Unhashing Passwords
Asst. Prof. Rajesh Dhakad
Department of Computer Engineering
S.G.S.I.T.S. Indore, India
Email Id:
[email protected]
Email Id:
[email protected]
Abstract—In order to investigate various cyber crime cases,
digital forensic examiners are required to forensically analyze
the digital data. Occasionally, the investigators come across files
which are password protected. Therefore, they need to crack
passwords to gain access to the data kept inside the files.
Password cracking doesn’t appear to be a simple task, it involves
various challenges. It’s difficult to understand a person’s thought
process, how a person creates a password. Each and every one
of us has a different manner in which we create our password.
But still there exists some resemblance. Almost everyone make
use of information related to their personal life, people close to
them while creating a password, to make it a memorable one.
One more similarity is that, people also make use of certain
patterns to keep their password secure as well as unforgettable.
This research focuses towards such similarities. Various password
patterns are exploited by taking user’s personal information into
account while creating a wordlist of possible passwords which can
be used by Digital Forensic Investigators to crack passwords.
This work also aims to spread awareness among people that by
just combining one’s personal information with certain patterns
doesn’t make a password secure. Such combinations are easily
guessable as a hacker can easily acquire our personal information
using social engineering and can use this to crack our passwords
and gain access to our personal data or our social accounts.
Index Terms- Cracking Passwords, Dictionary Attacks, Social
Engineering, Password Profiling, Security, Digital Forensics,
Password Security, Password Guessability, Password Hashes.
I. INTRODUCTION
The use of passwords for securing data has been a usual
practice for many computer users since long back. Passwords
are generally treated as a security mechanism to preserve the
confidentiality and privacy of data and files on computers.
Various applications, softwares, files, spreadsheets etc. make
use of passwords for security purposes. Password protection
not only guarantees the authentication of the user accessing the
information or files, but in most cases it supports encryption of
the entity which needs protection by considering password as
a secret key in symmetric key based cryptography algorithm.
Encryption makes sure that the data remains confidential and
secure, such that access to the information can only be given to
a legitimate user. Therefore any person, who doesn’t possess
the password, won’t be able to gain access to the data or
information.
Password hashing is an encryption technique through which
we can encrypt our passwords using a hash algorithm. A
hash algorithm also known as cryptographic hash function
is a function that converts an any length data string into an
Rhythum Tamra
Department of Computer Engineering
S.G.S.I.T.S. Indore, India
alphanumeric string output of fixed length; therefore they are
also known as one-way functions. This is great for prevent-
ing passwords from being compromised, because passwords
should be stored in such a form that even if the password
file itself is compromised, passwords remain unreadable and
access to the information by illegitimate user is prevented.
If two users keep the same password, then their password
hashes will also match. This can be prevented by randomizing
each hash, such that if the same password is hashed twice,
then each hash is different. Hashes can be randomized by
appending or prefixing a random string, known as Salt, to the
password before hashing. A salt is a random value (can be a
text, numeric or an alphanumeric string) that is provided as an
input to the hash function used to encrypt a password. A new
salt is randomly generated for each password and is stored
in the database along with the password hash. For creating a
rainbow table, an attacker has to try all possible combinations
with each and every salt available. This greatly increases the
protection of identifying insecure passwords and still has a
positive benefit, as it is infeasible to create a rainbow table
for every possible salt. There is one more term called Pepper.
A pepper is a static value stored separately from the database
(usually hard-coded in the application’s source code) which
is intended to be a secret. It is used so that a compromise of
the database would not cause the entire application’s password
table to be brute forced.
Even if these hashes seem to be secure, they are crackable.
Many tools and techniques exists which can recover the
passwords in their plain text form back from their encrypted
hash. Some of the most common techniques used today are
password decryption, brute-force attacks, dictionary attacks
and rainbow tables. Password decryption technique focuses
on the weakness of the hashing algorithm used to create and
store the password hashes. If the hashing algorithm in use is
not strong enough or if it is implemented incorrectly, then it
is possible to crack any password, regardless of its strength.
Brute force attacks are used when the hash algorithm in use
is strong enough and it is impossible to decrypt the password.
