Mediaboss Marketing

Passwords are the standard authentication factor across sites and systems, but how we deal with passwords has changed over time. Today, password hashing is a critical security measure organizations should leverage to protect passwords. Because many organizations leverage password hashing to protect passwords, cracking dictionaries have evolved to crack those password hashes.

Here is a quick overview.

Cracking dictionaries are large lists of data, often cleartext strings, that can be used to crack passwords. These lists can include words in the form of dictionary words, common passwords, iterations of common passwords, and exposed passwords. They can also contain passwords that used to be hashed but have been subsequently cracked because they were stored in a weak password hashing algorithm.

As data breaches and password exposure increases year-over-year, more-and-more dictionaries of reverse-engineered hashed passwords are emerging. A password-cracking dictionary will often end up on the dark web for cybercriminals to exploit for various types of account takeover, paving the way for even more successful data breaches. They can also be used for cybersecurity research on user password habits.

There are plenty of methods a black hat hacker can choose to access user credentials. For example, they can use a form of social engineering to coax someone to hand over their credentials, like in a sophisticated phishing attack. But the easiest way is to use a cracking dictionary to gain access to an account. It is an easier and faster attack vector for account takeover.

Passwords have been a common feature of the internet landscape since its inception, and until recently, they were the only thing protecting your data. Cybersecurity experts recommend multi-factor account protection with things like biometrics, authenticators, and two-factor authentication, but many people still do not turn on MFA if it is optional because it takes longer to access their account. MFA is still not a standard for many websites and many internal systems. Passwords are still the standard authentication factor because no other method has proven to be easier yet, while also being more secure.

How we deal with passwords has also changed over time. Ten or fifteen years ago, it wouldnt have been unusual to walk past a colleagues computer and see a post-it note with their password scribbled on it stuck to their screen. Such a huge security mishap may seem shocking today, but it was common in a time when data breaches were rare and cybersecurity awareness was lacking. In the digital age, as major data breaches are happening almost daily, cybercriminals can get access to more passwords and are able to crack password hashes faster as technology advances.

This is where cracking dictionaries can offer a benefit. Bad actors can use entire databases of pre-cracked passwords, common passwords, leaked passwords, and standard dictionary words to try and hack into an account, without the time and complexity of a social engineering attack. This type of attack is quick so the victim often wont know of the unauthorized access until its already too late.

Over the years cybercriminals have developed a good understanding of what a typical password looks like, and they conduct their attacks based on this information. With a cracking dictionary, attackers apply the list of cracked passwords against a system and try to gain access.

But these dictionaries can also be useful for standard brute force attacks and password spraying attacks.

However, its not just hackers who use cracking dictionaries, legitimate security professionals do as well. Ethical hackers can also use this data to break hashing algorithms and conduct controlled data breaches to demonstrate how insecure a system is. This often happens in a professional setting, but there are also hash cracking websites available online where you can put in a hashed version of a password, and it will crack it, telling you the password.

Putting this hash into the website CrackStation, it returned the password almost instantly.

These websites use huge dictionaries of hashed data, some of this data is hashed common passwords, some is dictionary words, some is entire Wikipedia articles, and so on.

According to Forbes, just the first half of 2019 saw 3,800 publicly disclosed data breaches, amounting to 4.1 billion exposed records. What makes these figures even more alarming is that the number of breaches in 2019 increased by 54% compared to the previous year. The problem is, with each additional breach, more valuable data goes into the hands of these bad actors.

When a large company has their login credentials stolen, cybercriminals now have a huge set of data that provides insights, such as which passwords are the most popular, for example, which sports team names become common passwords in that area, and so on. These passwords get added to dictionaries. This data is still extremely valuable even when the password has been hashed.

Password hashing has long been considered a secure way of storing passwords. Hashing involves taking the native password, for example, Yellow3, and converting it into a string of numbers and letters of a fixed length. Hashing algorithms are designed to be difficult to crack and difficult to reverse engineer. All hashing algorithms are deterministic, which means if you input the same value, youll always get the same hashed output. However, they are also designed so that changing a single character the resulting hash will look completely different. This element of their design makes them considerably more difficult to reverse engineer, but the only thing standing in an attackers way is a large set of data and a powerful computer.

This is largely why data breaches are becoming so prevalent and increasing each year. Powerful computers and computer components are becoming increasingly affordable and as more hashed passwords are exposed, hackers get better at reverse-engineering these passwords. When quantum computing becomes more mainstream, it will become even easier to reverse engineer hashes.

One way to protect your password is to make it more difficult to crack.

A strong password policy can help organizations create harder-to-crack passwords. There are many different policies and recommendations around what makes a strong and safe password, but here are some common features of a strong organizational password policy:

Lastly, password monitoring can help organizations determine whether you have a strong password or not. Password screening software will scan your password and compare it to known common passwords, or passwords that have been exposed previously. If password monitoring tools indicate that a password has been exposed in a previous data breach, is a known password, or appears on password blacklists; then you should assume that hackers will try that password, and have potentially already cracked the hash for it.

The post Cracking Dictionaries: What You Need to Know appeared first on Enzoic.

Recent Articles By Author

*** This is a Security Bloggers Network syndicated blog from Enzoic authored by Enzoic. Read the original post at: https://www.enzoic.com/password-cracking-dictionaries/

Go here to read the rest:
Cracking Dictionaries: What You Need to Know - Security Boulevard