As mentioned above, using a large alphabet and increasing the length of the password provide strong protection against password cracking. Another way to increase security is to make the hash function slow, so that real-time attacks become harder. Against pre-computation-based attacks, a slow hash also costs the attacker more time to generate the table, since the hash function has to be applied repeatedly. Furthermore, the use of salts adds per-user diversification to the password hashing algorithm. Salts provide the best protection against pre-computed tables, since the attacker would have to compute the hash values for every possible salt. Finally, the use of a password salt ensures that the password hashes of two users who selected the same password do not look alike.
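The two effects of salting described above, that identical passwords no longer share a hash and that a table pre-computed over unsalted hashes finds nothing, as an added example that is not part of the original article. The user names, the wordlist and the choice of PBKDF2-HMAC-SHA256 as the slow salted hash are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample: two users who happened to choose the same password.
USERS = {"alice": "cracked", "bob": "cracked"}
# Constructed attacker wordlist; the "precomputed table" below is the
# unsalted-hash -> password mapping an attacker builds once and reuses.
WORDLIST = ["password", "letmein", "cracked", "hack96", "adgjsfh"]


def md5_unsalted(password: str) -> str:
    """Fast, unsalted MD5, like the hashes cracked later in this article."""
    return hashlib.md5(password.encode()).hexdigest()


def slow_salted(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """Per-user salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256, assumed here).
    The stored record carries salt and iteration count so it can be verified."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def verify_slow_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    salt_hex, iterations, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def precomputed_table(wordlist) -> dict:
    """Attacker-side precomputation over unsalted MD5: hash -> password."""
    return {md5_unsalted(w): w for w in wordlist}


def demo() -> dict:
    table = precomputed_table(WORDLIST)
    unsalted = {u: md5_unsalted(p) for u, p in USERS.items()}
    salted = {u: slow_salted(p, os.urandom(16)) for u, p in USERS.items()}
    return {
        # Same password, same unsalted hash: one table lookup breaks both users.
        "unsalted_identical": unsalted["alice"] == unsalted["bob"],
        "unsalted_lookup": table.get(unsalted["alice"]),
        # Salted: the hashes differ and the salt-less table finds nothing.
        "salted_identical": salted["alice"] == salted["bob"],
        "salted_lookup": table.get(salted["alice"]),
        "verify_ok": verify_slow_salted("cracked", salted["alice"]),
        "verify_wrong": verify_slow_salted("hack96", salted["alice"]),
    }
```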
Password cracking tools
In this section we demonstrate examples of password cracking tools. First, we try to crack MD5 hashes generated from several selected passwords of different lengths. We then repeat the same procedure for the SHA-1 algorithm and note the differences between the passwords and between the two hash algorithms. The MD5 password hashes were generated using , while the SHA-1 password hashes were produced using .
John the Ripper
The first tool used was John the Ripper. It is an open-source program available for Windows, UNIX, Linux and Mac OS. It was initially developed for the UNIX OS and its purpose was to detect weak passwords. Nowadays, it is able to crack password hashes such as MD5, SHA-1, SHA-2, DES, Blowfish and Kerberos. As we will see below, it is executed using the following command pattern: john --format=raw-<algorithm> filename.txt, where the format is raw-md5 or raw-sha1 for our hashes. The file must contain the hashed password. We used John the Ripper to crack several passwords and found some interesting results. First, we tried the MD5 hash of the password “cracked”, which is a common English word with 7 characters. Note that we use only lower-case letters. Figure 3 below shows that it was easy to crack under both hash algorithms.
Figure 3. John the Ripper results for “cracked” password (MD5 and SHA-1 algorithms)
Lesson Learned: Do not use words that mean something in any language!
Next, we kept exactly the same keyspace but chose the password “adgjsfh”, which is not predictable. As the crack times show, the fact that the password is not a common English word is crucial. We stopped the process in order to save time.
Figure 4. John the Ripper results for “adgjsfh” password (MD5 and SHA-1 algorithms)
Lesson Learned: The fact that two passwords have the same keyspace does not mean that both can be cracked in the same amount of time.
Moving on, we tried to increase the set of possible characters by adding numbers to the password, making it alphanumeric, while at the same time decreasing the password length. The password we chose was “hack96”. As Figure 5 shows, the SHA-1 hash takes slightly more time to crack. This is reasonable, since the SHA-1 algorithm is stronger than MD5.
Figure 5. John the Ripper results for “hack96” password (MD5 and SHA-1 algorithms)
Lesson Learned: Even if we increase the keyspace, the fact that the password contains a common word may still make it crackable. Also, the hash algorithm plays a vital role in protecting against password cracking.
In the next example we pick a very short password consisting of a common English word with a symbol appended to it. In Figure 6 we note that the password is relatively strong despite its length.
Figure 6. John the Ripper results for “dog_” and “dog9_” (MD5 algorithm)
Lesson Learned: Even a very short password can be relatively strong if we pick rare characters. The best combination is a long password with numbers and rare symbols, hashed by a strong hash function.
Table 1. John the Ripper results for several passwords (MD5 and SHA-1 hashes)

Password | Length | Keyspace            | Common word | MD5 crack time | SHA-1 crack time
cracked  | 7      | 26^7 ~ 8 billion    | YES         | < 1 s          | < 1 s
adgjsfh  | 7      | 26^7 ~ 8 billion    | NO          | > 240 s        | > 240 s
hack96   | 6      | 36^6 ~ 2 billion    | YES         | ~ 2 s          | ~ 3 s
dog_     | 4      | 58^4 ~ 11 million   | YES         | > 240 s        | > 240 s
dog9_    | 5      | 68^5 ~ 1.5 billion  | YES         | > 240 s        | > 240 s
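The keyspace column of Table 1 worked out in code, as an added example that is not part of the original article: the alphabet sizes (26 lower-case letters, 10 digits, 32 symbols) are the article's; which exact characters count as "symbols" (Python's string.punctuation) and the optional hash rate for a worst-case time bound are assumptions.

```python
import string

# Character classes with the sizes used in Table 1 of this article.
# Treating string.punctuation (32 characters) as the symbol class is an assumption.
CLASSES = {
    "lower": (frozenset(string.ascii_lowercase), 26),
    "upper": (frozenset(string.ascii_uppercase), 26),
    "digit": (frozenset(string.digits), 10),
    "symbol": (frozenset(string.punctuation), 32),
}


def alphabet_size(password: str) -> int:
    """Size of the smallest union of character classes containing every
    character of the password, e.g. 'dog9_' -> 26 + 10 + 32 = 68."""
    size = 0
    for chars, n in CLASSES.values():
        if any(c in chars for c in password):
            size += n
    return size


def keyspace(password: str) -> int:
    """Number of candidates an exhaustive search over that alphabet and length covers."""
    return alphabet_size(password) ** len(password)


def worst_case_seconds(password: str, hashes_per_second: float) -> float:
    """Upper bound on brute-force time at an assumed hash rate (not measured in the article)."""
    return keyspace(password) / hashes_per_second


def table_row(password: str) -> str:
    """One line in the shape of Table 1's password/length/keyspace columns."""
    n, length = alphabet_size(password), len(password)
    return f"{password:<8} {length:>2}  {n}^{length} = {keyspace(password):,}"


if __name__ == "__main__":
    for pw in ["cracked", "adgjsfh", "hack96", "dog_", "dog9_"]:
        print(table_row(pw))
```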
The other password cracking tool we used was fcrackzip. In particular, it provides a free way to crack the passwords used to encrypt zip files. It can use either of the two techniques described above: dictionary and brute-force attacks.
First, we used zip to compress and encrypt a file by typing the following command: zip -e zippedFile.zip fileToZip. We then chose the password “cracker” to encrypt it. Note that, as in every UNIX application, the password is not echoed while typing, so its length is not displayed. We used both dictionary and brute-force attacks to crack the zipped file.
The first phase of a dictionary attack is the creation of an effective dictionary containing common words or even combinations of common passwords. We used a fixed dictionary shipped with John the Ripper to launch the attack. Figure 8 shows this kind of attack. Undoubtedly, the dictionary must contain the password for the attack to succeed.
Figure 8. fcrackzip dictionary attack
Since a dictionary contains only a limited number of common words and passwords, it will fail, or even produce false positives, when the chosen password is slightly more complex. An alternative is therefore to launch a brute-force attack. fcrackzip also provides specific options that can be helpful when the attacker
characters long and it starts with ‘c’. In this way we perform a brute-force attack on the zip file, as illustrated in Figure 9. At this point we should note that even with this much information, the time to crack the password was approximately 40 minutes.
Table 2. Information about the password and the respective option in fcrackzip

Information about the password                                | fcrackzip option
The password contains only small letters [a-z]                | a
The password contains only capital letters [A-Z]              | A
The password contains only numbers [0-9]                      | 1
The password contains only special symbols [!:$%&/()=?+*~#]   | !
The password length is known (for example 7 characters)       | -l
The first character is known (for example ‘c’ and length = 7) | caaaaaa
Figure 9. fcrackzip selective brute-force attack
The tools described above are only some of the many password cracking tools available. Each one of them has been implemented for a specific purpose. For example, Aircrack is able to recover WEP and WPA passwords once enough traffic has been captured. Hydra provides online and remote password cracking techniques. Finally, L0phtcrack attempts to crack Windows passwords from hashes that it obtains from various sources such as Active Directory.
http://www.unix.org/ – UNIX Operating System
Karen Scarfone and Murugiah Souppaya. Guide to Enterprise Password Management (Draft) – NIST Special Publication 800-118. Technical report, National Institute of Standards and Technology, 2009.
http://www.miraclesalad.com/webtools/md5.php – MD5 Hash Generator
http://www.sha1-online.com/ – SHA-1 Hash Generator
http://www.openwall.com/john/ – John the Ripper password cracking tool
http://oldhome.schmorp.de/marc/fcrackzip.html – fcrackzip password cracking tool
http://www.aircrack-ng.org/ – Aircrack password cracking tool
https://www.thc.org/thc-hydra/ – Hydra password cracking tool
http://www.l0phtcrack.com/ – L0phtcrack password auditing and recovery tool
About the Author
Yannis Pistolas is expecting to acquire a Master of Science in Information Security from Royal Holloway, University of London in November 2013. He also received a Bachelor of Science in Computer Science in 2011 from the University of Crete. He has a deep interest in Penetration Testing, Network Security, as well as software development using object-oriented languages.
About the Author
Marios Andreou obtained a BSc in Computer Science at the University of Crete in 2011 and completed his MSc in Information Security at Royal Holloway in 2012 (the University of London’s Information Security Group). He is interested in the areas of IT, Software Development, Network and Software Security, Cryptography and Security Consulting.