Here each and every possible combination of alphabets, nu-
merals and special characters is used for password cracking. It
is very time consuming. In a Dictionary attack, words from a
dictionary are used in order to guess password hashes. All the
words present in the dictionary are hashed and matched against
the given hash value. If a match is found then the password in
plain-text is obtained. There are chances of this attack being passwords. And people these days make use either of their
unsuccessful, since all possible combinations of words are not personal information or dictionary word, along with applying
tried. In a rainbow table attack, hash values of large number some common patterns on them, to make a password both
of passwords are pre-computed and stored corresponding to memorable and secure.
their plain-text form in a table format. The attacker checks for
the available hash value against the hash values present in the III. EXISTING APPROACHES AND TOOLS
pre-computed table. If a match is found, the attacker gets to Previous researches, indicated in this section, have been
know the password in plaintext. performed mostly in the fields related to password cracking,
digital forensics and password security. All the existing studies
In this paper a method is proposed to improve the success
assessed below are inclined towards enhancing the efficiency
rates of dictionary attacks. Usually, people aren’t very good
of cracking passwords.
at recalling passwords. They mostly choose a password as
R. Veras, J.Thrope, and C. Collins[2] analyzed password
either their pet’s name or friend’s name or information related
patterns, but their research was limited only to numbers and
to their relatives. A password can also be comprised of dates
various date patterns used by user’s in their passwords.
(marriage date, date of birth), contact numbers, car registration
T. Wu[3] studied the password security of a Kerberos
number and other simple combinations like, 123456, abcdef,
domain consisting of 25 thousand users. Their work included
qwerty etc. People also follow several similar patterns like
cracking passwords including dictionary words, along with
capitalizing first alphabet, appending or prefixing a certain
applying some patterns on it, like Suffixing, Prefixing, Capi-
numbers or special characters to a dictionary word or their
talizing, Doubling and Reversing.
name or replacing a character/word with either a number or
S. Houshmand and S. Aggarwal[4] proposed a new system,
a special character. People are also hesitant to use more than
namely AMP (Analyzer and Modifier for Passwords) which
one or two passwords for everything, so if a password can be
analyses a password’s strength by evaluating the possibility of
guessed for one file or application or website, it may work
it being cracked. They then apply some modifications, some
upon others also. A huge number of leaked passwords were
patterns to the weak password in order to increase its strength,
studied and analyzed in order to find out various patterns
thereby creating a strong password.
and the way people use their personal information to form
M. L. Mazurek et al.[5] studied and analyzed the passwords
a password. A software tool is developed, namely, PBPP
of around 25 thousand members (including faculties, general
(Pattern based Password Profiler), which takes as input user’s
staff and students) of a university. During their analysis they
personal profile and generate a wordlist of probable passwords
found that few members of the university population create
formed using applying certain combinations on user’s personal
more secure passwords than others. For example, passwords
information, like combining their birth date and name and
of computer science students are 1.8 times stronger than that
many more. Further this wordlist can be given as input to
of the business school students.
the Affixing Patterns module of the tool, where it will apply
Simon Marechal[6] studied several techniques used in
certain patterns to each and every word of the wordlist and
various tools in order to improve the process of cracking
generates a patterned wordlist of passwords. Dictionary files
passwords. His work also addresses the problems faced in
can also be given as input to this module.
implementation and algorithmic optimizations, the use of the
II. MOTIVATION Markov chains tool and special purpose hardware.
CUPP (Common User Password Profiler) [7] is a cross
Many researches have being conducted in the field of
platform tool that creates a wordlist by taking into account
password security and password cracking, in the past. This
a person’s personal profile. CUPP asks user questions like
research has been motivated by one such research, done by
their name, their spouse’s name, their child’s name, etc. and
Emin Islam Tatli [1]. His research tool, PBP (Pattern based
then generates a password wordlsit based on the entered
Password) Generator makes use of a combination of dictionary
information.
words and multiple patterns (analysed from leaked passwords)
WYD (Who’s Your Daddy) [8] is a tool which extracts
like Appending, Prefixing, Inserting, Replacing, Sequencing,
strings or words from the directories and files supplied to it.
Replacing, Reversing, Capitalizing, Special Format & Mixed
It parses the files according to their types and extracts useful
Pattern, to generate a unique pattern based password list whose
information from them, like their name, description, content
hashes can help forensic investigators in cracking passwords.
etc.
