For a number of years I’ve been interested in the security provided by passwords, and the methods being developed to attack password-protected accounts. So I thought I’d see how successfully everyday developers, without specialist knowledge, could hack millions of passwords.
**Ethical Hacking: The real-world passwords used in this experiment were hacked and leaked online by an individual who is not myself. These passwords are now freely available online. Carrying out virtual attacks on leaked passwords like this enables us to educate individuals on the protection provided by their passwords, and can therefore help protect them from real attacks. Before carrying out my work I stripped all personally identifying information from the leaked file.**
People use passwords to protect virtually everything online: from emails to bank accounts, to crypto exchange accounts. While many sites now offer use of two factor authentication (‘2FA’), this often isn’t publicized or enforced, and a huge number of sites still don’t offer 2FA at all. The security passwords provide is therefore critical for protecting the population’s identity and money.
Naturally, the value stored behind passwords has motivated many attacks to be developed against them. There’s a huge number of research papers you can read about complex password cracking algorithms, which use intricate probability and machine learning techniques, and can crack over 90% of passwords.
While it’s scary how good these algorithms are, they don’t feel like a very realistic threat against the general population — how many people really know how to carry these attacks out? Why would they target me?! I decided therefore to take a look at a far more realistic attack: an attacker that knows how to create an AWS instance (or other cloud instance), and can run some open-source software on it.
If you already know about hashing of passwords please skip ‘Brief Background: Storing Passwords’. If you know about offline attacks against hashes please skip ‘Brief Background II: Attacking Hashes’.
Brief Background: Storing Passwords
When logging into a password-protected application, the sequence of events that appears to occur is the following:
- User enters a password (which is transmitted for approval)
- Entered password is compared to the password on record
- Access granted if these match
However transmitting and storing passwords like this is incredibly insecure. For increased security, many systems (though sadly not all) actually store the ‘hash’ of users’ passwords in their database, and not the passwords themselves. You can think of the hash as an irreversible jumbling of the password; if an attacker discovers a password’s hash they cannot reverse the process to discover the password itself.
When a user enters their password in a system like this, the actual sequence of events is the following:
- User enters password
- Hash (password) is calculated locally and the hash is transmitted
- The hash is compared to the hash on record
- Access granted if these match
Brief Background II: Brute-forcing Hashes
In a system that uses hashing, if an attacker manages to get their hands on the password database, they still cannot see a user’s password. Attacks against such systems cannot reverse a hash to find the corresponding password, and therefore go as follows:
- Guess a password
- Calculate the hash of this guess
- Compare this to the real hash
- Repeat steps 1–3 until a match is found
This sounds pretty time consuming, however with a machine that can guess thousands of passwords in parallel, you can imagine things start to speed up.
The software I used is called Hashcat, which is an advanced password recovery tool, and is known as the “world’s fastest password cracker”. Hashcat is open-source, has sources and binaries downloadable from their website, and has an extensive wiki guide to the tool. It’s safe to say you don’t have to be a specialist to use it.
I ran Hashcat on a Nvidia Tesla K80 — a GPU with 4992 cores that you can rent on AWS for $0.90 per hour (P2.xlarge). I started off by looking at the hashing capabilities of the K80, just to see how it fairs in comparison to a standard built-in laptop GPU.
The K80 came out 16 times faster than an average Intel graphics card. The K80 can calculate ~800 million SHA-256 hashes per second… that’s nearly 3 trillion per hour.
As stated at the top, the passwords I ran my attack on were leaked by an attacker online. There were over 14 million passwords leaked in the attack, all of which was created by real-world users. I won’t provide a link to the passwords — there’s no need to share them unnecessarily — however I found them easily with a quick google search.
The logic of my attack
While Hashcat allows you to perform simple brute-force attacks (where you try every possible password of a specified length), they also have commands for slightly more complex attacks. It’s well known that most people base their password on a word, in various forms:
- Just a word (potentially with different capitalizations) — Password
- A word followed by some numbers/symbols — monkey! or Coffee12
- A word with ‘leet speak’ applied — p4ssw0rd or f4c3b00k
- Multiple words stuck together — isthissecure
And what a coincidence… if you can provide a list of words in a file, Hashcat has different modes built in, that can guess:
- Every word
- Every word with each possible number/symbol appended
- Every word with specified rule(s) applied (i.e. ‘replace every o with a 0’)
- Every combination of words stuck together
So I downloaded a dictionary file containing millions of English words to use in my attack.
From there you can then get a bit more generic, specifying ‘masks’ that Hashcat should try. This means instead of telling Hashcat to try ‘all passwords of length 8’ — which is 7 quadrillion different combinations — you can try every password that is ‘6 lowercase letters followed by 2 numbers’.
So how well did the attack do?
To be honest… it was far, far more successful than I had possibly imagined. Actually scarily successful…
- 2 hours: 48% of the passwords were cracked
- 8 hours: nearly 70% were cracked
- 20 hours: over 80% had been cracked
Call to action
Let me summarize.
20 hours. $0.90 per hour. That’s just $18. 80% of 14 million passwords cracked.
Let that sink in.
That’s scary. Really scary. People need to make their passwords more secure. Replacing ‘o’ with ‘0’ and ‘e’ with ‘3’ does not make your password secure. Adding numbers and symbols to the end of a word doesn’t either. It’s too predictable.
I’m not a security professional — I can’t give you rules that you can follow to make passwords unhackable. It was people following predictable rules that made these passwords so crackable. Be unpredictable. Or better yet, use a password manager like LastPass or 1Password to be unpredictable for you.