Passwords | Entropy and Cracking

Last Updated : 14 Jun, 2022
While navigating the internet we are asked for our login credentials at almost every website we use regularly. One of the most important login credentials is our password, or rather our passwords, since we should have a different password for every account (if you have just realized that you don't, please go ahead and change them). This article talks about secure passwords, insecure ones, how to choose a good password and how passwords can be cracked. It is divided into three sections. Let's move on to the first one.

How are passwords stored?

Whenever you create an account on a website and type in your password, the password you typed isn't saved to the database. It is instead run through a hash function (a one-way function whose output looks pseudo-random), which produces a hash that usually looks like pure gibberish but is actually quite useful for security. Instead of the plain-text password its hash is stored in the database, so that if the website is hacked and the passwords are leaked online, all the attacker gets is gibberish and not the real plain-text password that the user entered when creating the account. For example, if our password is 'geeksforgeeks' and we run it through the SHA-256 hash function, we get the following result:
  plain-text password: geeksforgeeks
  Result: f8d59362da74ffe833332dc20508f12de6da6a9298c98b3b42873e7298fced78
Whenever a user logs in to the website they enter the same plain-text password on the client side; it is run through the same hash function, and if the hash matches the one stored in the database the user is authorized to use that account. If a different user chooses the same password, both stored hashes come out identical (a collision in the stored values), which reveals that the two accounts share a password. To avoid this, an extra piece of plain text (called a salt) is added to the original password before it is run through the same hash function, producing a unique hash per user. Both the hash and the salt are then stored in the database so the user can be verified in future. This method of storing passwords can be made more secure still by running the password through many iterations of the hash function, which makes each guess more expensive for an attacker.
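As an added illustration of the storage scheme described above (example code written for this article, not the site's own), the block below contrasts the plain SHA-256 approach with a salted, iterated hash using PBKDF2-HMAC-SHA256 from Python's standard library, and keeps the salt next to the hash in a constructed in-memory user table. The iteration count is a demo value, not a recommendation.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Plain SHA-256 of the password, as in the article's 'geeksforgeeks' example.
# Every user with the same password gets the same hash, so a leaked table
# exposes all of them at once.
def unsalted_sha256(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

# Constructed iteration count for the demo; real deployments tune this higher.
ITERATIONS = 100_000

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256 from the standard library).

    A fresh random salt per user means two users who pick the same password
    still get different stored hashes, and each guess must be hashed
    `iterations` times, which slows an attacker holding the leaked table.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest

def verify_password(password: str, salt: bytes, stored: bytes,
                    iterations: int = ITERATIONS) -> bool:
    _, candidate = hash_password(password, salt, iterations)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, stored)

# Constructed in-memory stand-in for the website's user table.
USERS: Dict[str, dict] = {}

def register(username: str, password: str) -> None:
    salt, digest = hash_password(password)
    # Both the salt and the hash are stored; the plain-text password is not.
    USERS[username] = {"salt": salt, "hash": digest, "iterations": ITERATIONS}

def login(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        return False
    return verify_password(password, rec["salt"], rec["hash"], rec["iterations"])

if __name__ == "__main__":
    register("alice", "geeksforgeeks")
    register("bob", "geeksforgeeks")
    print(USERS["alice"]["hash"] != USERS["bob"]["hash"], login("alice", "geeksforgeeks"))
```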

Can they be cracked?

Despite taking all precautions and keeping up with the best practices of information security, things can still go wrong. If you are a fan of the show Mr. Robot like me, then you must be familiar with the bitter truth that anything can be hacked. Let's say a website was compromised and all of its users' passwords were leaked on the web, available to you as a text file; since the passwords were stored as hashes, all the text file contains is gibberish. There are two methods to crack these hashes.
  1. Brute Force Attacks: Most of you must be familiar with this type of attack, as it is the most common. As its name suggests, it tries every combination of plain-text characters, runs each through the hash function and compares the result with the hashes in our text file. You might think running every permutation through a hash function and matching it against the file would take a lifetime, but suppose the attacker has access to a high-performance server with 4 of the latest NVIDIA graphics cards, giving it the ability to compute 40 billion hashes per second. Now it becomes a matter of seconds. The software used is called CUDA HashCat. Say we have a file called test.hash containing all the hashes and we want every 7-character password made of lowercase letters; we run the following command.
    ./hashcat -a 3 test.hash ?l?l?l?l?l?l?l
    -a selects the attack mode; 3 is mask (brute-force) mode, and ?l stands for one lowercase letter, so repeating it 7 times means 7 lowercase letters. Within seconds every combination whose hash matches one in test.hash is displayed on screen. If we want to crack passwords of 6 lowercase letters followed by 2 digits, we write this instead:
    ./hashcat -a 3 test.hash ?l?l?l?l?l?l?d?d
    As the number of characters grows the attack slows down, because the number of combinations grows: it equals the size of the character set raised to the power of the password length (for mixed masks, the product of the set sizes for each position).
      First Example: 26^7
      Second Example: 26^6 * 10^2
    As the search space gets bigger, brute force becomes infeasible even for fast, simple hash functions like MD5 or SHA-1, and in such cases we move on to dictionary attacks.
  2. Dictionary Attacks: We have a dictionary of commonly used passwords stored in a text file, and we hash each entry and compare it with the hashes obtained from the site's database. This is much more efficient than brute force. There is a well-known password list called "rockyou" which contains millions of such passwords. Let's run such an attack.
    ./hashcat -a 0 test.hash ./dictionaries/rockyou.dict
    -a 0 selects dictionary (straight) mode, and we provide the path to our dictionary file. These attacks can be customized by applying a set of rules to the dictionary and then hashing the resulting candidates. The rules are nothing but the usual variations people apply in the belief that they make their passwords more secure, such as replacing I's with 1's or E's with 3's. Say all your rules are stored in a file called myrules.rule; running the attack with this file performs a series of dictionary attacks, applying one rule at a time to the whole dictionary. For that we run the following:
    ./hashcat -a 0 -r ./rules/myrules.rule test.hash ./dictionaries/rockyou.dict

Choosing a strong password

The popular online comic xkcd depicted the problem people have with choosing and remembering passwords in a comic strip about password entropy. What is it exactly? Password entropy is simply the amount of information held in a password, measured in bits. The higher the entropy of a password, the longer it takes to crack. A 6-character password has very low entropy and can easily be brute-forced. A 10-character password with symbols is safe from brute force, but it may still be cracked with a dictionary. The comic strip proposes "correcthorsebatterystaple" as a possible password. Since it is 4 words appended together, it is 'un-brute-forcable' by character combinations. Even without special characters it is a good password because of its high entropy, and it is also difficult to crack by a dictionary, but not impossible: instead of trying combinations of characters, an attacker can run a dictionary attack over combinations of English words. To make it really secure, take 3 or 4 uncommon English words and stick a special character in the middle of a word; that makes it un-brute-forcable and almost dictionary-proof. And if all of that sounds like a pain, you can just use a good password manager with a single master password to remember.
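To put numbers on the keyspace formulas from the brute-force section and the entropy claims above, here is an added calculator (example code for this article, not from the original). It converts a hashcat-style mask into a candidate count, entropy in bits and worst-case time at the article's 40 billion hashes per second, and generalizes to word-based passphrases; the 2048-word list size used for the passphrase case is an assumption, as is the 95-character size for the all-printable class.

```python
import math

# Character-set sizes for hashcat mask classes: ?l lowercase, ?u uppercase,
# ?d digits, ?s printable specials, ?a all printable ASCII (assumed sizes).
CHARSET_SIZES = {"?l": 26, "?u": 26, "?d": 10, "?s": 33, "?a": 95}

def keyspace_from_mask(mask: str) -> int:
    """Number of candidates a mask such as '?l?l?l?l?l?l?d?d' describes:
    the product of the per-position set sizes, which reduces to
    set_size ** length for a uniform mask (26**7 in the article)."""
    if len(mask) % 2:
        raise ValueError("mask must be a sequence of ?x tokens")
    total = 1
    for i in range(0, len(mask), 2):
        tok = mask[i:i + 2]
        if tok not in CHARSET_SIZES:
            raise ValueError(f"unsupported mask token {tok!r}")
        total *= CHARSET_SIZES[tok]
    return total

def passphrase_keyspace(words: int, wordlist_size: int = 2048) -> int:
    """Keyspace of a passphrase when the attacker guesses whole words from a
    known list: wordlist_size ** words. 2048 words (11 bits each) is an
    assumed list size, not a value from the article."""
    return wordlist_size ** words

def entropy_bits(keyspace: int) -> float:
    """Entropy in bits: log2 of the number of equally likely candidates."""
    return math.log2(keyspace)

def seconds_to_exhaust(keyspace: int, hashes_per_second: float = 40e9) -> float:
    """Worst-case time to try every candidate at the article's 40 billion
    hashes/second; an average crack takes about half of this."""
    return keyspace / hashes_per_second

def report(label: str, keyspace: int) -> str:
    years = seconds_to_exhaust(keyspace) / (86400 * 365)
    return f"{label}: {keyspace:.3e} candidates, {entropy_bits(keyspace):.1f} bits, {years:.2e} years"

if __name__ == "__main__":
    cases = [
        ("7 lowercase", keyspace_from_mask("?l?l?l?l?l?l?l")),
        ("6 lowercase + 2 digits", keyspace_from_mask("?l?l?l?l?l?l?d?d")),
        ("10 chars, any printable", keyspace_from_mask("?a" * 10)),
        ("4 words from a 2048-word list", passphrase_keyspace(4)),
    ]
    for label, ks in cases:
        print(report(label, ks))
```

The 7-lowercase and 6-lowercase-plus-2-digit masks both fall in well under a second at that rate, while the 10-character all-printable case and the four-word passphrase are the two the text calls safe from plain brute force.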

Palash Nigam
Article Tags :
  • Ethical Hacking