Password Cracking in Cyber Security



A password acts as a key to gain access to the system or other information like data in a database. Password cracking is the process of recovering passwords from data that have been stored or transmitted by a computer system. The purpose of password cracking is as follows:

  • To recover a forgotten password 
  • To test the strength of a password
  • To gain unauthorized access to a system

Manual password cracking is the process of trying out different password combinations and checking whether each one works, which is quite time-consuming. Manual password cracking involves:

  1. Find a valid user account
  2. Create a list of possible passwords (dictionary) 
  3. Rank the passwords from high to low probability 
  4. Key-in each password 
  5. Try again until a successful password is found

Sometimes a password can be guessed with prior knowledge of the target user's information. The characteristics of a guessable password are as follows:

  • Blank (no password)
  • General passwords like password, admin, 123456, etc. 
  • Series of letters like QWERTY 
  • User’s name or login name 
  • Name of a user’s friend/relative/pet 
  • User’s birth date or birthplace 
  • User’s vehicle number, office number, residence or mobile number 
  • Name of a celebrity or idol 
  • A simple modification of the above-mentioned passwords (like adding numbers)
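
One way to turn the characteristics listed above into a check that rejects guessable passwords when a user sets one. This is an added example, not code from the original page; the `profile` fields, the function names and the short word lists are assumptions constructed for illustration.

```python
import re

# Constructed sample lists; a real check would load a much larger blocklist.
COMMON = {"password", "admin", "123456"}
LETTER_SERIES = ("qwerty", "asdfgh", "zxcvbn", "abcdef")

def _alnum(text):
    """Lowercase and drop everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def _core(password):
    """Undo a simple modification: strip leading/trailing digits and symbols."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())

def guessable_reasons(password, profile):
    """Return which guessable characteristics `password` matches.

    `profile` is a hypothetical dict: login, names (user, friends, relatives,
    pets, idols), birth_date as YYYY-MM-DD, birthplace, numbers.
    """
    if password == "":
        return ["blank"]
    lowered, core, packed = password.lower(), _core(password), _alnum(password)
    reasons = []
    if lowered in COMMON or core in COMMON:
        reasons.append("common password")
    if any(run in lowered for run in LETTER_SERIES):
        reasons.append("letter series")
    words = [profile.get("login", ""), profile.get("birthplace", "")]
    words += profile.get("names", [])
    if any(len(_alnum(w)) >= 3 and _alnum(w) in packed for w in words):
        reasons.append("name, login or birthplace")
    if profile.get("birth_date"):
        y, m, d = profile["birth_date"].split("-")
        forms = {y, d + m + y, m + d + y, y + m + d, d + m + y[2:], m + d + y[2:]}
        digits = re.sub(r"\D", "", password)
        if any(form in digits for form in forms):
            reasons.append("birth date")
    for number in profile.get("numbers", []):
        n = _alnum(number)
        # Flag a password that is (part of) a known number, or contains one.
        if n and len(packed) >= 4 and (packed in n or n in packed):
            reasons.append("personal number")
            break
    return reasons
```

An empty result means none of the listed characteristics matched; it does not by itself mean the password is strong.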

The user passwords of websites or an operating system are generally not stored as plain text. To ensure the confidentiality of the password, it is changed into an intermediate form and then stored in a database. In general, hashing is used to convert a plain text password into a hashed password, and the hashed password is what is stored in the database. Even if someone is able to get hold of a hashed password, it is of no use without further analysis or processing. Although the hashing process is secure and reversing a hash to plain text is quite difficult, it is not a bulletproof solution.

Attackers can create a dictionary of hashed passwords and after getting a target hashed password, they can use a tool to try out whether the target hashed password matches any of the hashed passwords in the dictionary. If the tool gets a hit, then the plain text is easily revealed as the attacker has the corresponding plain text for the hashed password. The hashing process is as shown below: 





