The Dirt On Password Cracking

October 12, 2016 | Views: 3435


Where to start? I read an open topic where the author stated that by making their password longer they made it un-crackable (in our lifetimes). Now, in a perfect world, this is true. However, cryptography is not perfect. I’ll give you a brief rundown on how this works most of the time.

The server (or program) asks for a password. You give your password. The application on the server turns your password into a confusing amalgam of numbers and letters, e.g. 85E6990264C86E55C412B7BFE2CFEA91 (MD5). This is called a hash. The server then saves it in a file.

You go to Facebook and put in your username and password. Facebook hashes your password, and the server checks whether that hash matches the hash it has on file. If the hashes match, it grants you access. Now, if someone steals this file, they can run a brute-force program that hashes an outrageous number of passwords trying to find yours (which is why “password” and simple words like “egg” are bad). But now there are collision attacks (we’ll get there in a second). There are also other, more complicated and more effective ways to crack your password, but we won’t get into those now.

Alright, so let’s assume that every single possible password produces a unique hash. Yay. Cryptography is perfect, no more need for security experts. Unfortunately, this is not possible. When two passwords create the same hash, a collision occurs. If my password is “E*d&ve%odc(/ou@3hecDe8532.”, I might assume it is un-crackable. I’d probably be right, unless there was a simple word that produced the same hash (such as “egg”).

“But Cyber,” you say, “what are the chances of that?” To which I reply: it really depends on the hashing function your server/site/application uses and whether or not any of the sites you have ever visited have had their password files dumped (stolen). Crackers (black hats) will oftentimes upload their hash dumps (your username and password hash) to the internet and give them to whoever as a form of bragging. Then twenty other crackers (more bad guys) will download them and start trying to crack them with either a collision attack or brute forcing. Brute forcing usually comes first, because after 16 hours it will have 90% of the passwords (because some people still use Password or shark 15 as their password). Then they can sell this list of decrypted passwords/usernames to anyone willing to buy them.

The only reason this is effective and profitable is that people use the same password for different sites. So, as a recap: use different passwords for different sites (safe). Use more complicated passwords (safer). Finally, just because you have the most complicated password in history (safest)… DO NOT assume you are protected for eternity (not safe). A good security posture is to change your password(s) every three months (yes, for every site). But if you don’t really care about how secure your Myspace page is, leave it. The password on that site is now different from all the others, and you aren’t doomed to financial ruin (or mockery on Facebook) in the event you get cracked. I also highly recommend you get a password manager and/or write these passwords down. (Please do NOT let your browser manage your password either.)


Hopefully, this is helpful and entertaining,


  1. nice piece of article my friend.

  2. Try to add some numbers and special characters in your password

  3. that was good

  4. True, to some extent.

    Usually, it is not a hash of the password, but the hash of a SALTED password with a random and unique salt, that is stored. In this scenario, hash collision won’t be much of an issue. You would need the same salt on the cracked as well as the to-be-hacked system (might be an issue with default installations using a default static salt, though).

    Some hashing algorithms like bcrypt are specifically designed for hashing passwords, for instance by slowing down the hash generation. Therefore, they are a better choice than general hashing algorithms like SHA-2, SHA-1 or, god beware, MD5, which are more optimized for speed.

    The most important advice for passwords:
    1. Never use the same password on different sites. I strongly recommend using a password manager generating random passwords with a default setting of at least 30 characters and a mix of alphanumeric characters and symbols.
    2. Don’t use easy to guess passwords like words, patterns, dates. And NO, appending them with a !,?,# or some other special character won’t help much since the bad guys have identified this as a pattern, too.
    3. Enable two-factor authentication whenever possible

  5. Thanks friend, good article.
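
The login check from the article and the salted, slow hashing described in the fourth comment, side by side, as an added example that is not part of the original post or its comments. PBKDF2-HMAC-SHA256 from Python's standard library stands in for bcrypt here; the account names, word list and iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for this example

def md5_record(password):
    """Scheme the article describes: one fast, unsalted MD5 per password."""
    return hashlib.md5(password.encode()).hexdigest().upper()

def salted_record(password, salt=None):
    """Random per-user salt plus a deliberately slow hash."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify(password, record):
    """Login check: re-hash with the stored salt, compare in constant time."""
    salt, stored = record
    return hmac.compare_digest(salted_record(password, salt)[1], stored)

def audit_unsalted(dump, wordlist):
    """One hash per candidate word is compared against every account at once."""
    lookup = {md5_record(word): word for word in wordlist}
    return {user: lookup[h] for user, h in dump.items() if h in lookup}

# Constructed sample accounts; names are made up, passwords come from the article.
USERS = {"alice": "password", "bob": "password",
         "carol": "E*d&ve%odc(/ou@3hecDe8532."}

def demo():
    md5_dump = {u: md5_record(p) for u, p in USERS.items()}
    salted_dump = {u: salted_record(p) for u, p in USERS.items()}
    return {
        "md5_same_for_same_password": md5_dump["alice"] == md5_dump["bob"],
        "salted_same_for_same_password":
            salted_dump["alice"][1] == salted_dump["bob"][1],
        "weak_accounts_in_md5_dump": audit_unsalted(md5_dump, ["egg", "password"]),
        "login_ok": verify("password", salted_dump["alice"]),
        "login_wrong": verify("egg", salted_dump["alice"]),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With unsalted MD5, two users with the same password share one stored value and a single word-list pass flags both; with per-user salts the stored values differ, so every guess has to be recomputed, slowly, for each account.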
