Password Cracking and Countermeasures in Computer Security: A Survey

With the rapid development of internet technologies, social networks, and other related areas, user authentication becomes more and more important to protect the data of the users. Password authentication is one of the widely used methods to achieve authentication for legal users and defense against intruders. There have been many password cracking methods developed during the past years, and people have been designing the countermeasures against password cracking all the time. However, we find that the survey work on the password cracking research has not been done very much. This paper is mainly to give a brief review of the password cracking methods, import technologies of password cracking, and the countermeasures against password cracking that are usually designed at two stages including the password design stage (e.g. user education, dynamic password, use of tokens, computer generations) and after the design (e.g. reactive password checking, proactive password checking, password encryption, access control). The main objective of this work is offering the abecedarian IT security professionals and the common audiences with some knowledge about the computer security and password cracking, and promoting the development of this area.Comment: add copyright to the tables to the original authors, add acknowledgement to helpe

Understanding common password design:a study towards building a penetration testing tool

Abstract. Almost everything that is meant to be kept private is currently being protected by passwords. While systems and devices can be designed with robust security measures, the effcacy of such systems can be compromised if the end-user chooses a weak password, especially one easily found in common wordlists. Given the prevailing security dynamics, especially with the ongoing Ukraine war and Finland’s NATO membership considerations, the inadequate protection of WiFi devices may transcend individual privacy concerns. Supo, the Finnish Security and Intelligence Service, posits that routers with subpar security could pose considerable national security risks. This thesis aims to investigate the strategies people use when creating new passwords. This is done by using prior knowledge about password creation habits and by conducting an analysis of leaked passwords. The study also examines existing tools for password list generation for penetration testing to see what the strengths and weaknesses of those tools are. This will be the groundwork for creating a lightweight tool for password list generation that can be used to do penetration testing with dictionary attacks and possibly detect if weak passwords are being used. The problem with the current tools is that they either create a very large wordlist or are too small to be practical. They also seem to lack the mangling capabilities of the wordlists. The proposed solution is evaluated using the wardriving method, accompanied by the acquisition of pmkid hashes from WiFi access points. Subsequently, these hashes are matched against passwords generated by the designated tool, leveraging Hashcat to ascertain their decryptability. Through this process, the study also provides a snapshot of WiFi password robustness within the City of Oulu. The fndings revealed that approximately 6% of WiFi access points employed passwords deemed too weak. This discovery aligns with earlier research conducted in the city of Oulu, where a related investigation highlighted that nearly 14.78% of devices lack password protection, effectively operating as open access points [1].Yleisten suunnittelumenetelmien ymmärtäminen salasanojen luomiseen : tutkimus penetraatiotestaustyökalun rakentamiseen. Tiivistelmä. Lähes kaikki yksityisenä pidettävät asiat ovat tällähetkellä salasanojen suojaamia. Laitteet ja järjestelmät voidaan suunnitella tietoturvaominaisuuksiltaan kattavaksi, mutta näiden laitteiden ja järjestelmien turvallisuus voi vaarantua, jos loppukäyttäjä valitsee laitteen salasanaksi heikon salasanan. Etenkin jos valittu salasana sattuu vielä löytymään yleisistä salasanalistoista. Wif laitteiden riittämätön suojaaminen voi aiheuttaa turvallisuusongelmia, kun tarkastellaan vallitsevaa turvallisuusdynamiikkaa, Ukrainan sotaan ja Suomen Nato jäsenyyteen liittyen. Suojelupoliisi arvioi että heikosti suojatut reitittimet voivat aiheuttaa merkittäviä kansallisia turvallisuusriskejä. Tämän opinnäytetyön tavoitteena on tutkia ihmisten käyttämiä strategioita salasanojen luomiseen. Tämä tehdään käyttämällä aiempaa tietoa salasanojen luomistavoista, sekä tekemällä analyysi aiemmin nettiin vuotaneista salasanoista. Tutkimuksessa myös tarkastellaan olemassa olevia työkaluja salasanalistojen luomiseen ja selvitetään mitkä ovat näiden työkalujen vahvuudet ja heikkoudet. Edellämainitut toimenpiteet ovat pohjatyö jonka perusteella rakennetaan kevyt työkalu salasanalistojen luomiseen penetraatiotestausta varten. Jo tehtävää varten olemassaolevien työkalujen ongelmana on että ne luovat joko liian suuria tai pieniä sanalistoja ollakseen käytännöllisiä. Niistä puuttuu myös toiminnallisuus sanalistojen muokkaamiseen. Työkalun tehokkuutta arvioidaan ja testataan wardriving menetelmällä Wiftukipisteistä hankituilla pmkid hasheilla. Myöhemmin hashejä verrataan työkalun luomiin sanalistoihin käyttäen apuna Hashcat nimistä työkalua ja tutkitaan löytyykö vastaavuuksia, ts. vastaako jokin työkalun luomista sanoista salasanaa jolla hash on luotu. Tätä kautta saadaan myös tilannekuva Wifsalasanojen vahvuudesta Oulun kaupungissa. Tulokset paljastivat että noin 6 % Wif-tukipisteistä käytetään liian heikkoa salasanaa. Tämä löytö on linjassa aiemmin Oulussa tehdyn tutkimuksen kanssa, jossa kyseinen tutkimus osoitti että lähes 14.78 % laitteista puuttuu salasanasuojaus ja laitteet toimivat noissa tapauksissa avoimina tukiasemina. [1

