cracking passwords has become more sophisticated, using data breach monitoring software has become all the more important. AVG BreachGuard will alert you when one of your passwords shows up in a breach, and it’ll give you advice on how to strengthen your password security.
Dictionary attacks involve a huge table of semi-common passwords and their hashes. For example, a dictionary attack tool might compare an encrypted hash found on Facebook’s server with one in its database. And it may very well find a match.
These example passwords contain phrases or words from the dictionary along with slight variations. That way, a password which adds or drops a random character or number in the middle of a password might still be uncovered.
If you’re wondering how a list with hundreds of millions of possible passwords can exist, the answer is that a text file containing that much text still takes up only a few gigabytes and is easily downloadable.
The dictionary attack list also works as a database for previously cracked passwords, putting at greater risk those who reuse their passwords multiple times. Dictionary attacks highlight the importance of always using unique passwords.
Social engineering involves manipulating someone into handing over sensitive information. Hackers know exactly what kinds of emails people tend to open thoughtlessly. If you get an email warning you about an imminent security problem with your account, don’t click on a link and enter your password or any other personal details.
Other tactics include using fraudulent email addresses like admin [at] paypa|.com. You’d be surprised by how many people don’t notice the difference between a lowercase L and the | symbol.
No matter how trustworthy the address looks, never click a link in an email that you haven’t generated yourself (log in confirmation emails) or wasn’t sent by someone you know. Phishing attacks take many forms, but they all hope you’ll fail to notice something suspicious.
Rainbow table attack
Rainbow table attacks remove the need to store hundreds of millions of password-hash combinations. Rainbow tables remember parts of hashes before trying to locate the whole string, cutting down on volume and making any password-hash combination much easier to find.
Whereas brute force attacks take a lot of time and dictionary attacks take up a lot of space (because massive files have to be sorted through), rainbow table attacks make certain tradeoffs and reduce the amount of time and space needed. This has proven very effective, especially with the popular RainbowCrack tool.
Mask attacks assume that a password takes a common form — like using one uppercase letter at the beginning followed by several lowercase letters — rather than running through every possible iteration. This lets mask attacks crack passwords in minutes as opposed to the years that brute force hacking might take.
Spidering involves reviewing a company’s internal or external communications to find phrases or jargon employees might use as their passwords. As with individual passwords, company passwords often reflect the daily activities of those using them. The more training documents and promo materials a company has, the more likely their passwords can get cracked.
Offline cracking happens when a hacker gets a set of hashed passwords from a compromised server and then matches a plaintext password to the hash offline. The host website won’t know anything is happening, and the hacker has plenty of time to crack the password.
Password hacking tools
Network analyzers and packet-capturing tools are two types of password cracking tools that monitor and intercept data packets. These tools require a network connection, but once that’s established, the bits of data moving in and out can be converted into plaintext. Fortunately, these same tools can help a company discover security breaches as well.
Many of the most popular password crackers use a combination of the above techniques. Their ease of use combined with the growing consumer demand for high-powered PCs means that more people are getting into hacking.
Protect yourself against password cracking with AVG BreachGuard, which monitors the latest data breaches and alerts you immediately if one of your passwords has leaked. That way, you can quickly change your passwords before anyone can use them to compromise your accounts.
Malware is another password cracking tool. In particular, keyloggers are a type of malware that secretly record all your keystrokes and send them back to whoever put the keylogger on your system.
Make sure to use the best antivirus software you can find to defend against keyloggers and other malicious software. Installing a strong anti-malware tool will keep password hacking software off your device.
Brutus is a brute-force password cracker that uses an exhaustive, dictionary-based attack method that allows for infinite guesses. Along with its popularity with cybercriminals, Brutus also has legitimate uses, such as when someone doesn’t know their own router’s password.
RainbowCrack helps hackers crack passwords by generating rainbow tables — those sets of precalculated hashes that speed up the password cracking process. Thankfully, the use of rainbow tables can be thwarted by a common technique known as salting, a process whereby host websites insert random strings of text into plaintext passwords before hashing them in their database.
Cain and Abel
Cain and Abel extracts all passwords found on a PC. Unless you do an exhaustive wipe of all your system files, a Windows 10 password cracker like Cain and Abel can dig out passwords for email addresses, operating systems, Wi-Fi connections, and more.
Password-protecting Word and Excel files can help you lock away particularly sensitive information.
Medusa works by checking passwords against a wordlist — and it can even be used to extract passwords from other machines on the same Wi-Fi network. Medusa requires a little technical knowhow to operate, but instructions for how to use it can easily be found.
The proliferation of tools like the Medusa password cracker means it’s more essential than ever to use long, unique, and hard-to-guess passwords or passphrases.
Is password cracking illegal?
Cracking passwords on an online service is illegal, unless you have consent to test a system’s security. Even if it’s your own password, hacking into a service like Facebook constitutes breaking in where you aren’t allowed. Even if your intentions are good, your legal position is precarious.
People both in the US and abroad have been arrested for offering password-cracking services. In 2014, operators of one such service were found to have broken into email accounts and held them ransom, demanding payment to restore access.
How can I stop people hacking my passwords?
Password privacy can seem like a daunting task. But you’re the one in control — the most commonly cracked passwords ignore the most basic password-security practices, like not making your password “password” or using a simple string of numbers like “123456.”
Here’s how you can stop people hacking your passwords.
Create a long, unique, and hard-to-guess password
Include a variety of uppercase and lowercase letters as well as numbers and special characters.
Consider using a passphrase made of random and unrelated words.
Mix up the distribution of special characters — don’t use just one uppercase letter at the beginning of your password.
Make the password a minimum of 16 characters.
Use hard-to-guess passphrases composed of random words to keep your accounts secure.
Even the most sophisticated methods running on the most powerful machines would take years to crack a password that checks all those boxes. A good password manager can even generate strong passwords for you, removing the need to come up with them in the first place.
Keep an antivirus running
Robust anti-malware software will spot a keylogger before it gets the chance to record any sensitive data. AVG AntiVirus FREE will automatically detect and block any malware heading your way, while scanning and removing malware already present on your device.
Turn on two-factor authentication
Having your phone always with you can be to your advantage. Two-factor authentication (2FA) adds another layer of security to your logins — frequently done through a mobile app or SMS service. While some hackers have spoofed 2FA text messages, authentication apps are a highly secure method of account verification and protection.
Use a VPN
A VPN (virtual private network) encrypts all your internet traffic, both incoming and outgoing. Password crackers sometimes catch bits of data in transit, and this is where the benefits of VPNs can really come in handy.
Protect your passwords and data with AVG BreachGuard
AVG BreachGuard does more than just scan the latest password dumps to see if yours was leaked. It also opts you out of data collection by third parties, reducing data brokers’ ability to store your data on their servers. Keep your passwords safe with AVG BreachGuard.