SPOC-Web Icon, semantic Knowledge Management

How to... get Things done

Hacking of passwords and phrases

Hacker have of course long reacted to the use of passphrases. Their tools contain pre-calculated hashes for common phrasen and song titles.

How do hackers operate?

Hackers have a difficult job. Therefore they employ a set of techniques to increase their chancen. This begins with applied psychology and statistics and reaches to completely automated programs to systematically hack bank accounts or web servers.

  • Hackers use statistics to reduce the number of passwords they have to test. This ranges from character distributions in different languages to known password lists and their frequencies. The more a user corresponds to the models of a hacker, the fewer alternatives have to be tested.
  • They spy out the habits of users and administrators and purposefully attack personal weaknesses or gaps in processes
  • Even when the passwords are encrypted or hashed, they can be largely reconstructed by matching them with so-called Rainbow-tables of precompiled hashes.

There are many more toolkits for hacking, that automate much of the work. For each of the known or common vulnerabilities there is a program that automates it.


How should web sites protect passwords?

It is more worthwile for hackers to attack web sites with login-data instead of focusing on individual users.

When they succeed, they often can salvage files or databases with user data. This happens regularly. Only the most spectacular cases appear in the news, the uncounted daily hacks are not even mentioned (according to a study by Sophos in 2012 about 30000 Webseiten were hacked daily. And this interactive infographic visualizes the ever increasing trend). Web-Services of all kinds are affected, even large names like Yahoo, Facebook or EBay are no exception.

When you create an account with an online-service, pay attention to the following criteria:

  • Maximum number of failed login-attempts; This is the most important protection: Many web sites allow for arbitrary many attempts. This allows for "Brute Force" attacks by systematically trying out many passwords.
  • Choice of the username: Many web sites use the eMail-adress for login. This is problematic, because a single eMail-address is likely to be reused for a great number of web sites
    • Moreover the adresse is likely to appear in conversations and blog entries, so they can be picked up by robots and collected into lists
    • On the other hand, many people like to reuse the same user name anyway, so better put the effort into good passwords.
  • When the web site is hacked, there should be further means to protect the user-data:
    • Immediate notification of all potentially affected users about the security breach, so they can change their login-data. Unfortunately exactly this rarely happens, so that compromised passwords stay in use and can be exploited to hack more sites. Many breaches are reported only years later.
    • Hashing of Passwords. Unbelievably many amateur-web sites still store their passwords as clear text. Even an encrypted file is not sufficient for long-term storage. When the files are salvaged, a Hacker has all the time in the world to degrypt them and using a well-known frequency distribution of passwords it is feasible to decrypt ALL passwords!
    • Salt & Pepper: Hashing the passwords protects at least rare passwords, because you cannot reconstruct a password from its hash. But simple hashing is not sufficient, because here also statistics allow to infer the most frequent ones. And so you can deduce the seed of the hash which allows hackers to build custom rainbow tables. Instead each password should be combined with an individuall random number, the so-called "salt", as well as a unique so-called 'pepper', another random number, to completely avoid statistical inference on the passwords.

Personal handling of passwords

One of the most severe mistakes on the user side of a web service is to re-use the same password on different web sites. When one of these is cracked, the Hacker can assume the users identity on ALL other sites and goes unnoticed. The necessary conclusion is to use password-manager softwar, since it is impossible to handle large numbers of cryptographically secure passwords.

Categories of passwords

At first glance, any unknown password may seem secure, but when dealing professionally with these topics (and hackers do), there appear (among others) the following, psychologically motivated Categories of passworten (with increasing entropy/security):

  • Frequent passwords: As this Report shows, already "123456" or "password" will open up more than 1% of all accounts, unless the web-service explicitly disallows these. Another 1000 passwords break into about 13% accounts. When the user names are unknown, large lists of eMail-Adresses are cheaply available.
  • Simple Words: from 300 to 10.000 of the most frequent words are sufficient, to crack most accounts within minutes, provided the number of attempts is not limited or the hash is known.
  • Words with numbers or special characters: with brief passwords, these increase the time needed only by one magnitude. With long passphrases though this is quite efficient.
  • Manually chosen combinations of letters and numbers: These are not random enough. Humans don't choose random values. Even when they try, they will actively avoid familiar looking patterns and thus actually decrease entropy! Try this for yourself: have someone write down a long random sequence of heads and tails as if flipping a coin and you will see fewer patterns HHH or TTTT than they would actually appear in purely random tosses (1/8th and 1/16th respectively). 
  • Passworte generiert aus kryptographischen Zufallszahlen: Only these are sufficiently random to be used safely. But even those generators built into most programming languages are mostly not sufficient, since their numbers are usually too small and the digits of these numbers are not completely independent of each other. Also multiple subsequently generated numbers are often more tightly coupled, so their randomness is reduced.

The hacker ecosystem

According to the different types of passwords mentioned above, hacker emply very diverse programs and techniques to crack web sites. Scripts and even cracking suites are maintained to e.g. create viruses or automate much of the cracking process, while the hacker sits back and only coordinates it. Once decrypted, usernames and passwords are often not immediately exploited but e.g. sold to agencies or other hackers. Only when an opportunity appears, they may be used, while the actual client is unaware of this threat.

This approach is similar to the hoarding of backdoors by CIA and other secret services. Many known bugs and vulnerabilities in applications and operating systems were NOT reported to the software producers to be fixed. Instead they are stashed for possible future application. Unfortunately these troves can also be stolen by hackers and sold to the highest bidder. A large CIA package was fortunately given to WikiLeaks, where it is still being evaluated due to its volume.