Password Hashing and Cracking

Trial and error attacks on passwords take place in two ways:

  • On-line trial-and-error attempts against the site itself
  • Off-line attempts against a hashed password file

We construct strong passwords when we try to resist both types of attack. One aspect of this is to avoid well-known passwords, especially those stolen by hackers. There are several sources for these lists. OWASP seems to encourage a collection of lists stored on Github.

Have I Been Pwned

The site Have I Been keeps a list of passwords disclosed from hacked databases and published data dumps. The author, Troy Hunt, has been working on, and writing about, cybersecurity for at least a decade. Hunt’s site contains over 600 million passwords, and the site is set up so that password checking actually takes place on your browser – the server never sees the password you’re asking about. The technique is rather clever, and described on Hunt’s web site.

Let’s use Have I Been Pwned to check the strength of single-word passwords.

  1. Make a list of 5 words, some short, some longer, but all less than 8 characters. Type them in and indicate which have or have not been pwned.
  2. Pick the longest of your pwned words. Add a digit to it and see if that has been pwned.
  3. Using the longest of your pwned words, add a special character or punctuation mark to the end, and see if that has been pwned.
  4. Find a word that is longer than 10 letters that has already been pwned.
  5. Make a list of 5 words containing 10, 11, or 12 letters. Type them in and indicate which have or have not been pwned.

Numbers as Passwords

Now we’ll use Have I Been Pwned to look at numerical passwords.

  1. Type a few randomly-chosen digits into Have I Been Pwned and see if it’s a pwned password. Don’t type repeated digits or sequences. Without erasing the previous digits, type in another digit and if this password was pwned. If so, continue typing in additional digits and checking until the number is not pwned. How many digits did you need to type?

Pairs of Short Words

This one is more interesting if you find which of the following yield pwned words.

  1. Find a pair of short words, each 3-5 letters long, that has been pwned.
  2. Add a digit after the two words and see if it has been pwned.
  3. Put a digit between the two words and see if it has been pwned.

Calculating Hashes

Many desktop systems have a command line function (or perhaps even an app) that will calculate hash values for files and text strings. The “MD5” hash is sufficient for our purposes. It isn’t a particularly strong hash (i.e. not resistant to attacks) but it’s widely available, fast, and yields a small value to cut and paste.

On Unix/Linux/Mac systems, there is probably an “md5” shell command. To hash the password “dogscats” you type this command:

md5 -s “dogscats”

The quotes prevent the shell from trying to treat the password as a file name. If you need to insert special characters in the password, use “\” as the escape character.

You may also use your web search engine to find an online site that calculates hashes. The site tools4noobs has one.

More Password Testing

The web site has built a database of almost 1.5 billion words that could be passwords. The site stores all those words in hashed formats and will look up hashed passwords against them. This gives you a different set of potential passwords to check against.