
2025.02 - Three Password Cracking Techniques and How To Defend Against Them

The document outlines three common password cracking techniques: brute force attacks, dictionary attacks, and rainbow table attacks, explaining how each method works and providing examples of their use in high-profile breaches. It emphasizes the importance of strong, complex passwords and multi-factor authentication as defense measures, along with specific strategies for administrators to enhance security. Additionally, it highlights the role of tools like Specops Password Auditor and Specops Policy in protecting against these vulnerabilities.

Three password cracking techniques and how to defend against them


Passwords are rarely appreciated until a security breach occurs; suffice to say, the
importance of a strong password becomes clear only when faced with the
consequences of a weak one. However, most end users are unaware of just how
vulnerable their passwords are to the most common password cracking
methods. The following are the three common techniques for cracking passwords
and how to defend against them.

Brute force attack


Brute force attacks are straightforward yet highly effective techniques for cracking
passwords. These attacks involve malicious actors using automated tools to
systematically try every possible password combination through repeated login
attempts. While such tools have existed for years, the advent of affordable
computing power and storage has made them even more efficient today, especially
when weak passwords are used.

How it works

When it comes to brute force attacks, malicious actors employ a range of tactics—
from simple brute force attacks that test every possible password combination to
more nuanced approaches like hybrid and reverse brute force attacks. Each method
has a distinct strategy behind it, but the motives behind brute force attacks are the
same: to gain unauthorized access to protected data or resources.

Some popular automated tools for carrying out brute force attacks include:

- John the Ripper: a multiplatform password cracker with support for 15
  different operating systems and hundreds of hashes and cipher types
- L0phtCrack: a tool that uses rainbow tables, dictionaries, and multiprocessor
  algorithms to crack Windows passwords
- Hashcat: a cracking/password recovery utility that supports five unique
  modes of attack for over 300 highly-optimized hashing algorithms

Examples

Back in August 2021, U.S. mobile operator T-Mobile fell victim to a data breach that
started with a brute force attack. The security compromise resulted in the exposure
of over 37 million customer records containing sensitive data like social security
numbers, driver’s license information, and other personally identifiable data.

Defense measures

Users should choose strong, complex passwords and enable multi-factor
authentication (MFA) to protect against brute force attacks. Administrators should
implement account lockout policies and continuously audit their Windows
environments for weak and breached passwords. Tools like Specops Password
Auditor can automate these processes across expansive IT environments.
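The lockout policy recommended above can be sketched as follows. This is an added example, not code from the original article or from any Specops product; it also counts distinct accounts per source address, because the reverse brute force variant mentioned earlier spreads its guesses across accounts and never trips a per-account counter. The thresholds, class name, and sample events are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Assumed policy values for illustration; tune them to your environment.
MAX_FAILURES = 5       # failed logins per account before lockout
MAX_ACCOUNTS = 4       # distinct accounts one source may fail against
WINDOW_SECONDS = 300   # sliding observation window

class LockoutMonitor:
    """Tracks failed logins per account and per source address."""

    def __init__(self):
        self.by_account = defaultdict(deque)  # account -> failure timestamps
        self.by_source = defaultdict(deque)   # source -> (timestamp, account)
        self.locked = set()
        self.flagged_sources = set()

    def record(self, ts, account, source, success):
        """Return False if the attempt is refused before any credential check."""
        if account in self.locked or source in self.flagged_sources:
            return False
        if success:
            self.by_account[account].clear()
            return True
        fails = self.by_account[account]
        fails.append(ts)
        while ts - fails[0] > WINDOW_SECONDS:
            fails.popleft()
        if len(fails) >= MAX_FAILURES:
            self.locked.add(account)
        seen = self.by_source[source]
        seen.append((ts, account))
        while ts - seen[0][0] > WINDOW_SECONDS:
            seen.popleft()
        if len({acct for _, acct in seen}) >= MAX_ACCOUNTS:
            self.flagged_sources.add(source)
        return True

def replay(events):
    monitor = LockoutMonitor()
    for event in events:
        monitor.record(*event)
    return monitor

# Constructed sample events (timestamp, account, source, success); not real logs.
EVENTS = [(t, "alice", "203.0.113.7", False) for t in range(0, 50, 10)]
EVENTS += [(100 + i, user, "198.51.100.9", False)
           for i, user in enumerate(["bob", "carol", "dave", "erin"])]
EVENTS += [(200, "frank", "192.0.2.4", False), (210, "frank", "192.0.2.4", True)]
```

Replaying `EVENTS` locks `alice` after five failures and flags the source that failed against four different accounts, while the single mistyped password for `frank` has no effect.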

Dictionary attack

In a password dictionary attack, cyber attackers try to gain access by using a list of
common passwords or words from a dictionary. This predefined word list typically
includes the most often used words, phrases, and simple combinations (e.g.,
“admin123”). Password dictionary attacks underscore the importance of complex,
unique passwords, as these attack types are especially effective against weak or
easily guessable passwords.

How it works

The process starts with compiling a list of potential passwords from data breaches,
common password lists, or publicly available resources. Using an automated tool,
malicious actors perform a dictionary attack, systematically testing each password
against a target account or system. If a match is found, the hacker can gain access
and carry out subsequent attacks or movements.

Examples

Malicious actors used password dictionaries to crack hashed passwords in several
high-profile security incidents, such as the 2013 Yahoo data breach and the 2012
LinkedIn data breach. This allowed them to steal the account information of billions
of users.

Defense measures

When creating or resetting passwords, users should use a combination of letters,
numbers, and special characters, and avoid using common words or easily
guessable phrases. Administrators can implement password complexity
requirements in their policies to enforce these mandates across the organization.
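A policy check along these lines, as an added example that is not part of the original article: it enforces the letter, number, and special character mix and also rejects passwords built on a common word, since a decorated dictionary word can satisfy the character rules on its own. The deny-list, the substitution map, and the minimum length are constructed assumptions.

```python
import string

# Constructed sample deny-list; a real deployment would load the
# organization's own breached/common password list instead.
COMMON_WORDS = {"admin", "password", "welcome", "qwerty", "letmein"}

# Undo common character substitutions before checking the deny-list.
SUBSTITUTIONS = str.maketrans("013457@$!", "oleastasi")

MIN_LENGTH = 12  # assumed policy value for illustration


def normalize(password):
    """Lower-case the password and reverse look-alike substitutions."""
    return password.lower().translate(SUBSTITUTIONS)


def evaluate(password):
    """Return a list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no numbers")
    if not any(c in string.punctuation for c in password):
        problems.append("no special characters")
    normalized = normalize(password)
    hits = sorted(w for w in COMMON_WORDS if w in normalized)
    if hits:
        problems.append("based on common word: " + ", ".join(hits))
    return problems
```

`evaluate("P@ssw0rd2025!")` passes every character-class rule and is still rejected, because it normalizes to a string containing "password".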

Rainbow table attacks


A rainbow table attack uses a special table (i.e., a “Rainbow Table”) made up of
precomputed strings or commonly used passwords and corresponding hashes to
crack the password hashes in a database.

How it works

Rainbow table attacks work by exploiting chains of hashing and reduction
operations to efficiently crack hashed passwords. Potential passwords are first
hashed and stored alongside their plaintext counterparts in the rainbow table, then
processed with a reduction function that maps them to new values, resulting in a
chain of hashes. This process is repeated multiple times to build the rainbow table.
When hackers obtain a hash list, they can reverse lookup each hash value in the
rainbow table—once a match is identified, the corresponding plaintext password is
exposed.

Examples

While salting (a method of adding random characters to passwords before hashing)
has reduced the effectiveness of rainbow table attacks, many hashes remain
unsalted; additionally, advances in GPUs and affordable hardware have eliminated
the storage limitations once associated with rainbow tables. As a result, these
attacks continue to be a likely tactic in current and future high-profile cyber-attacks.

Defense measures

As mentioned previously, salted hashes have significantly reduced the effectiveness
of precomputed tables; organizations should therefore implement strong hashing
algorithms (e.g., bcrypt, scrypt) in their password processes. Administrators should
also regularly update and rotate passwords to reduce the likelihood of rainbow table
dictionary matches/hits.

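Why a per-password salt defeats a precomputed table, shown with scrypt from the Python standard library. This is an added example, not code from the original article; the cost parameters, the record format, and the three-entry stand-in table are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# scrypt cost parameters: assumed values for illustration.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32, maxmem=64 * 1024 * 1024)


def unsalted_sha256(password):
    """Unsalted storage: identical passwords always give identical hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password):
    """Salted scrypt record in the form '<salt hex>$<digest hex>'."""
    salt = os.urandom(16)  # fresh random salt for every stored password
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, record):
    """Recompute the digest with the stored salt; compare in constant time."""
    salt_hex, digest_hex = record.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# Constructed stand-in for a precomputed table: hash -> plaintext.
PRECOMPUTED = {unsalted_sha256(p): p for p in ("admin123", "letmein", "qwerty")}


def table_lookup(stored_hash):
    """Return the plaintext a precomputed table would reveal, or None."""
    return PRECOMPUTED.get(stored_hash)
```

Two users who both choose "admin123" share one unsalted hash, which `table_lookup` resolves immediately, while their scrypt records differ from each other and match nothing in the table.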
In short, passwords aren’t perfect, but complex and sufficiently long passphrases
remain a vital first line of defense against advanced password-cracking techniques.
Tools like Specops Policy provide an extra layer of protection by continuously
scanning Active Directory against a database of over 4 billion breached
passwords. Contact us for a free demo today.
