Brute-force and dictionary attack on hashed real-world passwords

An information system is only as secure as its weakest point. In many information systems that remains to be the human factor, despite continuous attempts to educate the users about the importance of password security and enforcing password creation policies on them. Furthermore, not only do the average users' password creation and management habits remain more or less the same, but the password cracking tools, and more importantly, the computer hardware, keep improving as well. In this study, we performed a broad targeted attack combining several well-established cracking techniques, such as brute-force, dictionary, and hybrid attacks, on the passwords used by the students of a Slovenian university to access the online grading system. Our goal was to demonstrate how easy it is to crack most of the user-created passwords using simple and predictable patterns. To identify differences between them, we performed an analysis of the cracked and uncracked passwords and measured their strength. The results have shown that even a single low to mid-range modern GPU can crack over 95% of passwords in just few days, while a more dedicated system can crack all but the strongest 0.5% of them.