Inspired by ArsTechnica I decided to spend a good part of my Saturday seeing how easy it would be to crack some passwords. As stated in the article it has become ridiculously easy to do. Following the article somewhat I started off by getting myself a copy of HashCat and its GUI (I know, I know, I should use the cmd line but I’d rather not spend the entire day memorizing commands).
Next up is a list of password hashes I wanted to have something to crack. MD5Decrypter has a list available for downloading but I just did a Google search, hopped onto a forum and grabbed a file someone had requested help cracking with. Now I had my list and I was ready to get crackin’! But wait, there was still one more thing I needed which was a wordlist/dictionary to compare all these precious hashes with. Easy enough, just get the RockYou password file which can be found pretty quickly nowadays.
The moment of truth! I opened up Hashcat, pointed it to the uncracked hash file, added the RockYou password list to the Wordlists made sure Mode was set to Straight and hit the “Power of the Atom” button. In less than a minute it managed to decrypt 1036 of the 31275 files, which isn’t that much but considering it took so little time one starts to wonder how long it takes to crack your own passwords.
Next up I added the best64.rule which came with Hashcat and let it run again. After some time it came up with the following result.
Next I tried a Combination attack but that seemed to take an awful lot of time so I stopped that continuing with a brute-force attack using a mix of alpha numeric characters. The estimation said 45 minutes, take note that this takes this long because it’s running on my laptop (i7 with 8 threads @ 1.66GHz), using a more powerful computer or using a distributed network this can probably be done in a few minutes at most. But what would you expect if you need to check 56,800,235,584 words!
After 25 minutes I stopped the operation as it was obvious this was not a good way to get passwords quickly. Only 370 or 0.1% had been found using this technique.
Following these it was time to try my own passwords, I ran them through the SHA1 hashing algorithm and started an attack. I was really curious if they were going to fall or not… success! Not a single one got cracked, I guess I can feel a tiny bit safer on the web now, then again a lot depends on how these passwords are stored on the plethora of websites (plaintext *horror*, hashed with MD5, hashed with SHA1, with or without salts, …).
And ending this cracking fun I exported a column of hashed md5 passwords from a database I own and ran an attack using the best64 rule. After a merely ten minutes 15% of all passwords were cracked. Looking at them it seems a lot people couldn’t care less about the strength of their password. Lastly because I really wanted to know how many passwords would fall when taking the time like a dedicated cracker I applied the d3ad0ne rule and ran the attack again. This would take a handful of hours so I left it running in the background, and went on with my day. After a good fifteen hours it managed to get a little less than 2000 passwords, which is an amazingly scary large amount.
To conclude, as stated on various websites the concept of passwords is outdated. With current technologies and computing power any person who wants to cause havoc or be evil can do so in less than one day. I didn’t know anything about hacking or cracking passwords but seeing how simple it is using Hashcat makes me think of strengthening my passwords nonetheless especially since a person with no prior knowledge can discover someone’s password with a little bit of patience. One might argue that the two-way authentication should be the norm nowadays. Luckily Google already gave people the option to use it.