To understand what makes a password strong, and what to look for when choosing one, it helps to first explain how passwords are cracked. That in turn requires knowing what hashed and salted passwords are:
What Are Salted Passwords?
As a rule, website operators do not store their users' passwords on the server in plain text. Instead, each password is run through a cryptographic password hashing function such as bcrypt, PBKDF2 or scrypt, and only the resulting hash value is stored. For example, the password password generator might be stored as the hash 8c89480a4bb5915e4d19d1142e3c65b2, a 32-hex-digit digest of the kind an unsalted MD5 hash produces; bcrypt and scrypt produce longer strings that also encode the salt and the work factor.
In other words, the operators' databases hold not the plaintext passwords but cryptic hash values derived from them. If a random value, the salt, is mixed into each password before hashing, one speaks of salted passwords: two users with the same password then end up with different stored hashes, and an attacker cannot reuse one precomputed table of hashes against every account. Password crackers try to recover the original plaintext passwords from these hashes with special programs.
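As an added example (not code from the original article), here is how a server can store a password with a per-user random salt and a slow key derivation function, and verify a login against the stored record, next to the unsalted MD5-style scheme that the 32-hex-digit example above resembles. The record format, the iteration count and the salt length are illustrative choices made for this example, not a standard.

```python
import os
import hmac
import hashlib
from typing import Optional

# Illustrative parameters for this example: PBKDF2-HMAC-SHA256 with a
# 16-byte random salt and 200,000 iterations.
ITERATIONS = 200_000
SALT_LEN = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a record of the form 'pbkdf2_sha256$<iterations>$<salt-hex>$<digest-hex>'.

    A fresh random salt is generated unless one is supplied, so the same
    password yields a different record for every user.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the digest with the salt stored in the record and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def unsalted_md5(password: str) -> str:
    """The weak scheme the 32-hex-digit example resembles: fast hash, no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Two users who chose the same password.
    alice = hash_password("password generator")
    bob = hash_password("password generator")
    print("salted records differ:", alice != bob)
    print("unsalted MD5 records identical:",
          unsalted_md5("password generator") == unsalted_md5("password generator"))
    print("login with correct password:", verify_password("password generator", alice))
    print("login with wrong password:", verify_password("Password generator", alice))
```

The two salted records differ even though both users chose the same password, so the attacker has to attack each record separately; the unsalted MD5 records are identical, so cracking one cracks both.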
How Do Crackers Actually Get To The Passwords?
For criminals to crack passwords, they must first attack an Internet service and steal its password hashes. The attacker obtains the hash database, for example, through a server attack in which he exploits security vulnerabilities such as SQL injection.
Other criminals simply wait until new password dumps appear on the Internet. Once the attacker possesses the hashes, he starts cracking them. Hashes cannot be decrypted, because a hash function is one-way; instead the attacker guesses candidate passwords, hashes them the same way the service did, and compares the results. Every hash he cracks gives him the plaintext password for the corresponding user account.
Since many people reuse passwords, the attackers then try the recovered credentials against other services such as e-mail providers, online banks, or web hosting providers.
The Tools and Tactics of Crackers
To crack password hashes, attackers use programs such as John the Ripper or Hashcat (oclHashcat was the older GPU-accelerated variant, since merged into Hashcat).
These tools do nothing but guess passwords. Of course, they do not simply try every letter combination from aaaaaaaa to zzzzzzzz in alphabetical order. Instead, they draw candidate passwords from password lists and dictionaries.
The program then hashes each imported word, using the same algorithm and, where one is present, the same salt as the stolen hash, producing a so-called candidate. The candidate hash is compared with the hash from the stolen database. If the two are identical, the password (or, in theory, a hash collision) has been found.
This cracking process runs automatically: the programs test one candidate after another at very high speed. For fast, unsalted hashes such as MD5 or NTLM, a single modern GPU tests billions of candidates per second; deliberately slow functions such as bcrypt or scrypt reduce this to thousands or fewer, depending on the cost factor. It is not uncommon for cracking tools to run on many machines for days or months. Often this computation is also carried out by compromised computers in botnets.
The Attack Techniques of Crackers
Cracking programs can import dictionaries and word lists. First, the tools are fed ordinary dictionaries such as the Duden, preferably in every available language. These dictionaries can contain up to 100 million words.
The word lists also contain passwords that have been cracked in the past, as well as song lyrics, Bible verses, and quotations.
Then it starts: in a so-called dictionary attack, each entry of the dictionary is tested individually and unchanged against the hash of the password to be cracked.
For this, the dictionary word is hashed (with the stored salt, if there is one), and the result is compared with the stolen hash. If the strings are identical, the password (or a hash collision) has been found.
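The dictionary attack described above, as an added example that is not part of the original article. The "stolen" table, its two storage schemes (unsalted MD5, and salted SHA-256 over salt followed by password), the usernames, salts, passwords and the word list are all constructed for this illustration; the cracker itself sees only the hashes, the salts and the word list. It also counts hash computations, which makes the effect of salting visible: for unsalted records one hash per word serves every account, while salted records must each be attacked with their own salt.

```python
import hashlib
from collections import Counter


def hash_candidate(algo: str, salt_hex: str, candidate: str) -> str:
    """Hash a candidate the way the leaked service did: salt bytes, then the password."""
    return hashlib.new(algo, bytes.fromhex(salt_hex) + candidate.encode("utf-8")).hexdigest()


def make_record(user: str, algo: str, salt_hex: str, password: str) -> dict:
    """Build one row of the constructed sample table (the attacker never sees `password`)."""
    return {"user": user, "algo": algo, "salt": salt_hex,
            "hash": hash_candidate(algo, salt_hex, password)}


# Constructed sample data, not a real breach: two unsalted MD5 accounts and
# three salted SHA-256 accounts. Salts and passwords are illustrative.
SAMPLE_TABLE = [
    make_record("alice", "md5", "", "sunshine"),                      # unsalted
    make_record("bob", "md5", "", "sunshine"),                        # same password -> same hash
    make_record("carol", "sha256", "a1b2c3d4e5f60718", "letmein"),
    make_record("dave", "sha256", "0f1e2d3c4b5a6978", "letmein"),     # same password, different hash
    make_record("eve", "sha256", "deadbeefcafef00d", "Tr0ub4dor&3"),  # not in the word list
]

# Constructed word list, in the order the tool tries it.
WORDLIST = ["123456", "password", "qwerty", "letmein",
            "sunshine", "dragon", "iloveyou", "monkey"]


def dictionary_attack(records, wordlist):
    """Test each word unchanged against every record. Returns (cracked, work)."""
    cracked = {}
    work = Counter()

    # Unsalted hashes: one hash per word covers every account using that
    # algorithm, so build a lookup table once and match all records against it.
    unsalted = [r for r in records if not r["salt"]]
    lookup = {}
    for algo in sorted({r["algo"] for r in unsalted}):
        for word in wordlist:
            lookup[(algo, hash_candidate(algo, "", word))] = word
            work["unsalted"] += 1
    for r in unsalted:
        word = lookup.get((r["algo"], r["hash"]))
        if word is not None:
            cracked[r["user"]] = word

    # Salted hashes: every candidate must be re-hashed with the record's own
    # salt, so the cost grows with the number of accounts attacked.
    for r in records:
        if not r["salt"]:
            continue
        for word in wordlist:
            work["salted"] += 1
            if hash_candidate(r["algo"], r["salt"], word) == r["hash"]:
                cracked[r["user"]] = word
                break
    return cracked, work


if __name__ == "__main__":
    cracked, work = dictionary_attack(SAMPLE_TABLE, WORDLIST)
    for user, pw in cracked.items():
        print(f"{user}: {pw}")
    print("hash computations:", dict(work))
```

Alice and Bob fall together because their unsalted hashes are identical; Carol and Dave share a password but have different salts and hashes, so each costs the attacker a separate run through the word list; Eve's password is not in the list and survives a pure dictionary attack, which is the property the rest of the article is about.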