
How your Password is Cracked

Posted: 12th May 2017 in Security News

A password cracking utility will first try common passwords and dictionary words to find a match. If this does not yield a result, the cracker moves on to a brute force attack, which tries every combination of letters, numbers and symbols until a match is found. Before falling back to brute force, mangling rules are applied to the dictionary words to mimic the substitutions people make in their passwords: E becomes 3, A becomes @, s becomes 5, o becomes 0, and an exclamation mark is added to the end of the word.

P@55w0rd!, anyone?

With the massive leaks of users' passwords from breaches such as Sony and Yahoo, the dictionaries used for cracking grow with real passwords that people chose for their online accounts. Attackers analyse the leaked password lists to find the most common passwords and add these to their attack dictionary. Further analysis of the leaked lists reveals the patterns people follow, which is then used to refine the substitution rules.
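The two phases described above, dictionary words with substitution rules first and brute force only if that fails, as an added Python example that is not part of the original post. The wordlist, the rule set and the unsalted SHA-1 target are constructed assumptions standing in for a real leaked dictionary, a real rule file and whatever fast hash a breached site used; real tools such as hashcat and John the Ripper do the same job with far larger wordlists and on GPUs.

```python
import hashlib
import itertools

# Constructed stand-in for a leaked-password dictionary such as the breach dumps
# the post describes; real wordlists run to millions of entries.
WORDLIST = ["123456", "password", "letmein", "qwerty", "monkey", "dragon"]

# Assumed substitution rules of the kind the post lists (hashcat-style "leet").
SUBSTITUTIONS = {"e": "3", "a": "@", "s": "5", "o": "0"}
SUFFIXES = ["", "!", "1", "123"]


def mangle(word):
    """Yield every candidate derived from one dictionary word by the rules above."""
    letters = list(SUBSTITUTIONS)
    variants = set()
    # Every subset of the substitutions, including the empty one (the plain word).
    for r in range(len(letters) + 1):
        for subset in itertools.combinations(letters, r):
            variant = word
            for letter in subset:
                variant = variant.replace(letter, SUBSTITUTIONS[letter])
            variants.add(variant)
    for variant in sorted(variants):
        for cased in (variant, variant.capitalize(), variant.upper()):
            for suffix in SUFFIXES:
                yield cased + suffix


def sha1_hex(candidate):
    """Unsalted SHA-1, standing in for whatever fast hash the leaked database used."""
    return hashlib.sha1(candidate.encode()).hexdigest()


def dictionary_attack(target_hash, wordlist=WORDLIST, hash_fn=sha1_hex):
    """Phase 1: dictionary words plus mangling rules. Returns (plaintext, guesses)."""
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            if hash_fn(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def brute_force(target_hash, charset="abcdefghijklmnopqrstuvwxyz0123456789",
                max_length=4, hash_fn=sha1_hex):
    """Phase 2: exhaustive search of every string up to max_length over charset."""
    guesses = 0
    for length in range(1, max_length + 1):
        for chars in itertools.product(charset, repeat=length):
            guesses += 1
            candidate = "".join(chars)
            if hash_fn(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def crack(target_hash, **brute_force_options):
    """Dictionary first, brute force only if that fails, as the post describes.

    Returns (plaintext or None, phase that found it, total guesses made).
    """
    found, guesses = dictionary_attack(target_hash)
    if found is not None:
        return found, "dictionary", guesses
    found, more = brute_force(target_hash, **brute_force_options)
    return found, "brute-force", guesses + more


if __name__ == "__main__":
    for secret in ("P@55w0rd!", "Dragon123", "zq7x"):
        found, phase, guesses = crack(sha1_hex(secret))
        print(f"{secret!r}: recovered {found!r} by {phase} after {guesses} guesses")
```

Note how few guesses the "clever" P@55w0rd! survives: it is the word "password" plus three substitutions and a suffix, so it falls in the dictionary phase long before brute force starts, while a short random string like zq7x is only reached by exhaustive search.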

How long does it take to crack my password?

This depends on password length, complexity, the hash algorithm and the computing power available. When a computer's CPU alone was used to break a password hash, the process took what seemed a comfortable length of time. Since the rise of the all-powerful graphics card, things have changed considerably: to put this in perspective, a single GPU can check at least eight billion password combinations each second against a fast, unsalted hash such as MD5 or NTLM. A deliberately slow password hash such as bcrypt or PBKDF2 cuts that rate by several orders of magnitude, which is why the hash algorithm matters as much as the password itself.

Password length    CPU                 GPU
4 characters       20 to 30 seconds    Less than a second
6 characters       1 to 2 hours        4 seconds
7 characters       4 days              17 minutes
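The arithmetic behind estimates like the table above, as an added Python example that is not part of the original post. The table's figures are the post's own and are not reproduced here; the example computes worst-case time as keyspace divided by guess rate, using the post's eight billion guesses per second for a fast hash and an assumed, far lower rate for a deliberately slow hash, and it benchmarks MD5 against PBKDF2 on the local CPU to show where that gap comes from.

```python
import hashlib
import string
import time

# Character-set sizes for the keyspace estimate (exact counts of ASCII classes).
CHARSETS = {
    "digits": len(string.digits),                                    # 10
    "lowercase": len(string.ascii_lowercase),                        # 26
    "alphanumeric": len(string.ascii_letters + string.digits),       # 62
    "printable": len(string.ascii_letters + string.digits
                     + string.punctuation) + 1,                      # 95, incl. space
}

# Assumed guess rates, not measurements: the first is the post's "eight billion
# per second" for a fast unsalted hash on one GPU; the second assumes a slow,
# tunable password hash such as bcrypt or PBKDF2 at a sensible cost setting.
RATES = {
    "GPU, fast hash": 8e9,
    "GPU, slow hash": 1e5,
}


def keyspace(length, charset_size):
    """Worst-case number of candidates a brute-force attack must try."""
    return charset_size ** length


def seconds_to_crack(length, charset_size, guesses_per_second):
    """Worst-case seconds to exhaust the keyspace at the given guess rate."""
    return keyspace(length, charset_size) / guesses_per_second


def human(seconds):
    """Render a duration in the same rough units as the post's table."""
    if seconds < 1:
        return "less than a second"
    for unit, size in (("year", 365 * 86400), ("day", 86400),
                       ("hour", 3600), ("minute", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}s"
    return f"{seconds:.0f} seconds"


def crack_time_table(charset_size, lengths=(4, 6, 7, 8, 10, 12), rates=RATES):
    """Rows of (length, {rate name: human-readable worst-case time})."""
    return [(n, {name: human(seconds_to_crack(n, charset_size, rate))
                 for name, rate in rates.items()})
            for n in lengths]


def measure_rate(hash_fn, seconds=0.25):
    """Guesses per second one Python thread manages for hash_fn on this CPU."""
    candidate = b"P@55w0rd!"
    count = 0
    start = time.perf_counter()
    while count == 0 or time.perf_counter() - start < seconds:
        hash_fn(candidate)
        count += 1
    return count / (time.perf_counter() - start)


if __name__ == "__main__":
    fast = measure_rate(lambda c: hashlib.md5(c).digest())
    slow = measure_rate(lambda c: hashlib.pbkdf2_hmac("sha256", c, b"salt", 100_000))
    print(f"this CPU: MD5 {fast:,.0f}/s, PBKDF2-SHA256 (100k rounds) {slow:,.1f}/s, "
          f"ratio {fast / slow:,.0f}x")
    for n, times in crack_time_table(CHARSETS["printable"]):
        print(f"{n:2d} printable chars: "
              + ", ".join(f"{name} {t}" for name, t in times.items()))
```

Two things the table alone does not show: each extra character multiplies the time by the size of the character set, so length beats symbol substitution, and moving the same 7-character password from a fast hash to a slow one turns a few hours into decades at these assumed rates.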

Where possible we would recommend using two-factor authentication to strengthen the identification of the end user of the system. Two-factor authentication commonly combines the username and password with a time-limited one-time code, so that a cracked or leaked password on its own is not enough to access the account.

The National Cyber Security Centre offers useful guidance on simplifying your approach to passwords and on two-factor authentication, which can be found at the links below.

https://www.ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach

https://www.ncsc.gov.uk/guidance/cloud-security-principle-10-identity-and-authentication