
Imp3n3tr@ble5832: not an impenetrable password anymore


Let’s look at how you would fare against a determined modern hacker. Let’s say he wants to break into your online mail account or your social networking site (say, Facebook). He won’t even try to log in through the website’s login screen — that’s too time consuming, plus the service will alert you, the real user, as soon as it notices someone repeatedly trying to log in with the wrong password.

Step #1: Steal the database

Instead, he will try to break into the database of the website. That’s where all user data (including your own) is stored. However, this database, too, is protected by an extremely strong password that is known only to a handful of employees at the company that runs the website. The hacker can’t guess it. So he uses other methods. He’ll look for weaknesses in the server software or the database to try to sneak in without a password. He’ll try to trick or bribe an employee to help him. Either way, he gets in. It has happened many times to well-known websites.

Once in, he goes to the database and looks at the passwords. But the password entries all look like gibberish. They’ve been hashed, or scrambled. This is for two reasons: first, except for you, no one should know your password, not even the developers and database administrators of the website. Second, they’re scrambled in case of just the sort of attack I’m describing right now — just because the database is protected by a password, you can’t assume that everything inside is fully protected.

Step #2: Defeat the hashes

We’ll talk about how hashing works later. All you need to know right now is that hashing is one way — you can’t unscramble a hashed password and get the original password any more than you can unscramble an omelet to get the egg back. So what does the hacker do? He just takes a copy of the database and gets out. He’ll work on the passwords at his leisure.

Even though the hacker can’t unscramble hashed passwords, he can do the opposite: let’s say he knows that at least one of the thousands of users in the stolen list has used ‘password123’ as the password. He will use the same scrambling or hashing method on the string ‘password123’ to generate a hash. Let’s say the hashed form of ‘password123’ is ‘ndkwoenr39md30’. Now all he has to do is to check for ‘ndkwoenr39md30’ in the list of password hashes. A match means the corresponding user’s password is ‘password123’.

Step #3: The dictionary attack

The hacker does not perform this attack by hand. Instead, he already has a massive table of millions and millions of entries. In the first column, it lists a possible password. In the second column, the hashed form. The table contains all the words in the dictionary and a variety of common passwords like ‘password123’. This is called a ‘rainbow table’. The hacker now sets up a program to automatically check the entire password list for hashes that are found in the rainbow table. It may sound tedious, but with today’s computing power, it doesn’t take very long. And our hacker is patient. He’s perfectly willing to let the program run for days.

At the end of the run, everyone whose password was a dictionary word or a common pattern has been found out by the hacker. The larger the list of users he stole, the more likely he is to find people with poor passwords.
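To make steps 2 and 3 concrete, here is a small audit script added for this page (example code, not code from the handbook). It takes a constructed table of users and unsalted SHA-256 password hashes, hashes a short guess list once, and looks the stored hashes up in that table, which is exactly the reverse lookup the text describes. Two consequences of storing a fast, unsalted hash become visible: the lookup table does not depend on the victim site, so it can be built before the breach and reused against any site using the same hash, and two users with the same password get the same stored hash, so duplicates are exposed before a single guess is tried. All user names, passwords and guesses below are constructed.

```python
import hashlib


def sha256_hex(text: str) -> str:
    """Hash the way a naive site might store a password: one fast, unsalted SHA-256."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed sample of a stolen, unsalted password table (user -> stored hash).
# The digests are computed here from the plaintexts shown; they are not values
# taken from any real breach.
STOLEN_TABLE = {
    "alice": sha256_hex("password123"),
    "bob": sha256_hex("Imp3n3tr@ble5832"),
    "carol": sha256_hex("password123"),  # same password as alice
    "dave": sha256_hex("correct horse battery staple"),
}

# Constructed stand-in for the guess list; real lists run to millions of entries.
GUESSES = ["123456", "password", "password123", "letmein", "qwerty"]


def build_lookup(guesses):
    """Precompute stored-hash -> plaintext for every guess.

    Nothing here depends on the victim site, which is why the table can be built
    ahead of time and reused against any database storing the same unsalted hash
    (the text's 'rainbow table' idea in its simplest form).
    """
    return {sha256_hex(g): g for g in guesses}


def recover_unsalted(table, lookup):
    """Return {user: password} for every stored hash that appears in the lookup."""
    return {user: lookup[h] for user, h in table.items() if h in lookup}


def shared_hashes(table):
    """Group users by identical stored hash.

    With no salt, equal passwords produce equal hashes, so an auditor (or an
    attacker) can see who shares a password without trying a single guess.
    """
    groups = {}
    for user, h in table.items():
        groups.setdefault(h, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    lookup = build_lookup(GUESSES)
    print("recovered:", recover_unsalted(STOLEN_TABLE, lookup))
    print("users sharing a hash:", list(shared_hashes(STOLEN_TABLE).values()))
```

A real rainbow table is a time-memory trade-off structure that stores hash chains rather than a complete two-column list, but it serves the same purpose as the dictionary in `build_lookup`: the expensive work is done once, before any breach, and amortised over every victim that uses the same unsalted hash. Both the reusable table and the visible duplicates disappear once each user has a random salt, which is what step 5 introduces.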

Step #4: Going beyond the dictionary attack

But you think you’re smart. You didn’t use a dictionary word. You didn’t even bother with adding numbers like 123, 456 or 666 to the end of your password because you know everybody does that. But you’re in for a surprise. Did you replace letters with look-alike symbols? For example, ‘p@$$w0rd’? That’s useless. The hacker’s table of guesses contains all such forms for every dictionary word. Did you mix upper and lower case letters? For example, PaSsWord? He’s got those in the list too. Did you use numbers like these in the password: 90210 (Beverly Hills ZIP code), 4815162342 (the numbers from the TV show Lost)? He’s got those too. How about R2D2C3PO (the droids from Star Wars)? He’s thought of it and then some. Did you use a French word? Too bad, he’s got the French dictionary in there too. How about a Klingon word from Star Trek or a spell from Harry Potter? Nope, hackers are usually more into these things than you are.

They’re all there in the table. Person names, place names — they’re all there. Did you reverse a dictionary word, or type it in twice? Guess what, he’s got those forms too. If the hacker is particularly thorough, his program will try every number from 0000 to 9999 along with every dictionary word. And he knows that numbers usually appear at the end of a password and upper case letters at the beginning. So even if your password is something like ‘Imp3n3tr@ble5832’, the modern hacker can find it. For good measure, he may even try ‘Imp3n3tr@ble5832!’ (with an exclamation point at the end — another common variation).

Step #5: Defeat the salt

You think you’re done for? Actually, the hacker’s only just begun. Let’s say the website’s developers are pretty smart themselves. They know about rainbow tables. So instead of just storing the password’s hash in the database, they add a little piece of text to the password before hashing it. If your password is ‘password123’, they’ll generate a random number or string and append that to the password before hashing it. So even though your password is ‘password123’, the hash in the database may represent something like ‘password123n7ghwee’. This is called ‘salting’ the password, and that piece of text added to the password is called a ‘salt’. This makes the hacker’s rainbow table useless, because the salt is random — something he could not have guessed when he originally created his rainbow table. Even if the salt for each user is stored along with the password (which is usually the case), the hacker can’t use a rainbow table that he already has. He has to generate a new one from scratch (taking the salt into account) before he can start the comparison program. This is the point where most hackers give up.

But your hacker is not most hackers. He doesn’t keep a rainbow table with him. What he has instead is a list of password guesses and a massive array of GPUs, or graphics processing units — powerful processors built for 3D computer games. His program takes your salt from the database, uses it to generate hashes for all the guesses in his password list and compares them against your password hash. The hashing function takes time to run, and there are millions of guesses in his password list, but he’s running the program on a veritable supercomputer. It may take days, but if the main portion of your password is a dictionary word, he will get you.
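The developers’ countermeasure from step 5, written out as example code added for this page (not the handbook’s own): every password gets its own random salt and is run through PBKDF2-HMAC-SHA256 with a high iteration count. The salt is what makes a precomputed table useless, and the iteration count is what makes the GPU approach of step 5 expensive, because each guess against each user must now pay for the whole work factor instead of one fast hash. The record layout `pbkdf2_sha256$iterations$salt$digest` is a convention constructed for this example; the default of 600,000 iterations is the current OWASP recommendation for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256 (OWASP's current recommendation). Raise it as
# hardware gets faster; it is stored in every record so old records can be upgraded.
DEFAULT_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Derive a salted, slow hash and return a self-describing record.

    Record layout (constructed for this example):
        algorithm$iterations$salt_hex$digest_hex
    """
    salt = os.urandom(16)  # fresh random salt for every password ever stored
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type: {algorithm}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest does not short-circuit on the first differing byte, so the
    # comparison time does not reveal how much of the digest matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(record: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a record was created with a weaker work factor than current policy.

    Call this after a successful login and re-store the password if it returns True.
    """
    return int(record.split("$")[1]) < iterations


def same_password_same_record(password: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """Store one password twice and report whether the records are identical.

    With a per-user random salt this is False, so the duplicate-password leak of an
    unsalted table is gone and a guess tested against one user says nothing about another.
    """
    return hash_password(password, iterations) == hash_password(password, iterations)


if __name__ == "__main__":
    record = hash_password("password123")
    print(record)
    print("correct password verifies:", verify_password("password123", record))
    print("wrong password verifies:  ", verify_password("password124", record))
    print("duplicates visible:       ", same_password_same_record("password123"))
```

The salt does not need to be secret, and the text is right that it is normally stored next to the hash; its job is only to be unique, so that no table computed before the breach applies and every user must be attacked separately. The work factor is the second half of the defence: the attacker’s GPU array still works, but each guess costs hundreds of thousands of hash computations rather than one, and the same slowdown on the server is paid only once per login.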

Step #6: Keep refining the guesses

Scared yet? There’s more. You’ve read up on password security. Maybe you’ve read the famous XKCD comic. You know that a ‘passphrase’ of several random dictionary words is better than the types of passwords we talked about above. You use a password like ‘correct horse battery staple’. Why? It’s long, but you can remember it without having to write it down (as you would probably have to do with a password like ‘Imp3n3tr@ble5832’). If you think you’ve finally given the hacker the slip, you’re wrong. Yes, longer passwords are a lot harder to break than shorter ones. Yes, the 28-character ‘correct horse battery staple’ is a lot more secure than the 16-character ‘Imp3n3tr@ble5832’. Yes, it is a lot less likely to be in a hacker’s guess list. But you’re forgetting the massive GPU array. The hacker runs a program that generates random combinations of two, three or four dictionary words and tries them against your password hash. It’s going to take a while because the number of such combinations is very large, but it’s not impossible. If the hacker is really obsessive about it, he will just keep the program running for weeks until a match is found.

Let’s say the hacker’s program breaks a thousand passwords in a list of 20,000 in the first few days. But you’re not among the unlucky thousand. However, the hacker studies each new password he uncovers and tries to discover patterns in them. Remember, you’re not unique. If you thought of something, the chances are hundreds, if not thousands, of others have thought of it too. So when he sees more than a few occurrences of a certain pattern, he’ll include that in the program’s guessing function. For example, if the hacker notices passwords like ‘!password’ or ‘!canthackthis123’, he’ll know to try the exclamation point at the beginning of passwords. So even if your password was ‘!Imp3n3tr@ble5832’, you’re likely to get caught because others with dumber passwords used the same technique, exposing it to the hacker. In a well-known real-world case, a journalist with little or no hacking skills ran a password cracking program on a list of passwords (as a test, of course) and discovered many passwords that we would consider ‘hard to guess’. One of the passwords the program uncovered was ‘momof3g8kids’!
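To put the comparison of ‘correct horse battery staple’ with ‘Imp3n3tr@ble5832’ from step 6 into numbers, here is a small model added for this page (example code, not from the handbook). It counts the candidates a guessing program would have to try under the two strategies the text describes, a mangled dictionary word (capitalisation patterns, look-alike substitutions, a trailing number and symbol) versus two to four words drawn at random from a dictionary, and converts each count into an expected cracking time at an assumed guess rate for a fast unsalted hash and for a salted, iterated one. The dictionary size, variant counts and guess rates are constructed assumptions chosen to make the orders of magnitude visible, not measurements.

```python
import math

# Constructed assumptions for the model. Real wordlists and cracking rigs differ;
# only the relative sizes matter here.
DICTIONARY_WORDS = 50_000
FAST_HASH_GUESSES_PER_SEC = 10**9   # assumed rate against one unsalted fast hash
SLOW_HASH_GUESSES_PER_SEC = 10**4   # assumed rate against a salted, iterated hash


def mangled_word_space(dictionary=DICTIONARY_WORDS, case_variants=4, leet_variants=8,
                       trailing_digits=4, trailing_symbols=10) -> int:
    """Upper bound on the 'word plus tweaks' forms of step 4: a dictionary word, a few
    capitalisation patterns, a few look-alike substitutions, a number 0000-9999 and an
    optional trailing symbol. Each tweak multiplies the space, but by a small factor."""
    return dictionary * case_variants * leet_variants * 10**trailing_digits * trailing_symbols


def passphrase_space(dictionary=DICTIONARY_WORDS, min_words=2, max_words=4) -> int:
    """Candidates the step 6 program must try: every sequence of min..max words chosen
    independently from the dictionary (order matters, repeats allowed)."""
    return sum(dictionary**n for n in range(min_words, max_words + 1))


def bits(space: int) -> float:
    """Search space expressed as bits of entropy (log2 of the number of candidates)."""
    return math.log2(space)


def expected_seconds(space: int, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random choice: on average half the space is tried."""
    return space / 2 / guesses_per_second


def years(seconds: float) -> float:
    return seconds / (365.25 * 24 * 3600)


def report() -> dict:
    """Expected cracking time in years for both strategies at both guess rates."""
    out = {}
    for label, space in (("mangled word", mangled_word_space()),
                         ("2-4 word passphrase", passphrase_space())):
        for rate_label, rate in (("fast hash", FAST_HASH_GUESSES_PER_SEC),
                                 ("slow hash", SLOW_HASH_GUESSES_PER_SEC)):
            out[f"{label} / {rate_label}"] = years(expected_seconds(space, rate))
    return out


if __name__ == "__main__":
    print(f"mangled word:     {bits(mangled_word_space()):5.1f} bits")
    print(f"2-4 word phrase:  {bits(passphrase_space()):5.1f} bits")
    for label, value in report().items():
        print(f"{label:32s} {value:14.3g} years")
```

Under these assumptions the mangled word has about 37 bits of entropy and falls in minutes against a fast hash, while the random passphrase has about 62 bits and takes roughly a century at the same rate; the slow hash multiplies both figures by the ratio of the two rates, five orders of magnitude here. The model assumes the words are chosen uniformly at random, which is exactly what the pattern-learning described above exploits: once the attacker observes that many people draw from a few thousand popular words or share a handful of prefixes, the effective dictionary shrinks and the bits fall with it. The guess rates are the one part of the equation the site, not the user, controls.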

Excerpted from A Personal Internet Security Handbook

