Want To Find Out How Password Cracking Works?


I've covered a few security-related products and services recently, and I know from our usage stats that this is a topic which many of you are interested in.

So, to end this brief run of security postings, here's something about a freeware program with a difference.  The difference is that I'm not actually suggesting you download and run it.  Instead, increase your understanding of the program, and others in the same genre, by reading an excellent article.  Let me explain.

Have you ever wondered how password cracking works?  And why it causes so much of a furore when a web site is discovered to have had its password file hacked into and stolen?  If so, then here's how it work.

When you choose a password to use on a web site, the site needs to store that password in a database so that it can recognise you when you subsequently log in.  Although some sites do simply store the password itself, this is clearly a security risk.  Therefore, sites tend to store a hash instead.  A hash is the result of putting the password through a special mathematical formula which only works in one direction.  For example, put "TechSupportAlert" through the MD5 hash formula and it comes out as b7c1ecff69702b37278e9badcb386e30.

The clever bit is that hashing only works in one direction.  There's no way to start with that hash and work out what password it corresponds to.  So when you log into the web site, and type "TechSupportAlert" as your password, the site hashes it again, and checks whether the hashed version of what you just typed matches the hash in the database.  If so, you are safe to enter.

So how does password cracking work?  And why do experts advise you to never choose a password that appears in a dictionary?

Well, imagine that I hack into a website and steal its database of usernames and hashed passwords.  And then imagine that I search that database of hashes for b7c1ecff69702b37278e9badcb386e30.  If I find a match, then I know that this particular user has chosen TechSupportAlert as their password.

And so to the article that explains it all in more detail, and is a diary of one person's attempt to try cracking some passwords.  You'll find it at http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/1/.  Once you've read it, you'll realise why choosing a strong, long, non-dictionary password makes sense.  Especially on important web sites such as online banks and PayPal.  If you don't, you'll now understand the risks much more clearly.




Please rate this article: 

Your rating: None
Average: 4.3 (23 votes)


I do not completely follow you and you appear to have made a mistake with your assertion that: 'put "TechSupportAlert" through the MD5 hash formula and it comes out as b7c1ecff69702b37278e9badcb386e30.'
Using the freeware IgorWare Hasher program or the http://www.adamek.biz/md5-generator.php webpage, it is apparent that "TechSupportAlert" has MD5-value of 1f7d7254b28b1ada3a47aaba7c8335f1 (or c7a1471461abe6d07f05b200396a8619 if the quote marks are included).

Can anyone answer: Does a site's hashing the user-name as well as the password improve security? Is it possible and feasible to do so?

Thanks. Nice article.

No, it's not generally feasible to hash the username as well. Sites need to know the "real" username because it is a key to not just the password, but also to the rest of the data record associated with that account. For example, if I wanted to know your email address, I (as a moderator of this site) could go to your record in the database and probably find it. But if your username was stored as a hash, how could I find your record?

This is an amazing - and scary - article. I thought I had a handle on how to create safe passwords, but the variations this cracking process easily applies shows me I'm not any safer than the majority of otherwise uninformed users. Everything changes today.

Thanks Rob for pointing us to that interesting must-read article.

Main conclusion: long = strong

>> So the lesson also is, should you check passwords for strength before applying them,
>> preferably opt for "strong" at least.
I would say: opting for "long" is better.
Since you don't know how a site determines a password is "medium" or "strong".
But as the article reveals: long IS strong

>> https://www.passwordsavvy.org/
This makes you feel safer while you aren't.
As the article reveals too: replacing 'e' by '3' or 'o' by '0' doesn't make your password stronger at all.

If you WANT to use names you will remember, try this site
It will help you scramble them yet keep theM&Read4ble

Just last week, one of my Yahoo mail addresses got hacked from Russia; I did use a password that was deemed of "medium" strength on MS test site, but it was not good enough. So the lesson also is, should you check passwords for strength before applying them, preferably opt for "strong" at least.