I cracked 40,000 passwords with Python. Yours might have been one of them.

Fendy Lieanata
Published in Codomo
3 min read · Oct 16, 2019
Extracted from xkcd: https://xkcd.com/538/

Remember the good old days when you were passing love notes to your crush across the classroom? Chances are you’ve had to pass that note to your friend > another friend > and another friend before it reached your crush. And friends are the worst; you can’t trust them with your secret message. In response, you probably established some kind of code between you and your crush beforehand. The message makes sense to both of you but appears as gibberish to the people in between. That’s what we call encryption.

🚨 JARGON ALERT: Encryption and hashing are similar; they both turn words into gibberish. The difference is that encryption is reversible, while hashing is (almost) irreversible. For passwords, we use hashing.

HOW PASSWORDS ARE STORED IN COMPANIES

  1. Plain text (Can you hear me shaking my head?)
  2. Hashed passwords
  3. Salted hashed passwords

Responsible companies hash your passwords. They take the password you type into their sign-up page, turn it into gibberish, then store that gibberish in their database. In the event a hacker flirts with your database administrator and gains access to the database, all the hacker will see is the gibberish. They can’t just copy your gibberish password and paste it into the login page, because the login page will run the algorithm again and turn the gibberish into different gibberish. I’ll let that sink in.

How hashing the hash protects you from a hacker

Even more responsible companies salt your passwords. Meaning, they “add random characters at random positions” to your password before sending it for hashing. For example, you enter a shitty password: “Password”. With salting, the algorithm adds a few characters to it until it becomes something like “xyzPassword123”. “Password” is in the dictionary; “xyzPassword123” is not. This makes guessing the actual password way tougher ☝️.

SETTING EXPECTATIONS

In the next part of this article, I’m going to show you how hackers “decrypt” hashed passwords back to the actual words (well, they don’t actually decrypt, they guess). Then, I’m going to show you how it’s done in Python.

Before I proceed any further, I would like to point out that the purpose of this article is to show you the big picture; I will avoid being technical here. If I say anything technical, you will hear me saying sorry. Yes, I have oversimplified many things here. Cool? Let’s go.

HOW DICTIONARY ATTACKS WORK

In short, a dictionary attack (sorry!) is the cracking of a password based on the words that appear in the dictionary (duh..). There are 3 steps to a dictionary attack.

  1. ACCESS to the (hashed) password list
  2. HASH all the words found in the English dictionary
  3. COMPARE the (hashed) English words with the (hashed) passwords

STAGE 1: ACCESS

Let me give you an example. Let’s say I flirted with a database administrator of a company and managed to gain access to the following 3 hashed passwords:

  1. 5f4dcc3b5aa765d61d8327deb882cf99
  2. 9b4609b17fea63f3f3f067fc2f465c6e
  3. 24ebcd0fd5d6b86649fb187d75f80ad0

STAGE 2: HASH

Using programming, I hashed all of the 350,000+ English words. I used a hashing method called “md5” (sorry!). There are many hashing methods: MD5, SHA1, SHA2, SHA3 (sorry, sorry, sorry, sorry), etc.

STAGE 3: COMPARE

I then comb through all of the 370,000+ (hashed) English words. If I find a match, bingo! That’s the password.
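To make the three stages concrete, here is an added example (my code, not the author’s Part 2 script). It uses a constructed six-word dictionary in place of the 350,000+ English words, recovers the article’s first hash (the MD5 of “password”), and then shows why the very same precomputed table stops working once a random salt is added. The salt layout (salt hex prepended to the password) is an assumption for illustration only.

```python
import hashlib
import os
from typing import Optional

# Constructed mini "dictionary" standing in for the 350,000+ English words.
WORDLIST = ["apple", "banana", "password", "secret", "welcome", "letmein"]


def md5_hex(text: str) -> str:
    """Stage 2: hash one candidate word with MD5 (fast and unsalted, hence cheap to scan)."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_dictionary(words):
    """Precompute MD5 -> word once; the same table is reused for every leaked hash."""
    return {md5_hex(w): w for w in words}


def crack_unsalted(leaked_hashes, table):
    """Stage 3: one dictionary lookup per leaked hash. Returns {hash: word} for matches."""
    return {h: table[h] for h in leaked_hashes if h in table}


def store_salted(password: str, salt: Optional[bytes] = None):
    """How a salting site stores a password: a random per-user salt kept next to the hash.
    (Salt-then-password layout is an assumption made for this example.)"""
    salt = salt if salt is not None else os.urandom(16)
    return salt, md5_hex(salt.hex() + password)


def crack_salted(salt: bytes, stored_hash: str, words):
    """With a salt the precomputed table is useless: every word has to be re-hashed
    with this user's salt, so the full dictionary costs one pass per account."""
    for w in words:
        if md5_hex(salt.hex() + w) == stored_hash:
            return w
    return None


if __name__ == "__main__":
    table = build_dictionary(WORDLIST)
    # Constructed leak: the first hash is the article's hash #1 (MD5 of "password");
    # the second is the MD5 of a word that is not in our mini dictionary.
    leaked = ["5f4dcc3b5aa765d61d8327deb882cf99", md5_hex("correcthorsebatterystaple")]
    print(crack_unsalted(leaked, table))  # only the first hash is recovered

    salt, stored = store_salted("password")
    print(stored in table)                        # False: the table no longer helps
    print(crack_salted(salt, stored, WORDLIST))   # "password", but only after a salted pass
```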

Still confused? I have created a 20-second blockbuster movie below for you to see how it works.

Simulation of how a dictionary attack is executed

PART 2: How I coded the dictionary attack in Python.

Click here for the full article. I answered some FAQs that people have with regards to password security and also provide a free download link to my Python file.
