From a Pen-tester: Password Advice — How We Break Them, What Yours Should Be, and Why

Rich Amies
Nov 20, 2020 · 8 min read

A couple of family members have had warnings this week from the exceedingly awesome site Have I Been Pwned, that their details have been found in the wild. So, this is my attempt at making something easy to read and understand for my parents, siblings, and anyone else who may not be the most technically minded, but recognize the need to try and be safe.

Something that needs pointing out — you’re not really a target. The vast majority of people out there are of little net value individually — it’s not worth a hacker’s time to try and crack their way into your account where you have maybe a couple of grand in the bank and an average line of credit.

It’s far more worthwhile for me to hack a server containing 100,000 accounts — if 1% of those are readily available to me using simple or re-used passwords, it’s game on. Because another 1–5% will still be fairly trivial to break as well — why bother with you, when I can have 7000 of you?

Your password needs to be strong in two ways — not easy for an adversary to guess in order to hack you on an individual level, but also difficult for an adversary to decode and use your credentials if they’ve been stolen from a server online. You weren’t the target for the breach, but you’re certainly a potential target from that point on.

Passwords are your keys to your valuable assets — whether it be your email provider, your bank, your mobile phone provider, an internet forum where you discuss dogs, cars or parenting — and pretty much everything in between.

Each of these can be likened to a room in your home with a lock. Some rooms have very important contents — the office with the filing cabinet, the garage with the expensive mountain bike. Some rooms are trivial and you stand to lose relatively little if anyone gains entry — the bathroom with the bleach, the dining room with the accumulation of little-value books or soft toys in the cupboard. But you’d automatically understand why you’d want to use a different key for each room, right?

Re-using your password means anyone who steals the key to your bathroom can enter your office, kitchen, garage — which isn’t what you want. Use a unique password to help limit access if those credentials are stolen, or broken using other means. “1luvDog$” is strong enough for the most trivial of accounts — and technically good enough for a fair few sites, we have 8 characters, uppercase, lowercase, numeric and a special character.

In general, on all but the weakest of sites, your password will be stored in a database in a hashed format alongside your other details — email address, your username on the site, maybe some additional personally identifiable information including your name and location, etc.

Wikipedia has a lot of information on it — in very simple terms, a hash function takes whatever content you provide it with, and uses a one-way formula to create a fixed-length value against it, which ought to be unique to the provided content. Hashes are relatively quick to create, but very difficult to reverse — to be honest, we can’t do it in the majority of cases. Rather than try and reverse it, we’d throw everything at recreating the hash just by brute-forcing.

Let’s make some passwords, and store them in a similar way to how they’re kept online:

Image for post
Image for post
image by author

Reading through the above, hopefully you can see I’ve made 11 passwords. They may or may not seem similar to something you’d use and think is acceptable. Some are longer than others, some very simple, some a little longer, and some more complex than others.

The yellow section in the second half is the password stored on the server after going through the one-way hashing function(MD5, in this case). They look totally random and give no clue as to the length of the original password — the value is the same length whether the original password was 6 characters or 29.

Let’s break them. I have a fairly modern, fairly modest (£150ish) graphics card. We’ll use that as in reality, it’s a super little device for calculating things like this. Computing graphics for games is exactly what it’s made for — computing hashes is a task that fits this tool very nicely.

There are two methods available to me right now — I can break them against a list of known passwords (yes, there are people who collate this information for future use, because people often re-use their password on more than one site), and I can brute-force the ones not on the list. Let’s see how long it takes.

I’ll start with a fairly large, very well-known list of passwords often used: rockyou.txt

Image for post
Image for post
image by author

It found 7 of the 11 passwords — which is expected as I deliberately picked them from it — and took less than 10 seconds from beginning to end. Pause for a moment there and consider that more than half of the passwords were found from just a single publicly-known wordlist, created just for this very purpose. Then pause again to reflect on the fact there were 14 million passwords in that file, and the entire file was used up in under 10 seconds. Once your details are leaked, and a password is derived from that leak, it’s very quick to check that password against other known information leaks.

Moving forward, I’ll try and brute-force the rest by trying every possible combination of characters possible. This takes much longer, as the possibilities are very significant — uppercase and lowercase alone gives 52 possibilities for each character. Add on another 10 for numbers, then all the special characters — we’re getting up to nearly 100 possibilities for each character.