Analysis of real-world passwords for social media sites

Textual passwords have dominated all other entity authentication mechanisms since they were introduced in the early 1960’s. Despite an inherent weakness against social engineering, keylogging, shoulder surfing, dictionary, and brute-force attacks, password authentication continues to grow as the Internet expands. Existing research on password authentication proves that dictionary attacks are successful because users make poor choices when creating passwords. To make passwords easier to remember, users select character strings that are shorter in length and contain memorable content, like personal identity information, common words found in a dictionary, backward spellings of common words, recognizable sequences, and easily guessed mnemonic phrases. A number of these studies identify weaknesses found in passwords on social media sites [1] [2] [3] [4] [5]. However, this body of work fails to explore whether users choose more secure passwords on accounts that protect their professional online identity than they choose on accounts that are used for personal entertainment. In this study, we first cracked passwords from the over 6.4 million unsalted, SHA-1 hashed passwords stolen from the professional, social media site, LinkedIn. Next, we analyzed the length, character set composition, and entropy score of the passwords recovered. Then, we compared our results to the analysis of passwords performed by Weir, et al. on the RockYou! dataset to determine whether professionals protecting their online presence chose wiser passwords than social media site users who play online games. In our analysis we found that the users of the professional, social media site, LinkedIn, chose more secure passwords than the users of the social media gaming site, RockYou!. LinkedIn passwords contained a greater percentage of numbers, special characters, and uppercase letters than RockYou!. We also found that the LinkedIn passwords utilized special characters more frequently, but RockYou! passwords applied special character less predictably

Authentication Methods and Password Cracking

Na začátku této práce porovnáváme dnes běžně používané metody autentizace a také mluvíme o historii, současnosti a budoucnosti zabezpečení hesel. Později využíváme nástroj Hashcat k experimentům s útoky hrubou silou a slovníkovými útoky, které zrychlujeme s pomocí Markovových modelů a pravidel pro manipulaci se slovy. Porovnáváme také dva hardwarové přístupy --- běžný počítač a cloud computing. Nakonec na základě našich poznatků práci uzavíráme souborem doporučení na prolamování hesel s důrazem na hardware, velikost datové sady a použitou hašovací funkci.In the beginning of this thesis, we compare authentication methods commonly used today and dive into the history, state of the art as well as the future of password security. Later on, we use the tool Hashcat to experiment with brute-force and dictionary attacks accelerated with Markov models and word mangling rules. We also compare two hardware approaches --- regular computer and cloud computing. Based on our findings, we finally conclude with a set of password-cracking recommendations with focus on hardware, dataset size and used hash function

CollaborCrack: A Collaborative Password Cracking Solution for Windows Penetration Testing

Cybersecurity professionals attempt to crack password hashes during penetration tests to determine if they are strong enough. A password hash is a way to encode a password securely. This paper describes a proof-of-concept program called CollaborCrack, a team-based password cracking solution. CollaborCrack addresses the issues of computational complexity, remote cracking security, duplication of work, and the cost associated with password cracking. To address computational complexity, CollaborCrack enables remote password cracking. Remote cracking requires additional safeguards, which CollaborCrack mitigates by storing sensitive information locally. To reduce the duplication of work, CollaborCrack provides a shared interface designed around collaboration and teamwork. CollaborCrack reduces costs by decreasing the time it takes to crack groups of passwords and the number of password cracking computers needed. CollaborCrack breaks the traditional password cracking process into two parts: a collaboration client and collaboration server. CollaborCrack’s client serves as a shared password cracking interface for collaborating teams. The client organizes notes and facilitates collaboration among team members. CollaborCrack’s server increases password cracking efficiency while eliminating duplication of effort by allowing multiple team members to submit passwords to the same cracking server. If security professionals adopt this proof-of-concept, CollaborCrack could establish a more efficient and collaborative password cracking experience