Cracking More Password Hashes With Patterns

It is a common mistake of application developers to store user passwords within databases as plaintext or only as their unsalted hash values. Many real-life successful hacking attempts that enabled attackers to get unauthorized access to sensitive database entries including user passwords have been experienced in the past. Seizing password hashes, attackers perform brute-force, dictionary, or rainbow-table attacks to reveal plaintext passwords from their hashes. Dictionary attacks are very fast for cracking hashes but their success rate is not sufficient. In this paper, we propose a novel method for improving dictionary attacks. Our method exploits several password patterns that are commonly preferred by users when trying to choose a complex and strong password. In order to analyze and show success rates of our developed method, we performed cracking tests on real-life leaked password hashes using both a traditional dictionary and our pattern-based dictionary. We observed that our pattern-based method is superior for cracking password hashes.

[1]  Sudhir Aggarwal,et al.  Password Cracking Using Probabilistic Context-Free Grammars , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[2]  Blase Ur,et al.  Measuring password guessability for an entire university , 2013, CCS.

[3]  Michael K. Reiter,et al.  The security of modern password expiration: an algorithmic framework and empirical analysis , 2010, CCS '10.

[4]  B. J. Fogg,et al.  Persuasive technology: using computers to change what we think and do , 2002, UBIQ.

[5]  L. O'Gorman,et al.  Comparing passwords, tokens, and biometrics for user authentication , 2003, Proceedings of the IEEE.

[6]  Vitaly Shmatikov,et al.  Fast dictionary attacks on passwords using time-space tradeoff , 2005, CCS '05.

[7]  Sugata Sanyal,et al.  CompChall: addressing password guessing attacks , 2005, International Conference on Information Technology: Coding and Computing (ITCC'05) - Volume II.

[8]  Sudhir Aggarwal,et al.  Building better passwords using probabilistic techniques , 2012, ACSAC '12.

[9]  Julie Thorpe,et al.  Visualizing semantics in passwords: the role of dates , 2012, VizSec '12.

[10]  Lujo Bauer,et al.  Guess Again (and Again and Again): Measuring Password Strength by Simulating Password-Cracking Algorithms , 2012, 2012 IEEE Symposium on Security and Privacy.

[11]  Thomas D. Wu A Real-World Analysis of Kerberos Password Security , 1999, NDSS.

[12]  Philippe Oechslin,et al.  Making a Faster Cryptanalytic Time-Memory Trade-Off , 2003, CRYPTO.

[13]  J. Yan,et al.  Password memorability and security: empirical results , 2004, IEEE Security & Privacy Magazine.

[14]  G. Fragkos,et al.  A Cognitive Model for the Forensic Recovery of End-User Passwords , 2007, Second International Workshop on Digital Forensics and Incident Analysis (WDFIA 2007).

[15]  Bohn Stafleu van Loghum,et al.  Online … , 2002, LOG IN.

[16]  Markus Jakobsson,et al.  The Benefits of Understanding Passwords , 2012, HotSec.

[17]  Sudhir Aggarwal,et al.  Testing metrics for password creation policies by attacking large sets of revealed passwords , 2010, CCS '10.

[18]  Christopher Krügel,et al.  Your botnet is my botnet: analysis of a botnet takeover , 2009, CCS.

[19]  Sang Joon Kim,et al.  A Mathematical Theory of Communication , 2006 .

[20]  Martin Stanek,et al.  Analysis of dictionary methods for PIN selection , 2013, Comput. Secur..

[21]  Yang Xiao,et al.  Differentiated Virtual Passwords, Secret Little Functions, and Codebooks for Protecting Users From Password Theft , 2014, IEEE Systems Journal.

[22]  Alain Forget,et al.  Improving text passwords through persuasion , 2008, SOUPS '08.