His approach to apply patterns to dictionary words, gave rise
to our Affixing Patterns module. IV. PROPOSED APPROACH
The idea for Password Profiler module was conceived by a The proposed module takes a user’s profile into account and
mere observance. It happened when a known person’s pass- generates a possible word-list of passwords. The proposed tool
word on a social networking site matched their friend’s name. is composed of 3 different modules, namely, Password Profiler,
This gave rise to the thought of collecting, a person’s personal Affixing Patterns and Hash Value Generator. Each module
information through social engineering and then using it to functions independently. The subsequent sections explain the
form combinations, which can be proved to be one of their working of individual module.
A. Password Profiler
Fig. 1: Architecture of PBPP (Pattern Based Password
Profiler)
This module takes user’s information as input and will then
generate a unique word-list of probable passwords formed
using combinations of user supplied information. As humans
generally include their surroundings or their personal profile
in their passwords.
Information entered about suspect (user) is:
• Suspect’s name, nickname, DOB, contact and email.
• Parent’s name, nickname, DOB and contact.
• Sibling’s name, nickname, DOB and contact.
• Spouse’s name, nickname, DOB and contact.
• Children’s name, nickname, DOB and contact.
• Friend’s name.
• Pet’s name.
• Vehicle number.
• Keywords related to suspect (like Doctor, Engineer,
Foodie etc.)
1) Algorithm to implement Password Profiler:
• Input: Suspect’s Information.
• Output: Text file containing possible passwords in plain
text, based on suspect’s profile; with each password on a
new line.
• Algorithm:
– Step 1: Store information entered by use in variables.
– Step 2: Apply some combinations on suspect’s infor-
mation and store each word in a file. Combinations
such as:
1) Reversing each word
2) Combining name and date of birth
3) Combining first name, last name and nickname
4) Combinations from date of birth
5) Combining keywords with other information etc.
– Step 3: Remove duplicate words.
B. Affixing Patterns
Guidelines for a secure password as specified by various
sites include that it should be a combination of alphabets,
numbers and special characters, it should contain a capital
alphabet too and that it should be at least 8 characters in
length. But what we are unaware of is, that by making use of
certain patterns in order to fulfill these guidelines won’t make
our password secure. We often use patterns like appending
or prefixing a string after or before a dictionary word (like
123, @123, 123#, etc.), capitalizing of either first or last
alphabet, replacing an alphabet with either a number or a
special character, reversing a dictionary words, making use of
keyboard sequences (eg. qwerty, 12345) etc. while creating our
password. But these patterns can be used to generate a word-
list of pattern based passwords which in turn can be used
for cracking passwords. This is what the module ”Affixing
Patterns” does.
This module takes as input a text file which can be a
dictionary file and apply some patterns on each and every
word of the text file. As output we get a text file consisting
of a word-list of unique pattern based passwords.
1) Algorithm to implement Affixing Patterns:
• Input: Text file including words to be patterned; with
each word on a new line.
• Output: Text file containing words with patterns applied
on them; with each word on a new line.
• Algorithm:
– Step 1: Read words from the text file.
– Step 2: Apply patterns on each and every word and
store it in another file. Patterns applied are:
1) Appending number combinations, special char-
acters, dates
2) Prefixing number combinations, special charac-
ters, dates
3) Reversing a word
4) Capitalizing first, second, last, second-last, all
alphabets of a word
5) Replacing certain alphabet or word with digits or
special characters
6) Mixed Patterns including combination of above
mentioned patterns
– Step 3: Remove duplicate words.
C. Hash Generator
This module takes as input a text file containing words
in plain text (each word in a new line) along with the hash
algorithm to be applied and then outputs a text file containing
hash values of those words.
1) Algorithm to implement Hash File Generator:
• Input: Text file including words to be hashed; with each
word on a new line and the hash algorithm to be applied.
• Output: Text file containing hash values of words; with
each hash value on a new line.
• Algorithm:
– Step 1: Read words from the text file.
– Step 2: Apply the specified hash algorithm on each
word of the file.
 – Step 3: Simultaneously store each hash value on a
new line in another text file.
V. TESTING AND RESULTS
The experiments were performed to compare the number of
passwords being cracked through existing approaches and the
proposed approach. For this purpose the personal information
of 125 people and their passwords were used. The Hashcat
tool was used for cracking passwords along with the wordlist
generated by the proposed approach.
A. Testing on the Proposed Approach
The performance of the proposed approach is tested by
executing the proposed model on a large audience. Procedure
followed in testing is as follows:
• Google form asking for a person’s personal information
was made and circulated.
