Everyone wants to know how hackers crack their passwords. In this post, we will see how passwords are really cracked. I will also tell you some techniques that you can use to crack passwords yourself. So here we go.
Passwords are not saved as plain text. Any website on the Internet uses a hashing algorithm to store and manage passwords. There are many types of hashing algorithms, like SHA1, MD5, MD6, SHA256, TIGER and many more. As an example, let's consider Facebook. In order to log in to your Facebook account, you enter your email and password and click on login. The first time you create a Facebook account, you are asked to fill in a form like this, which contains your name, email address, password, birth date and gender. Once you click on sign up, this data is sent to Facebook's back-end database. In Facebook's database your name, gender, age and email address are saved as they are, but what about the password? As I told you, a password is never saved as plain text in a website's database. So this password is given as input to a hashing algorithm, and the output of this algorithm is the hashed form of the password, which appears to be random but is not. This hashed password, not the plain text, is saved in Facebook's database. Now suppose Facebook has a data breach and hackers manage to gain access to Facebook's user info, which includes name, gender, age, email and password.
Though hackers have this information, they will not be able to log in to any specific user account, because the password is hashed. If the hacker tries to log in to a specific user account with the hashed password, he will not be given access. He needs to enter the password in its plain text form. So what does the hacker do now? Is there any possible way to reverse the hash to its plain text form? This is highly impossible, because a hash is a one-way function. The plain text cannot be obtained from the hash itself. That is what hashing algorithms are designed for.
If you are using a common password like 'text123456', the one used earlier to sign up for Facebook, then the hacker will easily be able to find the plain text form of your password from the hash string. There is something known as rainbow tables. These tables contain the password hashes of numerous commonly used passwords along with their plain text form. So the hacker can do a simple search with the password hash. If the password hash exists in the rainbow table, the password is successfully cracked and we now have the password in plain text form. Remember, a rainbow table contains the password hashes of only the passwords that are commonly used. You can try it yourself at CrackStation.net. But what if the password is not a commonly used password? In that case rainbow tables are of no use, and that is where the dictionary attack and the brute-force attack come in. Both are quite similar.
In a dictionary attack, you have a word list. A word list is a huge text file with lots of passwords. In this attack, the hackers write code that compares the password hash to be cracked with the password hash of each and every password that exists in the word list file. If any hash matches, the cracking is successful and we now have the plain text of the hashed password. This attack can be target-specific as well, which means you can create your own word list targeting a specific individual, provided that you know some basic details about him and assuming that he uses those details to frame his password. This attack can be a success or a failure depending on the quality of the word list that you are using.
In a brute-force attack, each and every combination of letters, symbols and numbers is converted into its hash form and then compared with the password hash that is to be cracked. In other words, you are literally taking every possible password that can exist, converting it into its hash and checking whether the hash matches. So yes, it literally takes forever to crack a strong password using this method.
A technique called salting was introduced by security analysts to give hackers a hard time cracking passwords. In this technique, a specific combination of characters is sprinkled at specific positions of the plain text password before hashing. Every company has its own salting algorithm, and they don't make their salting algorithm public. So when a salt is used, rainbow tables are of no use, even if the password to be cracked is a weak and commonly used one. Dictionary and brute-force attacks are also not effective for cracking salted passwords.
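How the table lookup and the salt described above behave on the storage side, as an added example that is not code from the original post. It assumes a random per-user salt saved next to the hash and PBKDF2 as the hash function, neither of which the post specifies; the password list and all function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample list of commonly used passwords (not a real word list).
COMMON_PASSWORDS = ["123456", "password", "qwerty", "text123456"]

def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: the unsalted scheme."""
    return hashlib.sha256(password.encode()).hexdigest()

# Precomputed table (hash -> plain text), built once and reusable on any leak.
LOOKUP_TABLE = {unsalted_hash(p): p for p in COMMON_PASSWORDS}

def table_lookup(stored_hash: str):
    """Search the precomputed table; returns the plain text or None."""
    return LOOKUP_TABLE.get(stored_hash)

def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """PBKDF2-HMAC-SHA256 over the password and a per-user salt (assumed scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()

def store_password(password: str):
    """Return the (salt, hash) record a site would save at sign-up."""
    salt = os.urandom(16)  # fresh random salt for every account
    return salt, salted_hash(password, salt)

def verify_password(password: str, salt: bytes, stored: str) -> bool:
    """Recompute with the saved salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt), stored)

if __name__ == "__main__":
    # Unsalted: the hash of a common password is found by a simple search.
    print("unsalted lookup:", table_lookup(unsalted_hash("text123456")))
    # Salted: two users with the same password get different records,
    # and neither record appears in the precomputed table.
    salt_a, hash_a = store_password("text123456")
    salt_b, hash_b = store_password("text123456")
    print("salted lookup:", table_lookup(hash_a))
    print("records differ:", hash_a != hash_b)
    print("login still works:", verify_password("text123456", salt_a, hash_a))
```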