
How weak is your strong password?

Updated: Sep 27, 2022

This article discusses an inherent weakness of passwords and the tools and techniques used to crack them, and makes the case for a password-less digital world. The tools and techniques described here are for educational purposes only.


We will first explore three key constructs:

  1. Passwords

  2. Dictionary

  3. Hashes

A password is a secret that only the user is supposed to know; a username and password together authenticate the user. Passwords are composed of letters, digits and special characters, and the size of that character set together with the length of the password determines the pool of possible combinations. For a 4-character password over the 62 upper-case letters, lower-case letters and digits, the pool is 62^4 = 14,776,336; over all 95 printable ASCII characters it is 95^4 = 81,450,625.

These are huge numbers, and they grow exponentially with password length: every extra character multiplies the pool by the size of the character set. However, the human brain cannot memorise an 8-character random password, particularly when it has to hold many of them for different accounts. To create simple, memorable passwords, many people tie them to something they can easily recall: a name, a date, a pet, a word. That does not make the password unique. Quite the opposite, because other people recall the same things, and the same passwords turn up in breach after breach.


This leads to another concept in password cracking, the dictionary: a compiled list of commonly used passwords, usually built from previous breaches. These lists are freely available, and they let attackers shrink the search space from every possible string to the strings people actually choose.

The next concept is hashing. Passwords should never be stored in plain text; a system stores the output of a one-way cryptographic transformation instead. It is one-way because you cannot invert it to recover the original text; the only way to find the password is to guess it, hash the guess and compare. There are many hashing algorithms, but two of the most common you will come across are MD5 and the SHA family (SHA-1, SHA-2, SHA-3). Note that these are general-purpose hashes designed for speed, and speed is exactly what a cracker wants. A password store should instead use a salted, deliberately slow password hash such as bcrypt, scrypt, Argon2 or PBKDF2: the random per-user salt rules out precomputation, and the work factor limits how many guesses an attacker can make per second. Different operating systems use different algorithms, but the ideas are the same.

Many tools are available to crack passwords, and their ethical use is to test systems against this threat. They can be used for online attacks (guessing against a live login, where rate limiting and account lockout apply) and offline attacks (guessing against a stolen hash, where the only limit is the attacker's hardware). Most of them take a dictionary as input.

Types of password attacks


1. Brute Force/Dictionary

A brute-force attack tries every combination of the character set up to a given length; a dictionary attack tries each entry of a prepared list. In both cases the tool hashes candidate after candidate and compares, until a hash matches or the candidates are exhausted. Brute force always succeeds eventually but is bounded by the size of the key space; a dictionary attack is much faster but only succeeds if the password is in the list, so its success depends on the size and quality of the dictionary.


2. Rainbow Tables

This method uses rainbow tables: pre-computed tables of hash values for a large set of possible passwords, compressed into hash chains so that they fit on disk. They do not reverse the hash function; they trade storage for time, so an attacker who has paid the computation cost once can look up a captured hash and read off the plain-text password. Rainbow tables only work against unsalted hashes: with a random per-user salt the attacker would need a separate table for every salt value, which is infeasible.

3. Hybrid Attacks

A hybrid attack combines a dictionary attack with brute-force style mutations: it takes each dictionary word and appends or prepends numbers and special characters, changes capitalisation, or substitutes look-alike characters (password becomes Password1! or P@ssw0rd). It targets exactly the "memorable word plus a twist" passwords that people create to satisfy complexity rules.
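The hashing concept and the three attack types above, worked through in one added Python example. This is not code from the original article or from OkularID: a constructed mini wordlist (WORDLIST) stands in for a real leaked-password dictionary, unsalted SHA-256 plays the fast hash, a dictionary of precomputed hashes is the simplified form of a rainbow table (real tables compress this into hash chains), and PBKDF2-HMAC-SHA256 with a random per-user salt shows why salted slow hashing defeats both precomputation and fast guessing. The names WORDLIST, SUFFIXES, hybrid_candidates and the other helpers are this example's own.

```python
import hashlib
import secrets

# Constructed sample wordlist standing in for a leaked-password dictionary
# (real lists run to millions of entries).
WORDLIST = ["password", "letmein", "qwerty", "dragon", "sunshine", "football", "welcome"]

# Hybrid rules: suffixes people commonly append to a dictionary word.
SUFFIXES = [""] + [str(n) for n in range(100)] + ["!", "!!", "@", "#", "123", "2022", "2023"]


def keyspace(charset_size: int, length: int) -> int:
    """Number of passwords of exactly `length` characters over a charset of `charset_size`."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time for a brute force at the given rate (an offline attack on a fast hash)."""
    return keyspace(charset_size, length) / guesses_per_second


def fast_hash(password: str) -> str:
    """Unsalted SHA-256, a fast general-purpose hash. One-way, but cheap enough that an
    attacker can test millions of guesses per second and precompute lookup tables."""
    return hashlib.sha256(password.encode()).hexdigest()


def dictionary_attack(target_hash: str, words=WORDLIST):
    """Hash every wordlist entry and compare; succeeds only if the password is in the list."""
    for word in words:
        if fast_hash(word) == target_hash:
            return word
    return None


def hybrid_candidates(words=WORDLIST, suffixes=SUFFIXES):
    """Dictionary words plus common mutations: capitalisation, leet substitutions, suffixes."""
    for word in words:
        leet = word.replace("a", "@").replace("o", "0").replace("e", "3")
        for base in (word, word.capitalize(), word.upper(), leet):
            for suffix in suffixes:
                yield base + suffix


def hybrid_attack(target_hash: str):
    """Dictionary attack over the mutated candidate set."""
    for candidate in hybrid_candidates():
        if fast_hash(candidate) == target_hash:
            return candidate
    return None


def build_lookup_table(candidates) -> dict:
    """Precomputed hash -> plaintext table. A rainbow table compresses this into chains to
    save disk, but the principle is the same: pay the hashing cost once, look up many times."""
    return {fast_hash(c): c for c in candidates}


def table_lookup(table: dict, target_hash: str):
    """Instant answer for any hash that was precomputed, None otherwise."""
    return table.get(target_hash)


def slow_salted_hash(password: str, salt: bytes, iterations: int = 600_000) -> str:
    """PBKDF2-HMAC-SHA256 with a per-user random salt and a high iteration count: the salt
    makes every precomputed table useless and the iterations make each guess expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def store_password(password: str) -> tuple:
    """What a password store should keep: (salt, slow salted hash), never the password."""
    salt = secrets.token_bytes(16)
    return salt, slow_salted_hash(password, salt)


def verify_password(password: str, salt: bytes, stored_hash: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return secrets.compare_digest(slow_salted_hash(password, salt), stored_hash)


if __name__ == "__main__":
    print("62^8 keyspace:", keyspace(62, 8),
          "- seconds at 1e10 guesses/s:", seconds_to_exhaust(62, 8, 1e10))
    leaked = fast_hash("Dragon99")  # unsalted hash as pulled from a breached database
    print("dictionary:", dictionary_attack(leaked))  # not in the raw wordlist
    print("hybrid:", hybrid_attack(leaked))          # found via capitalise + suffix rule
    table = build_lookup_table(hybrid_candidates())
    print("table lookup:", table_lookup(table, fast_hash("sunshine!")))
    salt, stored = store_password("Dragon99")
    print("salted hash in table:", table_lookup(table, stored))
    print("verify:", verify_password("Dragon99", salt, stored))
```

The same password "Dragon99" survives the plain dictionary attack and falls to the hybrid rules, and every hybrid candidate is answerable instantly once the table is built; the salted PBKDF2 value of that same password is not in the table, and a second call to store_password gives a different value again, which is the property that makes precomputation pointless. The iteration count is a cost knob: raise it until a verification takes as long as your login path can tolerate, since the attacker pays the same cost per guess.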


Summary

As you have seen, storing anything that can be guessed with widely available techniques leaves users vulnerable to attack. With computing power growing cheaper every year, the threat is more imminent than ever. It is time for the world to move to password-less authentication, which renders these techniques useless and protects the user against such attacks.


OkularID is a unique digital identity management platform to authenticate and validate user credentials in the digital space. It is promoted by Aikaki Limited, focused on developing a user-centric digital identity wallet enabling users to share their credentials and digital assets and securely sign documents.







