How Hackers Crack Passwords Actually

What’s in this Blog?

  • How passwords are stored in databases of websites.
  • Methods to crack passwords.


Passwords are not stored in plain text when you create an account on a website of this era. Instead, they are passed through a hashing algorithm and the result is stored in the database. Many types of hashing algorithms are available, including SHA-1, SHA-256, MD5, MD6, RIPEMD, TIGER, JANGO, and many more. The website uses one of these hashing algorithms to convert the plain text passwords of its users into a hashed format.

For the sake of this article, let’s consider that the website is Facebook.

Facebook Sign up page

To create an account on Facebook you need to provide your first name, surname, mobile number or email address, date of birth, gender, and password. Once you click Sign Up, all this information is sent to Facebook’s backend database. All of it is stored as it is, except for the password. The password is passed through a hashing algorithm and then stored in the database. This means the password that you provide in plaintext is never stored in the database, only its hash. This hashed form of the password appears to be random, but it is not: a hashing algorithm produces a specific hash value for every specific input, and that value stays the same for that input every time.

Now, suppose that Facebook has a data breach. The hacker has the info of the Facebook users, including their name, age, gender, email address, and password. Though the hacker has all this info, he will not be able to log into any specific user account, because the password is hashed. If the hacker tries to log in using that hashed password, he will not succeed, because he needs to enter the password in plain text. So, what does he do now?

Cracking Passwords

The only possible way to log in to a user account is to convert that hashed password back into plain text, but that is practically impossible, because a hash function is a one-way function and cannot be reversed. That is how hashing algorithms are designed. So, what now? This is where the strength of the password shows. If you are using a common password like 12345678, the hacker will easily be able to recover it from the hash string. There are three ways a hacker can crack your password. Let’s have a look at them one by one.

Rainbow Tables

Rainbow tables are lists of common passwords along with their hashes. A hacker simply tries to match the hashed password of the user with the hashes of the passwords present in the rainbow tables. If the hash matches, which will be the case if you use a simple password like 12345678, the hacker learns the password by looking at the plain text that corresponds to the matched hash value.

But if your password is not that simple, the hacker won’t be able to crack it using rainbow tables. His next approach will be a dictionary attack.

Dictionary Attack

First of all, let’s see what a dictionary is. A dictionary is a large set of passwords. It differs from rainbow tables because dictionaries, which are also called word lists, do not store hashes alongside the passwords. You can create your own dictionary; numerous tools are available on the internet to do so.

To crack the password using a dictionary attack, the hacker first has to hash each password in the word list and then compare it with the hash of the user’s password. This process can be time-consuming, because the passwords in the dictionary do not come with their hashes already computed. In addition, there is no guarantee that the password will be present in the word list if it is a unique password. This attack can succeed or fail depending on the quality of the word list being used.

So, if the previous methods fail, the hacker will try the third way.

Brute Force Attack

In a brute force attack, every combination of numbers, symbols, and letters, both capital and small, is converted into its hash and then compared with the user’s hashed password. With this technique it can take forever to crack a password that is lengthy and complex, even if the hacker is using powerful hardware. Simple passwords, however, can be cracked easily this way.


A new technique called salting has also been introduced by security analysts to give hackers a tough time. In this technique, a specific combination of letters is inserted at specific places in the user’s plain text password before it is passed through the hashing algorithm. As a result, the hash value is of (Password + Salt) and not of the password alone, which makes rainbow tables of no use.

Each company has its own salt and does not make it public. The hacker will only be able to crack a salted, hashed password once he knows that company’s salt. This makes the password-cracking process more complex and lengthier for hackers: even if the hacker hashes the correct password and compares it with the hash he is trying to crack, it will not match, because the user’s stored hash was computed over the salt together with the plaintext password.
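The effect of salting on a precomputed hash table, as an added example (not code from the original post). It goes a little beyond the text by also showing what a site would store and check at login; the three-word list, prefixing the salt, a random per-user salt, and PBKDF2 as the slow hash are all assumptions of this sketch.

```python
import hashlib
import hmac
import os

COMMON = ["12345678", "password", "qwerty"]  # constructed sample list


def plain_hash(password: str) -> str:
    """Unsalted SHA-256: the same input always gives the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_table(words):
    """Precomputed hash -> password table, as the Rainbow Tables section describes."""
    return {plain_hash(w): w for w in words}


def salted_hash(password: str, salt: bytes) -> str:
    """Hash of (salt + password); prefixing the salt is an assumption."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def store(password: str, iterations: int = 600_000):
    """Record a site keeps: random per-user salt plus a deliberately slow digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify(password: str, record) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def demo():
    table = build_table(COMMON)
    a, b = store("12345678"), store("12345678")
    return {
        # Unsalted hash of a common password is found in the table.
        "unsalted_hit": table.get(plain_hash("12345678")),
        # Same password with a salt: the table has no matching entry.
        "salted_hit": table.get(salted_hash("12345678", os.urandom(16))),
        # Two users with the same password get different stored digests.
        "same_digest": a[2] == b[2],
        "login_ok": verify("12345678", a),
        "login_wrong": verify("1234567", a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```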

I hope these basic password-cracking techniques make sense to you.

Saif Ur Rehman

Hey, I am an Ethical Hacker and a Cyber Security Expert. In this blog, I have tried to deliver knowledge about how different attacks are performed and how you can protect yourself from being a victim of those attacks.
