PASSWORD CRACKING
How passwords are really cracked. Passwords are not saved as plain text. Any website of this age on the internet uses a hashing algorithm to encrypt and manage passwords. There are many types of hashing algorithms, like SHA-1, MD5, etc.

As an example for this video, let's consider Facebook. In order to log into your Facebook account, you enter your email and password and click on Log In. The first time you create a Facebook account, you are asked to fill in a form like this, which contains your name and your email address, and it asks you to choose a password, your birth date and your gender. Once you click on Sign Up, this data is sent to Facebook's back-end database. In Facebook's database, your name, your gender, your age and your email or phone are saved as they are. But what about the password? As I told you, a password will never be saved as plain text in a website's database. So this password is given as input to a hashing algorithm, and the output given by this hashing algorithm is the encrypted form of the password, which appears to be random but is not. This hashed password is saved in Facebook's database, but not the plain text. That means the password which you entered will never be saved in Facebook's database as plain text; instead, only its encrypted form, or in other words the hashed password, is saved in Facebook's database.

Now suppose Facebook had a data breach and hackers managed to gain access to Facebook's user info, which included their name, age, gender, email and password. Though the hackers have this information, they will not be able to log in to any specific user account, because the password is encrypted. If the hacker tries to log in to any specific user account with the hashed password, he will not be provided access; he needs to enter the password in its plaintext form. So what does the hacker do now? Intuitively, the only possible way is to reverse the hash into its plaintext form, but this is highly impossible, because a hash is a one-way function and the plaintext form of a hash cannot be obtained from the hash itself. That is how hashing algorithms are designed.

So what now? This is when the strength of the password comes into play. If you are using a common password like test123456, which I used earlier to sign up for Facebook, then the hacker will easily be able to know the plaintext form of your password from the hash string. There is something known as rainbow tables. These rainbow tables contain the password hashes of numerous commonly used passwords along with their plaintext forms. So the hacker will be able to do a simple search with the password hash that he has, and if the password hash exists in the rainbow table, that means that the password is successfully cracked and we now have the password in plaintext form. Remember, the rainbow tables contain the password hashes of only the passwords which are commonly used. As a reference, you can try it yourself at crackstation.net.

But what if the password is not a commonly used password? In that case, rainbow tables are of no use. So there comes the dictionary attack and the brute-force attack. Both are quite similar.

In a dictionary attack, you have a word list. A word list is nothing but a huge text file with loads of passwords. In this attack, the hacker writes code which compares the password hash to be cracked with the password hash of each and every password that exists in the word list file. If any hashes match, then it means that the cracking is successful and we now have the plain text of the hashed password. Now, this attack can be target-specific as well, which means you can actually create your own word list targeting a specific individual, provided that you know some basic details about him and assuming that he used his basic details to frame his password. This attack can be a success or a failure based on the quality of the word list that you are using.

In a brute-force attack, each and every combination of letters, symbols and numbers is converted into its hash form and is then compared with the password hash which is to be cracked. In other words, you are literally taking every possible password that can exist, converting it into its hash, and checking if the hashes match. So yes, it literally takes forever to crack a strong password using this method. However, if the computer's processing speed is fast enough, then yes, simple passwords can be cracked easily by this method.

A new technique called salting was introduced by security analysts to give hackers a hard time in cracking passwords. In this technique, a specific combination of characters is inserted at specific positions of the plaintext password before hashing. Every company has its own salting algorithm, and they don't make their salting algorithm public. For example, let's say Facebook's salting algorithm inserts the string f&2p at the beginning, after the third character, and at the end of the plaintext password. After salting the password, the salted password is then hashed by a hashing algorithm. So when a salt is used, rainbow tables are of no use, even if the password to be cracked is a weak and commonly used password, because the hash of the password without salting does not match the hash of the password which is salted. Also, brute-force attacks and dictionary attacks are not effective for cracking salted passwords unless the hacker already knows the salting algorithm employed by a company.
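The effect of salting on a precomputed hash table, as an added example that is not part of the original video or post. It goes beyond the fixed-string scheme described above and assumes common practice instead: a random per-user salt stored next to the hash, fed to PBKDF2-HMAC-SHA256. The password list, function names and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: a handful of common passwords (illustrative only).
COMMON_PASSWORDS = ["123456", "password", "test123456", "qwerty"]
ITERATIONS = 100_000  # assumed work factor for this example


def unsalted_hash(password):
    """Plain SHA-1 of the password: the unsalted storage the text starts from."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(passwords):
    """Precomputed hash -> plaintext map, the kind of table the text describes."""
    return {unsalted_hash(p): p for p in passwords}


def hash_with_salt(password, salt=None):
    """Derive a key with PBKDF2; a fresh random 16-byte salt is made per user."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key


def verify(password, salt, expected_key):
    """Login check: re-derive with the stored salt, compare in constant time."""
    _, key = hash_with_salt(password, salt)
    return hmac.compare_digest(key, expected_key)


def demo():
    table = build_lookup_table(COMMON_PASSWORDS)
    # Two users pick the same weak password.
    a_plain, b_plain = unsalted_hash("test123456"), unsalted_hash("test123456")
    a_salt, a_key = hash_with_salt("test123456")
    b_salt, b_key = hash_with_salt("test123456")
    return {
        "unsalted_found": table.get(a_plain),        # table hit
        "unsalted_identical": a_plain == b_plain,    # same hash for both users
        "salted_found": table.get(a_key.hex()),      # no table hit
        "salted_identical": a_key == b_key,          # differs per user
        "login_ok": verify("test123456", a_salt, a_key),
        "login_bad": verify("test12345", a_salt, a_key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
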