Password Cracking
Overview
Password cracking is an attack in which the attacker retrieves
password hashes (produced by a cryptographic hash function) from the website and then
recovers the passwords from those hashes. This recovery is done by guessing
possible passwords, generating the corresponding hashes for them and comparing
them to the list of hashed passwords obtained. Where a match is found, a valid
password has (likely) been guessed.
What makes a site vulnerable?
A site may be vulnerable to password cracking if it stores cryptographically
hashed passwords (good) in a vulnerable location (bad).
Impact of the attack
The attack potentially gives an attacker access to user accounts.
This allows him to impersonate a user, access the user’s data and close the
account or change its password to one unknown to the user.
Preventing the attack
Password cracking is a form of
password guessing and can be hindered
using similar techniques (password length and complexity requirements), as long
as the hash function is secure. Unlike password guessing via login mechanisms,
it will not be possible to limit the number of attempts the attacker makes once
he is in possession of the hashes. Salting password hashes (by including a
known random component) will prevent the attacker from being able to use
dictionaries of pre-computed hashes to look up hashes in less time, and will
force him to attack each individual hash separately. Another valid strategy is,
of course, to protect the hashed passwords more vigorously. A defence-in-depth
strategy should both protect the hashed passwords and use salting and a strong
password policy to ensure the greatest level of protection.
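The following is an added example (not code from the original page) that shows, in Python, the guess-hash-compare process described in the Overview and why the salting recommended above defeats a dictionary of pre-computed hashes. It contrasts the weak setting (a fast, unsalted SHA-256 digest, which a table keyed by digest recovers with one lookup) with the corrected setting (a per-user random salt plus a deliberately slow key-derivation function, PBKDF2-HMAC-SHA256, so the same table matches nothing and each stored record must be worked on on its own). The wordlist, passwords and record layout are constructed for the demonstration; the iteration count is an assumption and real deployments should follow current guidance for their chosen KDF.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist standing in for a dictionary of common passwords.
WORDLIST = ["password", "123456", "letmein", "qwerty", "hunter2"]


def unsalted_hash(password: str) -> str:
    """Weak setting: fast, unsalted hash. Equal passwords always give equal
    digests, so one table of pre-computed digests serves every user and site."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def precomputed_table(words):
    """Dictionary of pre-computed unsalted digests, keyed by digest."""
    return {unsalted_hash(w): w for w in words}


def lookup_unsalted(stored_digest: str, table):
    """Recover the password behind an unsalted digest with a single lookup
    (returns None when the password is not in the table)."""
    return table.get(stored_digest)


def salted_hash(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Corrected setting: per-user random salt plus a slow KDF.
    The iteration count here is an assumption for the demo."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str) -> dict:
    """What the site stores per user: a fresh random salt and the derived hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": salted_hash(password, salt)}


def verify(password: str, record: dict) -> bool:
    """Login check: re-derive with the stored salt and compare in constant time."""
    candidate = salted_hash(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def table_matches_record(record: dict, table) -> bool:
    """A table of unsalted digests cannot match a salted record, because the
    digest depends on a salt that was not known when the table was built."""
    return record["hash"].hex() in table


def same_password_distinct_hashes(password: str) -> bool:
    """Two users with the same password get different stored hashes, so an
    attacker must work on each record separately rather than once per password."""
    a, b = make_record(password), make_record(password)
    return a["hash"] != b["hash"] and a["salt"] != b["salt"]


if __name__ == "__main__":
    table = precomputed_table(WORDLIST)
    print("unsalted lookup:", lookup_unsalted(unsalted_hash("hunter2"), table))
    rec = make_record("hunter2")
    print("login with right password:", verify("hunter2", rec))
    print("table matches salted record:", table_matches_record(rec, table))
    print("same password, distinct hashes:", same_password_distinct_hashes("hunter2"))
```

The `verify` function uses `hmac.compare_digest` so that the comparison time does not leak how many leading bytes of the candidate matched; the salt is stored alongside the hash because it is not a secret, its job is only to make each stored hash unique.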