How Do Hackers Guess Your Password?
In this week's newsletter, I delve into the vulnerabilities of traditional cryptographic hash functions and how to ensure your passwords are as secure as they can be in the event of a data breach.
In just under an hour, I figured out how to install and use Hashcat - a software notorious for cracking passwords, used by criminals, spies, and the merely curious like myself. But several minutes into a brute-force attack on several random passwords I made up and one worked-up GPU later (I had been fairly warned by Hashcat), I terminated the process and pondered the implications of what I had just attempted.
Cryptography, an ancient art, remains essential due to the countless passwords and passkeys floating around in our modern technology. But did you know that when you enter a password online, a security-conscious website doesn't store it as plain text? Instead, it saves it using a cryptographic hash function, which maps your password to a mathematically irreversible string of random characters known as a hash value.
How Hash Functions Become Compromised
One such hash function, MD5, was once standard for securing passwords after its creation in the early 1990s. However, it’s no longer deemed secure, having been found highly susceptible to attacks using relatively unsophisticated GPUs and software like Hashcat. This is because of the minimal computation needed to convert a password into its MD5 hash value, enabling hackers to rapidly cycle through passwords - 8 billion per second, to be precise.
In a brute-force attack, every possible combination of characters that could make up the password is tested. Passwords under around 6 or so characters are especially vulnerable, but as the length increases, the average amount of time to find the correct combination increases exponentially. After brute-forcing the weakest passwords, hackers will often turn to their carefully-crafted dictionaries. These contain lists and combinations of words that are commonly used in passwords and highly memorable - including names (the names of certain celebrities are more common than you might think), dates, and substitutions like ‘1’ for ‘i’.
Rainbow tables, which contain precomputed outputs of hash functions, can also be used to convert hash values back into plaintext in the event of a data breach. An increasingly common tactic to protect against this is to "salt" the hash function by adding random data to the end of a password before converting it to its hash value. The term “rainbow table” originates from the way these tables are structured, representing a spectrum of sequential hash values, much like a spectrum of colours.
As you’ve probably gathered by now, the use of MD5 as a cryptographic hash function is ill-advised. Fortunately, modern cryptographic hash functions are far more computationally intensive and resistant to brute-force and rainbow table attacks. As technology evolves, we must ensure cryptography keeps pace, especially with upcoming challenges like quantum computing.
Quantum Cryptography: The Future?
The ultimate solution could be quantum key distribution (QKD), a theoretically unbreakable encryption process that would only be vulnerable if you managed to break the laws of physics. As quantum computers pose an increasing threat to the cryptographic protocols currently in use, QKD could be the key to ensuring our data remains secure. It’s not a topic I’ve researched extensively yet, but I hope to explore it in more detail in a future post.
Despite future threats, the best action you can take right now to protect your personal information is to strengthen your passwords. Consider using passwords that are at least 12 characters long and include a mix of uppercase, lowercase, digits, and special characters. Try your best not to use the same password across multiple accounts—if one becomes compromised due to a data breach, the others are at risk too!
You might consider using an online tool to test the strength of your passwords, such as this one. However, keep in mind that these tools often underestimate how quickly a password can be cracked because they primarily consider the speed of brute-force attacks and fail to account for the fact that people often use memorable words, phrases, and predictable patterns to construct their passwords.
Happy securing!