We have established now passwords are stored in Part 3 and the most common ways of extracting hashed passwords in Part 4. In Part 5 we will examine how to crack a hashed password.
After the previous post you likely have a short list of random characters that you want to translate into the password the user actually typed into the computer. In other words, crack the password. How the heck do you do it? Is it even possible given the impressiveness of the hash algorithms? Yes it is and there are a number of tools that will even do it for you!
Determining the hash algorithm
The first step is to figure out what algorithm was used to convert the typed in password to gobbledygook. In theory, this should be incredibly difficult. There are literally endless ways that it could be done. In practice though it is quite easy – just about everyone uses the same couple algorithms!
Most websites are going to do what everyone else does – if the hash algorithm works well enough for others, it must be pretty good. In fact, hardly any small website owner is going to put any thought into this – they are just going to use pre-built solutions. Most pre-built solutions and programming languages have the same hash algorithms built in. MD5 by far the most common and SHA-1 is gaining in popularity.
Not to oversimplify things, odds are if your hash is 32 characters long, you’re looking at DM5. 40 characters long, SHA1.
Let’s crack 94804c0a8c1771947cfba8ec3e0a4c30
The first step is determining the hash algorithm used. It is 32 characters long and came from a not technically advanced site so we are going to assume it is DM5. But in case it is not, there is also an open source tool on GitHub we can use to figure out all the possible hash algorithms that could have been used. Simply type in the URL “http://hash.heroku.com/hash/” + the hashed password you want to crack and it will report back all the possible algorithms. Here it is for our example.
Check to see if it is a low hanging fruit
For the most popular hash algorithms there are plenty of online tools where you can enter a hashed password and it will crack it. If the password is “weak” that is … this method probably won’t work if there are numbers or special characters in the password. Luckily most passwords are all lowercase. Here is an excellent online tool. Entering our hashed password into the search box provides the following result:
Well that was easy: the password was carebear. But how does the tool work? And what do I do if the tool doesn’t know the password?
Rainbow Tables
One way to crack passwords is to generate every possible password and store the corresponding hash value. So we would enter “carebear” = “94804c0a8c1771947cfba8ec3e0a4c30” in our database. Once we have all the passwords calculated, it is as simple as doing a reverse look-up to crack the password. But is this feasible? With 26 letters in the alphabet and passwords less than 10 characters, this would be 268 possible passwords. MD5 hashes are 32 characters long or 32 bytes (made up of 256 1’s and 0’s). 268 passwords x 32 bytes is 6 terabytes of data.
That is certainly a lot of hard drive space, but not out of the realm of possibility. If your rainbow tables take advantage of the fact that you don’t have to store repetitive information, you can greatly reduce the amount of storage space required. You can download the complete set of lowercase passwords with numbers of a length up to 8 for less than 40 GB of space. Here are a bunch of MD5 rainbow tables that you can download.
Brute Force
The other approach is to compute the hashed password values on the fly without storing them. This approach is obviously likely to take longer, but is quickly becoming the preferred approach.
Amazon’s EC2 cloud services provide cheap processing power to the masses (and the best part is that you only have to pay for what you use). This comes out to cents per minute. Considering that you can calculate hundreds of thousands of password hashes a second, it shouldn’t take too long or too much money to crack a password. Here is a story of a white hat hacker than payed Amazon $1.68 to hack his neighbor’s WiFi password.
Concluding Thoughts
I hope I have shown that it is fairly easy to crack a password. The next post I’ll cover some things that you should be doing to protect your passwords and your websites.
- MD5 and SHA-1 wiki pages
- Here is why it is not possible to have a rainbow table that can cover every possible password
- Here is a question about figuring out the hash algorithm
- Here is a guy that says it is possible to do 500 billion candidate passwords a second on Amazon EC2. Wow that is fast!
- Does anyone know the percent of websites that use MD5? I couldn’t find any numbers out there but would imagine it is way north of 50%.
Photo: Mattias