Top 5 Password Cracking Techniques Used by Hackers

Cyber Security Threat Summary:
Phishing is often cited as the most successful initial-access method for both cybercriminals and more sophisticated nation-state actors. Gaining access to valid accounts is one of the easiest and most powerful tools available to a threat actor. Why spend resources breaching powerful security tools when you can simply trick an employee into clicking a bad link, or crack their password?

This article provides an overview of password cracking, discusses the importance of strong passwords, and details the top 5 password cracking techniques hackers use. “Password cracking typically involves brute-forcing a password using various methods. To understand password cracking, you must first understand how passwords are stored. There are two primary ways to store passwords: encryption and hashing” (Bleeping Computer, 2023). Encryption takes readable plaintext and converts it into ciphertext that is unreadable until it is decrypted. Hashing is the usual choice for storing the passwords of online services: since the service operator never needs to recover a password, only to verify that a submitted one is correct, the password is hashed rather than encrypted. Hash algorithms convert a plaintext value into a fixed-length output in a one-way process that cannot be reversed. “Before attempting to crack a password, an attacker must retrieve the ciphertext value, often through man-in-the-middle attacks, hacked credential databases, or phishing attempts. Ultimately, the attacker can begin their work once the ciphertext value has been obtained, typically as a hash value” (Bleeping Computer, 2023).

Security Officer Comments:
Once an attacker has stolen a hashed password, they will use various methods to crack it. Brute-forcing is often used, but the process can be inefficient and unreliable. Threat actors use tooling to attempt every possible combination of letters, numbers, and symbols. Usually they start with common words and phrases found in real passwords (a dictionary attack), which speeds the process up. If the password is completely random, the process takes much longer or may not finish at all. Brute forcing is the least efficient technique, but given enough time it will eventually crack any password. An attacker may use a single computer or a cluster of computers to attempt every possible variation. The longer the password, the more difficult and time-consuming the cracking process becomes.

Attackers will also use rainbow tables. “Since hashing algorithms are publicly known, it is possible to create massive lists of pre-computed password hashes that a stolen hash can be compared against, instead of generating a new hash for every variation” (Bleeping Computer, 2023). There are many different hash methods and an effectively unlimited number of password variations, so managing and storing rainbow tables can be difficult. If the service used password salting, the rainbow table becomes unreliable, because a random value known only to the server is added to the front and end of the hash.
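The following is an added, editor-supplied example (not code from the Bleeping Computer article or from any of the tools named below) that makes the storage model and the rainbow-table point concrete. The wordlist is constructed, `unsalted_md5` models legacy storage, `precompute_table` builds a hash-to-plaintext lookup (the same effect a rainbow table achieves with far less storage), and `salted_sha256` / `verify_salted` model the salted scheme. All function names and the `salt$digest` storage format are assumptions of the example.

```python
import hashlib
import secrets
from typing import Optional

# Constructed wordlist standing in for a real dictionary of common passwords.
COMMON_PASSWORDS = ["password", "letmein", "welcome1", "Summer2023", "dragon", "qwerty"]


def unsalted_md5(password: str) -> str:
    """Legacy storage: hash the password alone. Identical passwords give identical hashes,
    so one precomputed table answers the question for every user at once."""
    return hashlib.md5(password.encode()).hexdigest()


def precompute_table(words) -> dict:
    """Map hash -> plaintext for every word in the list, computed once and reused.
    A rainbow table is the space-efficient form of this idea; a plain dict shows the effect."""
    return {unsalted_md5(w): w for w in words}


def reverse_with_table(table: dict, stolen_hash: str) -> Optional[str]:
    """One dictionary lookup replaces one hash computation per guess."""
    return table.get(stolen_hash)


def salted_sha256(password: str, salt: Optional[bytes] = None) -> str:
    """Salted storage: a per-user random value is hashed together with the password and
    stored beside the digest as salt$digest so the server can recompute it on login.
    Because each user gets a different salt, no single precomputed table matches them all."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"{salt.hex()}${digest}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest = stored.split("$")
    expected = hashlib.sha256(bytes.fromhex(salt_hex) + password.encode()).hexdigest()
    return secrets.compare_digest(expected, digest)


def table_hit_rate(table: dict, stored_hashes) -> float:
    """Fraction of stolen hashes the precomputed table reverses (0.0 for salted rows)."""
    if not stored_hashes:
        return 0.0
    hits = sum(1 for h in stored_hashes if reverse_with_table(table, h) is not None)
    return hits / len(stored_hashes)


if __name__ == "__main__":
    table = precompute_table(COMMON_PASSWORDS)
    stolen_unsalted = unsalted_md5("letmein")
    print("unsalted lookup:", reverse_with_table(table, stolen_unsalted))   # letmein
    stolen_salted = salted_sha256("letmein")
    print("salted lookup:  ", reverse_with_table(table, stolen_salted))     # None
    print("verify salted:  ", verify_salted("letmein", stolen_salted))      # True
    print("hit rate, unsalted:", table_hit_rate(table, [unsalted_md5(p) for p in COMMON_PASSWORDS]))
    print("hit rate, salted:  ", table_hit_rate(table, [salted_sha256(p) for p in COMMON_PASSWORDS]))
```

Run stand-alone to see the lookup succeed against the unsalted hash and fail against the salted copy of the same password, even though the salt itself is stored in the clear next to the digest. In production the salted scheme should also use a deliberately slow key-derivation function (PBKDF2, bcrypt, scrypt or Argon2) rather than a single SHA-256, so that per-hash guessing is expensive as well as untabulated.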

Threat actors have also turned to a more advanced form of dictionary attack, the Markov chain attack. This involves statistically analysing a table of words to calculate the probability that one character follows another, and then using those probabilities to order the guesses in a brute-force attack.
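The same statistics serve the defender: a password policy can train a character-transition model on a known-leaked wordlist and reject candidates the model finds too predictable. The block below is an added example written for this page (not from the article or any named tool); the training corpus is constructed, the bigram model, the add-one smoothing over a 95-character printable-ASCII alphabet, and the calibration rule (reject anything no more surprising than the worst training word) are all assumptions of the example.

```python
import math
from collections import Counter, defaultdict

# Constructed training corpus standing in for a leaked-password list (not real data).
TRAINING = ["password", "password1", "passw0rd", "iloveyou", "sunshine",
            "princess", "football", "welcome", "monkey", "dragon"]

START, END = "\x02", "\x03"   # sentinel characters that cannot appear in a typed password
ALPHABET = 95                 # printable ASCII; used for add-one smoothing of unseen transitions


def train_bigram_model(words):
    """Count how often each character is followed by each other character (first-order Markov chain)."""
    counts = defaultdict(Counter)
    for w in words:
        seq = START + w + END
        for a, b in zip(seq, seq[1:]):
            counts[a][b] += 1
    return counts


def surprise_bits(model, candidate: str) -> float:
    """-log2 of the probability the model assigns to the candidate. A low value means the
    candidate closely follows the corpus's letter patterns, i.e. a Markov-ordered guesser
    would reach it early. Unseen transitions are smoothed rather than given probability 0."""
    seq = START + candidate + END
    bits = 0.0
    for a, b in zip(seq, seq[1:]):
        row = model.get(a, Counter())
        total = sum(row.values())
        bits -= math.log2((row[b] + 1) / (total + ALPHABET + 1))
    return bits


def calibrate_threshold(model, words) -> float:
    """Highest surprise the model assigns to any training word: a candidate at or below
    this level is no better than a password that is already on the leaked list."""
    return max(surprise_bits(model, w) for w in words)


def is_too_predictable(model, candidate: str, threshold: float) -> bool:
    """Policy check: True if the candidate should be rejected as too predictable."""
    return surprise_bits(model, candidate) <= threshold


if __name__ == "__main__":
    model = train_bigram_model(TRAINING)
    threshold = calibrate_threshold(model, TRAINING)
    for candidate in ["password", "passw0rd1", "Kz7#Qv!9Hm2%"]:
        verdict = "reject" if is_too_predictable(model, candidate, threshold) else "accept"
        print(f"{candidate!r}: {surprise_bits(model, candidate):.1f} bits -> {verdict}")
```

With a real leaked corpus the model is far sharper than this ten-word toy, but the ordering is already visible: the leetspeak variant `passw0rd1` scores close to the plain dictionary words, while a string with no corpus-like transitions scores far higher.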

Credential stuffing is a major concern when a victim reuses the same password, or variations of it, across services. Once one password is stolen from a service, the attacker can quickly try that password or its variations against other services the user may have access to. In the case of personal accounts, threat actors can read through the victim's email to see which services they have subscribed to, then try the same password or variations against more sensitive banking or corporate accounts. Of course, with access to the personal email account, threat actors can also simply reset the passwords of those connected services.

As computing power and artificial intelligence continue to evolve, some password hashing schemes are becoming obsolete. MD5 and SHA-1 hashes can be cracked quickly by these evolving technologies. CISA has even released CISA Insights: Preparing Critical Infrastructure for Post-Quantum Cryptography, which outlines the actions critical infrastructure stakeholders should take now to prepare for their future migration to the post-quantum cryptographic standard that the National Institute of Standards and Technology (NIST) will publish in 2024.
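A practical consequence of fast, unsalted MD5 and SHA-1 storage is that existing credential stores need migrating, and the plaintext needed to rehash a row is available exactly once: at the user's next successful login. The block below is an added example for this page (not code from the article or any named tool) showing that inventory-and-upgrade pattern. The credential store, its row formats, the function names and the `pbkdf2_sha256$iterations$salt$digest` encoding are assumptions of the example; the 600,000 iteration count follows the OWASP Password Storage Cheat Sheet guidance for PBKDF2-HMAC-SHA256.

```python
import hashlib
import secrets
from typing import Dict, Tuple

PBKDF2_ITERATIONS = 600_000   # OWASP guidance for PBKDF2-HMAC-SHA256; tune to your hardware
HEX = set("0123456789abcdef")


def make_pbkdf2(password: str, salt: bytes = None, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Modern row: salted, deliberately slow, self-describing so parameters can change later."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


# Constructed credential store {username: stored_hash}. Two legacy rows are bare hex
# digests with no salt; the third has already been migrated.
LEGACY_STORE: Dict[str, str] = {
    "alice": hashlib.md5(b"Summer2023").hexdigest(),
    "bob": hashlib.sha1(b"letmein").hexdigest(),
    "carol": make_pbkdf2("correct horse battery staple"),
}


def classify(stored: str) -> str:
    """Identify the scheme from the row's shape (legacy rows carry no algorithm tag)."""
    if stored.startswith("pbkdf2_sha256$"):
        return "pbkdf2_sha256"
    if len(stored) == 32 and set(stored) <= HEX:
        return "md5-legacy"
    if len(stored) == 40 and set(stored) <= HEX:
        return "sha1-legacy"
    return "unknown"


def legacy_report(store: Dict[str, str]) -> Dict[str, str]:
    """Inventory: which accounts still sit on a fast, unsalted hash."""
    return {u: classify(h) for u, h in store.items() if classify(h) != "pbkdf2_sha256"}


def verify(password: str, stored: str) -> bool:
    """Check a password against whichever scheme the row uses, in constant time."""
    kind = classify(stored)
    if kind == "pbkdf2_sha256":
        _, iters, salt_hex, digest_hex = stored.split("$")
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
        return secrets.compare_digest(digest.hex(), digest_hex)
    if kind == "md5-legacy":
        return secrets.compare_digest(hashlib.md5(password.encode()).hexdigest(), stored)
    if kind == "sha1-legacy":
        return secrets.compare_digest(hashlib.sha1(password.encode()).hexdigest(), stored)
    return False


def login(store: Dict[str, str], username: str, password: str) -> Tuple[bool, bool]:
    """Returns (authenticated, upgraded). A successful login against a legacy row is the
    one moment the plaintext is in hand, so rehash it and replace the row immediately."""
    stored = store.get(username)
    if stored is None or not verify(password, stored):
        return (False, False)
    if classify(stored) != "pbkdf2_sha256":
        store[username] = make_pbkdf2(password)
        return (True, True)
    return (True, False)


if __name__ == "__main__":
    store = dict(LEGACY_STORE)
    print("before:", legacy_report(store))           # alice and bob on legacy hashes
    print("alice login:", login(store, "alice", "Summer2023"))   # (True, True): upgraded
    print("after: ", legacy_report(store))           # only bob remains
```

Accounts that never log in again keep their legacy row, so the inventory report doubles as the list of accounts to force a reset on once the migration window closes.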

There are dozens of open-source password crackers available online through community-developed channels. These tools are constantly evolving and create ever more challenges for network defenders. Three common tools are listed below:

  • John the Ripper - Supports hundreds of hash types across many applications and is available on multiple platforms.

  • Hashcat - Works with the CPU and GPU to provide a high-speed command-line password-cracking tool supporting many hash types.

  • Ophcrack - A tool based around rainbow tables focused on LM and NTLM passwords used in Windows environments.

Suggested Corrections:
Passwords have been a weak link in security for many years. Multi-factor authentication is a recommended mitigation for many of the attack types listed above. Threat actors have become increasingly successful at bypassing MFA, so phishing-awareness training is essential. With that said, organizations should still enforce MFA across all accounts. SMS-based MFA is better than nothing, application-based MFA is better still, and many organizations are moving towards hardware keys to protect their employees' accounts.

Source: https://www.bleepingcomputer.com/news/security/top-5-password-cracking-techniques-used-by-hackers/