It seems like almost weekly we see headline news stories of yet another company falling victim to a data breach. There are many different reasons a company gets breached: denial-of-service attacks, malware attacks, password attacks, and many more. According to Verizon’s 2016 Data Breach Investigations Report, “63% of confirmed breaches involved weak, default or stolen passwords.” With that in mind, it is safe to say that the majority of data breaches are due to bad passwords. Needless to say, creating a more secure password policy is a topic that needs to be discussed internally within every company.
When a hacker attempts to crack a user’s password, they are not just trying a few educated guesses in the hope of finding the right one before moving on to someone else’s account to try a few more. Instead, hackers have specialized software that does all of the work for them.
On the internet, many different password cracking tools are available for public use. One of the most well-known is Cain and Abel, which is only available for Windows-based systems. According to the Infosec Institute, Cain and Abel “can work as sniffer in the network, cracking encrypted passwords using the dictionary attack, recording VoIP conversations, brute force attacks, cryptanalysis attacks, revealing password boxes, uncovering cached passwords, decoding scrambled passwords, and analyzing routing protocols.” Another popular tool is John the Ripper. It is free software, available for Mac OS X and Windows-based systems, that can detect weak passwords. A paid version with many additional features is also offered.
Besides Cain and Abel and John the Ripper, OphCrack is a popular rainbow table tool and L0phtCrack cracks Windows passwords from hashes. For more information about rainbow tables, click here.
Microsoft’s LM hashing algorithm is insecure because it splits passwords into 7-character segments; security professionals are advised to disable LM hashing and use the NT hashing algorithm only. Click here to read more.
As you can see, there are many tools available to crack passwords. Beyond the tools themselves, let’s talk about a few of the methods a hacker can use to crack passwords.
1. Brute Force
A Brute Force password attack can be very successful, but it is a slow process for cracking passwords. The program attempts to guess passwords repeatedly until the password has been cracked or the list of predetermined passwords has been exhausted. Success for this attack is determined by the set of predetermined passwords: the larger the file, the greater the probability of success. The attack can take anywhere from a few minutes to a few years depending on the software used and the length of the password being cracked. Longer passwords with multiple character sets take longer to crack.
2. Rainbow Tables
Rainbow Tables are a very successful method of cracking passwords that are 14 characters or less. Rainbow tables are enormous compilations of pre-computed hash values for possible password combinations. In effect, they let a hacker work backwards from a hash to the plaintext password that produced it. Once the matching hash has been found, the password is cracked. For Windows passwords of up to 14 characters, these tables can have up to a 99.9% success rate.
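The following is an added example, not code from the original post, that puts numbers on the two points above: how the size of an exhaustive search grows with password length and character set, and why LM hashing’s 7-character halves make even a 14-character Windows password cheap to crack. The alphabet sizes are approximations for US-keyboard printable ASCII, and the guess rate is a constructed figure chosen only to make the comparison concrete.

```python
"""Keyspace and time estimates for brute-force search against NT and LM hashes.

Added illustration, not the article's or any vendor's code. Alphabet sizes are
approximate; the guesses-per-second figure is constructed for the comparison.
"""

# Approximate character-class sizes for US-keyboard printable ASCII.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33
FULL_ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS  # 95 printable characters
LM_ALPHABET = UPPER + DIGITS + SYMBOLS            # 69: LM upper-cases before hashing


def keyspace(length: int, alphabet: int = FULL_ALPHABET) -> int:
    """Number of candidates an exhaustive search must cover for one hash."""
    return alphabet ** length


def lm_keyspace(length: int) -> int:
    """Candidates needed against the LM hash of a password of `length` characters.

    LM pads or truncates the password to 14 bytes, upper-cases it, and hashes
    each 7-byte half independently. An attacker therefore searches each half on
    its own, so the cost is the sum of two 7-character keyspaces rather than one
    14-character keyspace. Windows stores no LM hash at all for passwords longer
    than 14 characters, which is why a 15-character minimum takes LM off the table.
    """
    if length > 14:
        raise ValueError("no LM hash exists for passwords longer than 14 characters")
    first_half = LM_ALPHABET ** min(length, 7)
    second_half = LM_ALPHABET ** max(length - 7, 0)  # an empty half hashes to one known constant
    return first_half + second_half


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guess rate."""
    return space / guesses_per_second


def describe(seconds: float) -> str:
    """Human-readable duration for a worst-case search time."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def compare(length: int, guesses_per_second: float = 1e10) -> dict:
    """Contrast a full-length search (NT hash) with LM's two independent halves."""
    nt = keyspace(length)
    lm = lm_keyspace(length)
    return {
        "length": length,
        "nt_keyspace": nt,
        "lm_keyspace": lm,
        "nt_time": describe(seconds_to_exhaust(nt, guesses_per_second)),
        "lm_time": describe(seconds_to_exhaust(lm, guesses_per_second)),
        "lm_speedup": nt // lm,  # how many times cheaper the LM hash is to attack
    }


if __name__ == "__main__":
    for n in (8, 14):
        print(compare(n))
```

Running the block shows that at the constructed rate a 14-character LM hash is exhausted in well under an hour, while the same password’s NT hash would take on the order of billions of years to brute-force; the `lm_speedup` figure is the ratio a defender should keep in mind when deciding whether LM hashes may remain stored.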
3. Hybrid Attacks
A Hybrid Attack is a password cracking technique that combines a Dictionary Attack with a Brute Force Attack. This type of attack pairs dictionary words with numbers and special characters in an attempt to gain access to a company’s network. It is typically used to target passwords made of a common dictionary word followed by a special character and/or number. Hybrid Attacks are extremely successful because studies have shown that the typical user builds a password from a common dictionary word plus a single extra number or special character, just enough to meet the password policy requirements.
4. Dictionary Attacks
Dictionary Attacks are quite simple, yet they are very dangerous to companies. As stated previously, studies have shown that users like to create passwords from common “dictionary” words like password, summer, football, etc. In a Dictionary Attack, the password cracking tool tries common dictionary words as passwords until the hacker gains access to the company’s network.
With so many different password cracking methods, the question “How can I, as the IT Administrator, keep my company safe?” is probably on your mind. Truth be told, Microsoft’s built-in password complexity rules are neither secure nor strong enough to keep hackers away. Microsoft does not let you prohibit common dictionary words to prevent dictionary attacks, nor does it allow you to set a minimum length of 15 characters to prevent an attack via rainbow table. The only solution is a Windows-based password filter. The nFront Password Filter lets you create a customized dictionary file to prevent dictionary attacks, and it lets you strengthen your password policy settings beyond what Microsoft currently allows. For more information on why the Windows Password Policy isn’t enough, click here.
Even if you are not the IT Administrator for your company and are simply an employee, take it upon yourself to create a stronger password. At least you can rest easy knowing that your password won’t be the reason your company is hacked. According to CNN Money, US companies lose $15.4 million per year to hacking.
As I stated earlier, everyone has access to password cracking tools. Do yourself and your company a favor and run one of these tools internally. There are also professionals, called penetration testers, who can conduct a formal penetration test for you using password cracking tools and show your company where its vulnerabilities are.
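To make the policy recommendations concrete, here is an added example (not code from the original post, and not nFront’s product) of the checks a password filter performs on a proposed password: a 15-character minimum, a character-class requirement, and a custom dictionary check that also catches the hybrid variants described above, where a common word is dressed up with digits, symbols or leetspeak substitutions. The word list, the substitution table and every test input are constructed for the example; a real filter would load a large dictionary and a breached-password list.

```python
"""Password-policy check modelled on the article's recommendations.

Added illustration, not the original post's or any vendor's code. The word list
and leetspeak table are constructed subsets for demonstration purposes.
"""
import string
from typing import Iterable, List, Optional

MIN_LENGTH = 15   # 15+ characters keeps a Windows password out of LM / rainbow-table range
MIN_CLASSES = 3   # at least three of: lowercase, uppercase, digit, symbol

# Constructed sample dictionary; a deployment would load a far larger list.
COMMON_WORDS = {"password", "summer", "football", "welcome", "letmein"}

# Constructed subset of the substitutions hybrid rules apply; undoing them maps
# "P@ssw0rd" back to "password" so the dictionary check still fires.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normal_forms(candidate: str) -> set:
    """Lower-cased spellings of the candidate, with and without leetspeak undone."""
    lowered = candidate.lower()
    return {lowered, lowered.translate(LEET)}


def dictionary_hit(candidate: str, words: Iterable[str] = COMMON_WORDS) -> Optional[str]:
    """Return the first dictionary word found inside any normal form, else None.

    Substring matching is deliberate: it rejects "Football1!" and "summer2016"
    as well as the bare word, which is exactly the hybrid-attack territory.
    """
    for form in normal_forms(candidate):
        for word in sorted(words):
            if word in form:
                return word
    return None


def char_classes(candidate: str) -> int:
    """Count how many of the four character classes the candidate uses."""
    return sum([
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(c in string.punctuation for c in candidate),
    ])


def check_password(candidate: str, words: Iterable[str] = COMMON_WORDS) -> List[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"length {len(candidate)} < {MIN_LENGTH}")
    if char_classes(candidate) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    word = dictionary_hit(candidate, words)
    if word:
        problems.append(f"contains dictionary word '{word}'")
    return problems


if __name__ == "__main__":
    # Constructed inputs: three typical hybrid-style passwords and one that passes.
    for pw in ("Football1!", "$ummer2016$ummer", "P@ssw0rd", "Correct-Horse-Battery-9"):
        print(pw, "->", check_password(pw) or "accepted")
```

Note that the class count alone would have accepted every one of the rejected samples; it is the length floor and the dictionary check that do the real work, which is the article’s point about built-in complexity rules.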