In a previous blog, we covered the difference between an online and offline password attack. This blog will continue from there. Once a hacker is able to get your password hash offline for a password attack, let’s explore how a hacker guesses your password. As a point of clarification, this blog is written from the perspective of a penetration tester who emulates attackers hacking companies. Therefore, while I have never verified with a hacker that they follow the same steps, I can confirm that for an average organization, I can successfully recover over 60% of the passwords on their domain.
So with that said, let’s go through the various ways a hacker guesses your password. As we work through this list, think of your current password and how long it will make it.
The first and sometimes only step needed when a hacker guesses your password is wordlists. These are really long text files with precomputed password guesses. Because no computation is needed beyond comparing the password in the file to the password hash, this is a really quick process. We can run through a password list that has over 1 million words in less than 5 minutes. Some of these dictionary files we use are:
- Every dictionary word
- All the common keyboard patterns you can imagine (QWERTY, !QAZ2wsx, etc.)
- Common sports wordlists (Panthers1, Touchdown, Etc.)
- Every password contained in known breaches. A lot of time when hackers gain access to a major corporation (Yahoo, LinkedIn, etc.) they like to brag and produce a list of all the passwords.
- Customized wordlists based on your company. There are tools that let us scrape your website and make a wordlist of every word on it to use in a password attack. Combine that with a little bit of the human element to add things like nicknames for your company, and we can cover a lot of common variations.
The next way a hacker guesses your password is using those same dictionary files, but now with rules. The rules can do a number of different things such as:
- Add 123 to the end
- Change a to @, s to $, L to 1, etc.
- Add the date at the end
- All uppercase
- All Lowercase
With rules, if your password is anything like Sally123, or Comp@ny1!, you can be sure we will find it. Rules require more computation than wordlists, but because we are only attempting a few million guesses, this portion of the password cracking will still be quick. Depending on the size of the wordlist and number of rules, this can vary, but in general you are looking at around 30 minutes to an hour to complete this portion.
The combinator attack takes two wordlists and combines them. For example if list one has Cat, and list 2 has Dog, the combinator will try CatDog and DogCat. This will also be combined with some simple rules above to make CatDog123 catdog2018!, etc. Although it is possible, it is rare for a combinator attack to combine more than 3 lists. Once you get to three, it gets pretty computationally expensive. This is one reason we recommend the use of passphrases (see more here). A typical combinator attack will take a few hours, depending on the size and number of wordlists being combined.
Another way a hacker guesses your password is through a mask attack. A mask attack is a form of brute-force attack, but the difference is, I am limiting the key space I have to go through. Let’s say I uncover a number of passwords, and they all look like:
Summer123! Boston585! Hockey333!
These passwords all follow a similar pattern. They all have a capital letter + 5 lowercase + 3 numbers + symbol. In a Mask attack, I will brute force every combination within these parameters. The time on this type of attack will vary wildly depending on how much I am able to limit the key space (number of combinations possible). The type of attack described above would most likely take a couple of days to complete. One thing an attacker can do is combine a mask attack with a dictionary attack. So in this case it would be dictionary word + three numbers + symbol (much faster).
The last, and least used, way a hacker guesses your password is through a true brute force. Although this is the most widely-known type of attack, it is almost never used because it takes forever. In a brute force attack, every possible combination of uppercase, lowercase, number, and symbol is attempted. For an 8 character password, this will take just under 3 days. Yes, you read that right, if your password is only 8 characters long, it is time to change it. However, for anything 9 characters, we are talking months, and it goes up exponentially from there.
So How Do I Choose A Strong Password?
Now that you know how a hacker guesses your password, you are probably wondering how to choose a strong password. Here is the advice I use when choosing my passwords. Spoiler alert, this isn’t really my password! I simply take a few sentences that are meaningful to me, and use the first letter of each including punctuation. For example:
I have a yellow lab named Spot. We got him in Texas in 2013.
Those two sentences are not hard for me to remember, but that is absolutely impossible for a hacker to guess unless I write it down somewhere. Reach out if you’d like to discuss or learn more.