
Unhashing Passwords: Asst. Prof. Rajesh Dhakad Rhythum Tamra

This document discusses password cracking and summarization techniques. It begins by noting that password cracking is challenging but important for digital forensic investigations. Common password patterns are then discussed, such as using personal information, dates, numbers, or following patterns like capitalization. Password hashing techniques are also summarized, including the use of salts and peppers to increase security. Finally, existing password cracking approaches are briefly outlined, such as dictionary attacks, brute force attacks, and rainbow tables. The document aims to improve dictionary attack success rates by considering common password patterns and personal information.

Uploaded by

rhythumt

Unhashing Passwords

Asst. Prof. Rajesh Dhakad
Department of Computer Engineering
S.G.S.I.T.S. Indore, India
Email Id: [email protected]

Rhythum Tamra
Department of Computer Engineering
S.G.S.I.T.S. Indore, India
Email Id: [email protected]

Abstract—In order to investigate various cyber crime cases, digital forensic examiners are required to forensically analyze digital data. Occasionally, investigators come across files which are password protected, so they need to crack passwords to gain access to the data kept inside the files. Password cracking is not a simple task; it involves various challenges. It is difficult to understand a person's thought process when creating a password, and each of us creates passwords in a different manner. Still, some resemblances exist. Almost everyone makes use of information related to their personal life and the people close to them while creating a password, to make it memorable. Another similarity is that people make use of certain patterns to keep their password secure as well as unforgettable. This research focuses on such similarities. Various password patterns are exploited by taking the user's personal information into account while creating a wordlist of possible passwords, which can be used by digital forensic investigators to crack passwords. This work also aims to spread awareness that just combining one's personal information with certain patterns doesn't make a password secure. Such combinations are easily guessable, as a hacker can easily acquire our personal information using social engineering and use it to crack our passwords and gain access to our personal data or our social accounts.

Index Terms: Cracking Passwords, Dictionary Attacks, Social Engineering, Password Profiling, Security, Digital Forensics, Password Security, Password Guessability, Password Hashes.

I. INTRODUCTION

The use of passwords for securing data has long been a usual practice for many computer users. Passwords are generally treated as a security mechanism to preserve the confidentiality and privacy of data and files on computers. Various applications, software, files, spreadsheets etc. make use of passwords for security purposes. Password protection not only guarantees the authentication of the user accessing the information or files, but in most cases it also supports encryption of the protected entity by using the password as the secret key in a symmetric-key cryptographic algorithm. Encryption makes sure that the data remains confidential and secure, such that access to the information can only be given to a legitimate user. Therefore any person who doesn't possess the password won't be able to gain access to the data or information.

Password hashing is an encryption technique through which we can encrypt our passwords using a hash algorithm. A hash algorithm, also known as a cryptographic hash function, is a function that converts a data string of any length into an alphanumeric output string of fixed length; such functions are also known as one-way functions. This is great for preventing passwords from being compromised, because passwords should be stored in such a form that even if the password file itself is compromised, the passwords remain unreadable and access to the information by an illegitimate user is prevented. If two users keep the same password, then their password hashes will also match. This can be prevented by randomizing each hash, such that if the same password is hashed twice, each hash is different. Hashes can be randomized by appending or prefixing a random string, known as a Salt, to the password before hashing. A salt is a random value (it can be a text, numeric or alphanumeric string) that is provided as an input to the hash function used to encrypt a password. A new salt is randomly generated for each password and is stored in the database along with the password hash. To create a rainbow table, an attacker has to try all possible combinations with each and every salt available. This greatly increases protection against the identification of insecure passwords, as it is infeasible to create a rainbow table for every possible salt. There is one more term, called Pepper. A pepper is a static value stored separately from the database (usually hard-coded in the application's source code) which is intended to be a secret. It is used so that a compromise of the database would not cause the entire application's password table to be brute forced.

Even if these hashes seem to be secure, they are crackable. Many tools and techniques exist which can recover passwords in their plain text form from their encrypted hash. Some of the most common techniques used today are password decryption, brute-force attacks, dictionary attacks and rainbow tables. The password decryption technique focuses on the weakness of the hashing algorithm used to create and store the password hashes. If the hashing algorithm in use is not strong enough or if it is implemented incorrectly, then it is possible to crack any password, regardless of its strength. Brute force attacks are used when the hash algorithm in use is strong enough and it is impossible to decrypt the password. Here each and every possible combination of letters, numerals and special characters is used for password cracking. It is very time consuming. In a dictionary attack, words from a dictionary are used in order to guess password hashes. All the words present in the dictionary are hashed and matched against the given hash value. If a match is found, then the password in plain text is obtained. There are chances of this attack being unsuccessful, since not all possible combinations of words are tried. In a rainbow table attack, hash values of a large number of passwords are pre-computed and stored alongside their plain-text form in a table. The attacker checks the available hash value against the hash values present in the pre-computed table. If a match is found, the attacker gets to know the password in plain text.

In this paper a method is proposed to improve the success rates of dictionary attacks. Usually, people aren't very good at recalling passwords. They mostly choose as a password either their pet's name or a friend's name or information related to their relatives. A password can also be comprised of dates (marriage date, date of birth), contact numbers, car registration number and other simple combinations like 123456, abcdef, qwerty etc. People also follow several similar patterns, like capitalizing the first letter, appending or prefixing certain numbers or special characters to a dictionary word or their name, or replacing a character/word with either a number or a special character. People are also hesitant to use more than one or two passwords for everything, so if a password can be guessed for one file or application or website, it may work on others also. A huge number of leaked passwords were studied and analyzed in order to find out various patterns and the way people use their personal information to form a password. A software tool, PBPP (Pattern based Password Profiler), is developed, which takes as input a user's personal profile and generates a wordlist of probable passwords formed by applying certain combinations to the user's personal information, like combining their birth date and name, and many more. Further, this wordlist can be given as input to the Affixing Patterns module of the tool, where it will apply certain patterns to each and every word of the wordlist and generate a patterned wordlist of passwords. Dictionary files can also be given as input to this module.

II. MOTIVATION

Much research has been conducted in the past in the field of password security and password cracking. This research has been motivated by one such work, done by Emin Islam Tatli [1]. His research tool, PBP (Pattern based Password) Generator, makes use of a combination of dictionary words and multiple patterns (analysed from leaked passwords) like Appending, Prefixing, Inserting, Replacing, Sequencing, Replacing, Reversing, Capitalizing, Special Format & Mixed Pattern, to generate a unique pattern based password list whose hashes can help forensic investigators in cracking passwords. His approach of applying patterns to dictionary words gave rise to our Affixing Patterns module.

The idea for the Password Profiler module was conceived from a mere observation. It happened when a known person's password on a social networking site matched their friend's name. This gave rise to the thought of collecting a person's personal information through social engineering and then using it to form combinations, which can prove to be one of their passwords. People these days make use of either their personal information or a dictionary word, along with applying some common patterns to them, to make a password both memorable and secure.

III. EXISTING APPROACHES AND TOOLS

The previous research indicated in this section has been performed mostly in the fields related to password cracking, digital forensics and password security. All the existing studies assessed below are inclined towards enhancing the efficiency of cracking passwords.

R. Veras, J. Thorpe, and C. Collins [2] analyzed password patterns, but their research was limited only to numbers and various date patterns used by users in their passwords.

T. Wu [3] studied the password security of a Kerberos domain consisting of 25 thousand users. Their work included cracking passwords including dictionary words, along with applying some patterns on them, like Suffixing, Prefixing, Capitalizing, Doubling and Reversing.

S. Houshmand and S. Aggarwal [4] proposed a new system, namely AMP (Analyzer and Modifier for Passwords), which analyses a password's strength by evaluating the possibility of it being cracked. They then apply some modifications, some patterns, to the weak password in order to increase its strength, thereby creating a strong password.

M. L. Mazurek et al. [5] studied and analyzed the passwords of around 25 thousand members (including faculty, general staff and students) of a university. During their analysis they found that some members of the university population create more secure passwords than others. For example, passwords of computer science students are 1.8 times stronger than those of the business school students.

Simon Marechal [6] studied several techniques used in various tools in order to improve the process of cracking passwords. His work also addresses the problems faced in implementation and algorithmic optimizations, the use of the Markov chains tool and special purpose hardware.

CUPP (Common User Password Profiler) [7] is a cross platform tool that creates a wordlist by taking into account a person's personal profile. CUPP asks the user questions like their name, their spouse's name, their child's name, etc. and then generates a password wordlist based on the entered information.

WYD (Who's Your Daddy) [8] is a tool which extracts strings or words from the directories and files supplied to it. It parses the files according to their types and extracts useful information from them, like their name, description, content etc.

IV. PROPOSED APPROACH

The proposed module takes a user's profile into account and generates a possible word-list of passwords. The proposed tool is composed of 3 different modules, namely, Password Profiler, Affixing Patterns and Hash Value Generator. Each module functions independently. The subsequent sections explain the working of each individual module.
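The salting and peppering described in the Introduction, as an added example that is not part of the paper: it shows that unsalted hashes of equal passwords collide and fall to a precomputed table, while per-password salts and a pepper kept outside the database do not. PBKDF2-HMAC-SHA256, the HMAC step for the pepper, the function names and the sample values are assumptions of this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000                  # assumption: PBKDF2 work factor for the demo
PEPPER = b"constructed-demo-pepper"   # constructed; in practice kept outside the database


def unsalted_hash(password: str) -> str:
    """Plain SHA-256: equal passwords always give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def derive(password: str, salt: bytes, pepper: bytes) -> bytes:
    """Mix in the secret pepper with HMAC, then run a salted, slow KDF."""
    peppered = hmac.new(pepper, password.encode(), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", peppered, salt, ITERATIONS)


def make_record(password: str, pepper: bytes = PEPPER) -> dict:
    """Database row: a fresh random salt is stored next to the hash."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "hash": derive(password, salt, pepper).hex()}


def verify(password: str, record: dict, pepper: bytes = PEPPER) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    expected = bytes.fromhex(record["hash"])
    return hmac.compare_digest(derive(password, salt, pepper), expected)


def demo() -> dict:
    password = "Rover@123"            # constructed sample password
    # Stand-in for a precomputed table: unsalted hash -> plain text.
    table = {unsalted_hash(w): w for w in ["qwerty", "123456", password]}
    alice, bob = make_record(password), make_record(password)
    return {
        "unsalted_equal": unsalted_hash(password) == unsalted_hash(password),
        "table_hits_unsalted": table.get(unsalted_hash(password)) == password,
        "salted_equal": alice["hash"] == bob["hash"],
        "table_hits_salted": alice["hash"] in table,
        "login_ok": verify(password, alice) and verify(password, bob),
        "wrong_password_ok": verify("Rover@124", alice),
        # Database stolen but pepper unknown: even the right password fails.
        "wrong_pepper_ok": verify(password, alice, pepper=b"guessed-pepper"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```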
A. Password Profiler

Fig. 1: Architecture of PBPP (Pattern Based Password Profiler)

This module takes the user's information as input and then generates a unique word-list of probable passwords formed using combinations of the user-supplied information, as humans generally include their surroundings or their personal profile in their passwords.

Information entered about the suspect (user) is:
• Suspect's name, nickname, DOB, contact and email.
• Parent's name, nickname, DOB and contact.
• Sibling's name, nickname, DOB and contact.
• Spouse's name, nickname, DOB and contact.
• Children's name, nickname, DOB and contact.
• Friend's name.
• Pet's name.
• Vehicle number.
• Keywords related to suspect (like Doctor, Engineer, Foodie etc.)

1) Algorithm to implement Password Profiler:
• Input: Suspect's information.
• Output: Text file containing possible passwords in plain text, based on suspect's profile; with each password on a new line.
• Algorithm:
  – Step 1: Store information entered by user in variables.
  – Step 2: Apply some combinations on suspect's information and store each word in a file. Combinations such as:
    1) Reversing each word
    2) Combining name and date of birth
    3) Combining first name, last name and nickname
    4) Combinations from date of birth
    5) Combining keywords with other information etc.
  – Step 3: Remove duplicate words.

B. Affixing Patterns

Guidelines for a secure password as specified by various sites include that it should be a combination of letters, numbers and special characters, that it should contain a capital letter too, and that it should be at least 8 characters in length. But what we are unaware of is that making use of certain patterns in order to fulfill these guidelines won't make our password secure. We often use patterns like appending or prefixing a string after or before a dictionary word (like 123, @123, 123#, etc.), capitalizing either the first or last letter, replacing a letter with either a number or a special character, reversing a dictionary word, making use of keyboard sequences (e.g. qwerty, 12345) etc. while creating our password. But these patterns can be used to generate a word-list of pattern based passwords, which in turn can be used for cracking passwords. This is what the "Affixing Patterns" module does.

This module takes as input a text file, which can be a dictionary file, and applies some patterns on each and every word of the text file. As output we get a text file consisting of a word-list of unique pattern based passwords.

1) Algorithm to implement Affixing Patterns:
• Input: Text file including words to be patterned; with each word on a new line.
• Output: Text file containing words with patterns applied on them; with each word on a new line.
• Algorithm:
  – Step 1: Read words from the text file.
  – Step 2: Apply patterns on each and every word and store it in another file. Patterns applied are:
    1) Appending number combinations, special characters, dates
    2) Prefixing number combinations, special characters, dates
    3) Reversing a word
    4) Capitalizing first, second, last, second-last, all letters of a word
    5) Replacing certain letter or word with digits or special characters
    6) Mixed Patterns including combination of above mentioned patterns
  – Step 3: Remove duplicate words.

C. Hash Generator

This module takes as input a text file containing words in plain text (each word on a new line) along with the hash algorithm to be applied and then outputs a text file containing hash values of those words.

1) Algorithm to implement Hash File Generator:
• Input: Text file including words to be hashed; with each word on a new line and the hash algorithm to be applied.
• Output: Text file containing hash values of words; with each hash value on a new line.
• Algorithm:
  – Step 1: Read words from the text file.
  – Step 2: Apply the specified hash algorithm on each word of the file.
  – Step 3: Simultaneously store each hash value on a new line in another text file.

V. TESTING AND RESULTS

The experiments were performed to compare the number of passwords being cracked through existing approaches and the proposed approach. For this purpose the personal information of 125 people and their passwords were used. The Hashcat tool was used for cracking passwords along with the wordlist generated by the proposed approach.

A. Testing on the Proposed Approach

The performance of the proposed approach is tested by executing the proposed model on a large audience. The procedure followed in testing is as follows:
• A Google form asking for a person's personal information was made and circulated.
• This information was then entered into the Password Profiler module of PBPP. A text file (UniqueSuspect'sProfile.txt) containing a possible password wordlist formed using the user's personal information was generated.
• UniqueSuspect'sProfile.txt was then provided as input to the Affixing Patterns module. A text file (UniquePatterns.txt) containing a wordlist of patterns applied to the words of the input file is generated.
• A text file is made consisting of passwords provided by the users in the Google form. This text file is given as input to the Hash File Generator module along with the hash algorithm to be applied. A text file (Hash File.txt) is generated which consists of hash values of the words present in the input file.
• Various dictionary files were also provided as input to the Pattern Generator module, as a password can also be formed by using a dictionary word, with some patterns applied on it.
• Various dictionary files along with the suspect's wordlist generated by the tool and Hash File.txt (hash file of passwords supplied by people in the Google form) were provided as input to the Hashcat tool.
• A match found would result in a password being cracked.

B. Results

The results obtained after testing were as follows:
• Out of 125 people, 92 people's passwords were cracked, which means a success rate of 73.6% was achieved by PBPP.
• Out of those 73.6%, 89.13% of passwords were cracked using User's profile, and the rest 10.86% using Dictionary files.
• On the same data, other password cracking tools gave the following results:
  – CUPP: 36% passwords were cracked.
  – Wyd: 0% passwords were cracked.
  – Pbp Generator: 10.4% passwords were cracked.

C. Discussion

As per the observations from testing done on various persons, the proposed approach gives better results in terms of more passwords being cracked and higher accuracy being achieved. The improvement in the number of passwords being cracked is due to the increased wordlist, password profiling and affixing patterns.

VI. CONCLUSION AND FUTURE WORK

The development of tools for password cracking has greatly increased in order to assist digital forensic investigators. However, most of these tools focus on cracking passwords in general rather than targeting the person whose password is to be cracked. This research has focused on cracking a password through a person's profile along with dictionary files.

The tests performed clearly showed that people mostly include their surroundings or certain patterns in their passwords in order to keep them memorable rather than secure. PBPP takes into account both a person's profile and dictionary files to crack a person's password. It can generally help digital forensic investigators crack passwords more efficiently as compared to the existing techniques.

The proposed approach has the following limitations:
• The proposed approach is not time efficient. It focuses more on accuracy.
• The proposed approach isn't 100% successful in cracking passwords, as it can't crack random passwords that do not include any dictionary word, do not relate to the suspect's personal profile, or do not include a pattern.

The future directions for this research include:
• New patterns can be added along with the extended ones.
• More information related to a suspect can be included.
• The proposed approach can be made more time efficient.

REFERENCES

[1] Emin Islam Tatli, "Cracking More Password Hashes with Patterns" in IEEE Transactions on Information Forensics and Security, Vol. 10, No. 8, August 2015.
[2] R. Veras, J. Thorpe, and C. Collins, "Visualizing semantics in passwords: The role of dates" in Proc. 9th Int. Symp. Vis. Cyber Secur. (VizSec), 2012, pp. 88-95.
[3] T. Wu, "A real world analysis of Kerberos password security" in Proc. Netw. Distrib. Syst. Secur. Symp., 1999 [Online].
[4] S. Houshmand and S. Aggarwal, "Building better passwords using probabilistic techniques" in Proc. 28th Annu. Comput. Secur. Appl. Conf. (ACSAC), 2012, pp. 364-372.
[5] M. L. Mazurek et al., "Measuring Password guessability for an entire university", in Proc. ACM SIGSAC Conf. Comput. Commun. Secur. (CCS), 2013, pp. 173-186.
[6] Simon Marechal, "Advances in Password Cracking", in Journal of Computer Virology and Hacking Techniques, Springer, February 2008, Volume 4, Issue 1, pp. 73-81.
[7] McClure, S., Scambray, J. and Kurtz, G. (2009). "Hacking Exposed 6: Network Security secrets and solutions." U.S.A.: McGraw Hill.
[8] GitHub - Mebus/cupp: Common User Password Profiler (CUPP) [Online]. Available: https://github.com/Mebus/cupp
[9] Wyd - Automated Password Profiling Tool [Online]. Available: https://www.darknet.org.uk/2006/11/wyd-automated-password-profiling-tool/
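
A defender-side use of the patterns in Section IV (Password Profiler combinations and Affixing Patterns), as an added example that is not part of the paper or of PBPP: rather than generating a wordlist, it undoes the patterns on a candidate password at set-time or in an audit and reports whether what remains is built from the user's own profile or a dictionary word. The substitution table, function names and sample profile are assumptions constructed for illustration.

```python
import re

# Assumption: substitution table for the "replacing" pattern (the paper lists none).
SUBST = str.maketrans("@4310$57!", "aaeiossti")

# Constructed sample profile, using the kinds of fields the Password Profiler collects.
SAMPLE_PROFILE = {"name": "Asha Verma", "dob": "14/02/1990",
                  "pet": "Rover", "keyword": "Doctor"}


def profile_tokens(profile):
    """Lower-case words (3+ letters) and digit groups taken from profile values."""
    tokens = set()
    for value in profile.values():
        tokens.update(w.lower() for w in re.findall(r"[A-Za-z]{3,}", value))
        digits = re.findall(r"\d+", value)
        tokens.update(d for d in digits if len(d) >= 2)
        if len(digits) > 1:
            tokens.add("".join(digits))        # 14/02/1990 -> 14021990
    return tokens


def core_variants(core):
    """Undo capitalizing, replacing and reversing; yield (word, patterns undone)."""
    base = core.lower()
    caps = ["capitalizing"] if core != base else []
    for word, extra in ((base, []), (base.translate(SUBST), ["replacing"])):
        yield word, caps + extra
        yield word[::-1], caps + extra + ["reversing"]


def built_from(word, tokens):
    """True if word is one token, or two tokens joined (the profiler's combining step)."""
    if word in tokens:
        return True
    return any(word[:i] in tokens and word[i:] in tokens for i in range(1, len(word)))


def guessable(password, profile, dictionary=()):
    """Return the patterns that reduce password to known words, or None if none do."""
    tokens = profile_tokens(profile) | {w.lower() for w in dictionary}
    prefix, core, suffix = re.fullmatch(
        r"([^A-Za-z]*)(.*?)([^A-Za-z]*)", password, re.DOTALL).groups()
    splits = [(password, [])]                  # first try the password as a whole
    if prefix or suffix:                       # then with digit/special affixes removed
        affix = (["prefixing"] if prefix else []) + (["appending"] if suffix else [])
        splits.append((core, affix))
    for text, affix in splits:
        for word, patterns in core_variants(text):
            if word and built_from(word, tokens):
                return sorted(set(affix + patterns)) or ["plain"]
    return None


if __name__ == "__main__":
    for candidate in ["Rover@123", "r3v0R#1990", "AshaRover", "kT9#vLq2xW"]:
        print(candidate, "->", guessable(candidate, SAMPLE_PROFILE))
```

A non-None result means the password meets typical composition rules yet reduces to profile or dictionary words, which is the weakness the paper's results measure.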
