by CJ Wiemer on July 11, 2019
Security teams like ours often encounter some common misconceptions when it comes to passwords. The worst is a sense of false humility.
Too many people do not believe it is worth the effort to create and remember a complex password for because they don’t believe that any malicious person will target them individually. “Why would they try and go after my account?” they ask. “There's no way they would target me personally.”
Let’s get one thing out of the way once and for all: It’s not about you. It’s about gaining access.
If they happen to come across your username in their effort to do so, why wouldn't they try some guesses at your password? Why not check to see if you’ve changed it from the default or made it one of the most commonly used passwords?
Simply put, an attacker won’t need to target you personally. In many cases, they’ve pulled all of the passwords they can from whichever database they’ve managed to access. You’ve seen many such leaks in the news. Alternatively, they may be sitting on your network, collecting random password hashes from the network traffic. With those in hand, they just need to crack the passwords themselves.
This is where having a more complex password helps thwart a bad actor’s efforts.
Understanding Password Hashing
In most cases, an attacker has gotten their hands on your password hash and not your password in plain, readable text. So what does that mean, and how can you take advantage of hashing to protect your data?
The password hash is the result of taking your password and putting it through one of many available mathematical algorithms known as hashing algorithms. The result of that process is a seemingly random string of characters—what we refer to as the hash.
The purpose of hashing is to provide a secure way to store passwords. We don't want to store passwords in plain text because, if we did, anyone with access to the database could read everyone’s password. Given a hash, however, one cannot tell what the original password is. It is (theoretically, depending on which algorithm is chosen) impossible to take a password hash and reverse it to unveil the original password.
How about an example?
Say my password is “test1234”—even though I would never use that because it is very weak, obviously. When I put my password through a hashing algorithm (MD5 to be exact), the resulting hash is “16d7a4fca7442dda3ad93c9a726597e4.” That hash is what gets stored in the database.
Now, if I gave “16d7a4fca7442dda3ad93c9a726597e4” to someone, they would have no idea that my password is “test1234” because it is impossible to reverse it back through the algorithm.
Look what happens if I just change one character in my password, to “Test1234”: the resulting hash is “2c9341ca4cf3d87b9e4eb905d6a3ec45.” These are two completely different, seemingly random strings of characters, even though the original passwords are so similar. This is good.
Then how do the bad guys crack passwords so easily, and what does complexity have to do with it?
The thing about password hashes is that, for the same passwords run through the same algorithm, the hash never changes. Every time I take “test1234” and put it through the MD5 algorithm, it is going to result in “16d7a4fca7442dda3ad93c9a726597e4.” How do bad guys know that that hash, “16d7a4fca7442dda3ad93c9a726597e4,” indicates a password of “test1234”? Enter the password crackers.
Understanding Password Crackers
A password cracker comes up with its own passwords, puts them through the hashing algorithm, and then compares the resulting hashes with the captured users’ hashes. Typically, the cracker is using words found in the dictionary as the base for a password. This is why passwords that use common words (like “spring19” or “test1234”) are cracked fairly easily.
The password cracker is also running through different combinations of characters based on the rule set the hacker gives it. The rule set is how the password cracker manipulates the characters to create a password.
For example, the cracker will try changing an “a” to a “@,” an “e” to a “3,” make all of the letters capitalized, add numbers to the end of it, and so on. These are common linguistic “tricks” among users, so hackers know to give them a try.
Going back to “test1234,” the password cracker rapidly creates its own passwords and gets to “Test1234,” but it sees that the resulting hash—"2c9341ca4cf3d87b9e4eb905d6a3ec45”—is not the same as “16d7a4fca7442dda3ad93c9a726597e.” It then tries “test1234,” hashes it, and sees that this is the same as the stolen hash. The password cracker informs the hacker that “test1234” resulted in a matching hash.
This is how passwords are discovered when hashes are obtained. The password cracker is very rapidly (billions of times a second, in most cases) creating its own password, putting it through the hashing algorithm, and seeing if the resulting hash matches the user’s. The hacker isn’t doing the work; a computer program is.
The Value of Longer Passwords
That’s how passwords are cracked, but if it’s all random and computerized, why does creating a more complex password matter?
To answer that, here’s a comic highlighting the statistics behind the question (it’s embedded below).
As you can see, length is your friend when it comes to stronger passwords. The longer the password, the longer it will take to crack. When a password cracker has more characters to fill to guess the correct password, it’s exponentially less likely to get it right.
In other words, you don’t need a complex password with lots of fancy special characters if you have a long password.
Many organizations (Relativity included) are moving away from requiring complex passwords and toward passphrases instead, setting a minimum of 20 characters. This encourages the user to come up with an entire sentence or phrase instead of a word with some special characters or numbers thrown in. Again, length increases the entropy, which increases the unknown, and is therefore harder to guess.
For those stubborn users who want to keep their one-word password, here’s some advice: Put numbers and special characters at the beginning, middle, and end of your password. This will help increase the length and therefore increase its complexity and the difficulty involved in cracking it. Another option is to type out those numbers and special characters.
Let’s say your password is “Spring19!” We can add complexity by changing it to “Springnineteenexclamationpoint.” We have just taken a password that would most likely be cracked in a matter of minutes (if not sooner), and increased it to a 30-character password, greatly increasing its entropy. You can even add spaces between each word if it will let you. Or, better yet, add another character in between each word: “Spring&nineteen&exclamation&point.” Now that is a solid password—and easy enough to remember.
Good password practices are essential for keeping your data safe, because in today’s landscape, it can be easier for bad actors to access hashes than you might like to think. In some environments, someone with the right access to your network—authorized or otherwise—may be able to access password hashes within the first 10 minutes of coming online. Add in the time it takes to crack the weak passwords we’ve discussed here, and that means it could take less than 15 minutes before they have valid credentials to start logging in.
It’s on you to help prevent people who’d take advantage of that vulnerability from gaining access to all of your organization’s data goodies.
CJ Wiemer is a team lead in vulnerability management on Relativity’s security team, Calder7. He has spent years hacking into companies and telling them what to fix, though he has no idea why he is so passionate about password strength.