Brute-forcing every possible combination of password, from 1 character through to 7:

1 character took 0 seconds:

Image for post
Image for post
image by author

I’ll skip a little here, as it’s the same story up until 6 characters:

Image for post
Image for post
image by author

So, we got another one. Doing every possible password of 1–6 characters long has taken under 3 minutes. As we can see, the longer the password, the more time it takes to attempt every possible combination. The time taken will go up significantly here, to around 2–3 hours for 7 characters(which I know I don’t have in the list):

Image for post
Image for post
image by author

And up to 8 characters, which I do know is in the list I made:

Image for post
Image for post
image by author

I’m not going to leave it running that long, as it serves no purpose here. But I will make a point — I’m one guy, who doesn’t really want to crack passwords. I have a fairly moderate graphics card to aid with this as something in the background when trying to find my way into a system.

If I were evil, whether it be a criminal looking to gain access to the accounts of an individual, or a larger bad actor(think of large foreign government organizations here), then I’d have many cards available to me. 12 cards like mine would have cost me £1200 at the time of purchase, and around £1800 today, and I’d have comfortably broken every password we made in under a day.

Break into one bank account, steal £5000, and you have the money to buy 30 cards and the systems to run them. It makes your next target far quicker, with pure profit at the end of it.

As time goes on, computing power increases significantly. If my card today can break any eight character password of unknown complexity in under two weeks, we can expect a card of similar value in two years time to take approximately half the time. Sadly, we don’t increase our password complexity as quickly as the technology advances.

What should my password be? That’s a great question. I’m glad you asked. 😄

As we can see from this article, what appears to be a good, random, obscure password really isn’t all that great. It may seem impossible for the guy up your road to guess your password as being “1luvDog$”, but it’s not particularly complex when being attacked by modern technology.

Length is the answer. Length trumps everything really. Obscurity — forget oddball, random-looking passwords that people can’t guess — we need to find passwords that machines struggle to guess as well. I hopped on Use A Passphrase to find an example of what would be good — “mauve spongy constable cosmetics” was the first suggestion provided. Four totally random words. The next suggestions were “amount sash unseemly starting”, “prune reshuffle festivity polish”, “elevating durably available outpost” and “overpass playroom dimmed never”.

They’re all long, make no sense, and the password is not at all likely to be kept in a list of possibilities. You don’t have to use them, but use the overall idea when constructing something you deem to be safe in future — “BottleBirmingham1503Sierra” would be good. Spaces, no spaces, numbers, no numbers, capitals, no capitals — they may or may not help. But go with length and true randomness over anything else.

Buy a small book, keep them in it. You don’t need to remember the passwords, you just need to know where to find them. I’d advocate using a password manager (I personally do) but they can be clunky, and you can stand to lose the lot if you only have the one copy. Buy a small book and keep it somewhere safe. A smarter way would be two books, with passwords in one and other useful information in the other, with your own method of associating each entry. But that’s really only of concern if your home is invaded and the books stolen.

To summarize, you want good length, truly random, and zero re-use — and a method for keeping that information available to you.

And the end result, after typing all this:

Image for post
Image for post
image by author

There were 6,634,204,312,890,625 possible passwords when checking every combination of eight characters. For human readability, that’s 6.6 quadrillion possibilities (I think). My little graphics card has tried 12,238,352,547,840 of them in half an hour, which is 12 trillion.

If your password is on a wordlist — so already stolen, leaked, etc — it’s very, very fast to test it against future stolen details. Even if that list were 24 trillion passwords in total, which is an enormous number, my single graphics card would do it in just one hour.

Which passwords take longer to crack on my card?

For more content like this, follow Dark Roast Security

Want to write for us? Check out how to become a contributor below:

Dark Roast Security

Dark Roast — because the dark web isn’t as good

Rich Amies

Written by

Documenting some of what I’ve learnt whilst becoming a pentester! Mostly HTB and OffSec Proving Grounds. Extremely human, full of imposter syndrome.

Dark Roast Security

Dark Roast Security is here to inspire, educate, and share ideas about InfoSec. This publication is a platform designed to bring people together that are passionate about sharing their knowledge or want to learn something new about Cybersecurity. Follow to join our community!

Rich Amies

Written by

Documenting some of what I’ve learnt whilst becoming a pentester! Mostly HTB and OffSec Proving Grounds. Extremely human, full of imposter syndrome.

Dark Roast Security

Dark Roast Security is here to inspire, educate, and share ideas about InfoSec. This publication is a platform designed to bring people together that are passionate about sharing their knowledge or want to learn something new about Cybersecurity. Follow to join our community!

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store