• This information was then entered in to the Pass-
word Profiler module of PBPP. A text file (UniqueSus-
pect’sProfile.txt) containing possible password wordlist
formed using user’s personal information was generated.
• UniqueSuspect’sProfile.txt was then provided as input to
the Affixing Patterns module. A text file (UniquePat-
terns.txt) containing a wordlist of patterns applied to the
words of the input file is generated.
• A text file is made consisting of passwords provided by
the users in the Google form. This text file is given as
input to the Hash File Generator module along with the
hash algorithm to be applied. A text file (Hash File.txt) is
generated which consists hash values of the words present
in the input file.
• Various dictionary files were also provided as input to
the Pattern Generator module, as a password can also be
formed by using a dictionary word, with some patterns
applied on it.
• Various dictionary files along with the suspect’s wordlist
generated by the tool and Hash File.txt (Hash file of
passwords supplied by people in the google form) was
provided as an input to the Hashcat tool.
• A match found would result in a password being cracked.
B. Results
The results obtained after testing were as follows:
• Out of 125 people, 92 people’s passwords were cracked,
which means a success rate of 73.6% was achieved by
PBPP.
• Out of those 73.6%, 89.13% of passwords were cracked
using User’s profile, and the rest 10.86% using Dictionary
files.
• On the same data, other password cracking tools gave the
following results:
– CUPP: 36% passwords were cracked.
– Wyd: 0% passwords were cracked.
– Pbp Generator: 10.4% passwords were cracked.
C. Discussion
As per the observation from testing done on various persons,
the proposed approach gives better results in terms of more
password being cracked and higher accuracy being achieved.
The improvement in number of passwords being cracked is due
to increased wordlist, password profiling and affixing patterns.
VI. CONCLUSION AND FUTURE WORK
The development of tools for password cracking has greatly
increased in order to assist Digital Forensic Investigators.
However, most of these tools focus on cracking passwords in
general rather than targeting on the person whose password
is to be cracked. This research has focused on cracking a
password through a person’s profile along with dictionary files.
The tests performed clearly showed that people mostly
include their surroundings or certain patterns in their pass-
words in order to keep it memorable rather than secure. PBPP
takes into account both a person’s profile and dictionary files
to crack a person’s password. It can generally help digital
forensic investigators for cracking passwords more efficiently
as compared to the existing techniques.
The proposed approach includes following limitations:
• The proposed approach is not time efficient. It focuses
more on accuracy.
• The proposed approach isn’t 100% successful in cracking
passwords. As it can’t crack random passwords that does
not include any dictionary word or which doesn’t relate
to suspect’s personal profile or which doesn’t include a
pattern.
The future directions to this research include:
• New patterns can be added along with the extended ones.
• More information related to a suspect can be included.
• The proposed approach can be made more time efficient.
R EFERENCES
[1] Emin Islam Tatli, “Cracking More Password Hashes with Patterns” in
IEEE transactions on Information Forensics and Security, Vol. 10, No.8,
August 2015..
[2] R. Veras, J.Thrope, and C. Collins, “Visualizing semantics in passwords:
The role of dates” in Proc. 9th Int. Symp. Vis. Cyber Secur. (VizSec),
2012, pp.88-95.
[3] T. Wu, “A real world analysis of Kerberos password security” in Proc.
Netw. Distrib. Syst. Secur. Symo., 1999 [Online].
[4] S. Houshmand and S. Aggarwal, “Building better passwords using
probabilistic techniques” in Proc. 28th Annu. Compu. Secur. Appl. Conf.
(ACSAC), 2012, pp 364-372.
[5] M. L. Mazurek et al., “Measuring Password guessability for an entire
university”, in Proc. ACM SIGAC Conf. Comput. Commun. Secur. (CCS),
2013, pp. 173-186.
[6] Simon Marechal, ”Advances in Password Cracking”, in Journal of
Computer Virology and Hacking Techniques, Springer, February 2008,
Volume 4, Issue 1, pp 73–81 pp. 73-81
[7] McClure, S., Scambray, J. and Kurtz, G. (2009). ”Hacking Exposed 6:
Network Security secrets and solutions.” U.S.A.: McGraw Hill.
[8] GitHub - Mebus/cupp: Common User Password Profiler (CUPP) [On-
line]. Available: https://github.com/Mebus/cupp
[9] Wyd - Automated Password Profiling Tool [Online]. Available:
https://www.darknet.org.uk/2006/11/wyd-automated-password-profiling-
tool/