What Is Password Cracking?

Javed Shah

In authentication security, passwords are often the weak link, susceptible to several attacks.

What is password cracking? Password cracking is the use of different attacks to guess or expose a password and gain access into a user’s account.

What Does it Mean to Crack a Password?

Passwords are one of the oldest and most well-established forms of authentication security in computing. Brought about with the emergence of multi-user systems in the 1960s and 1870s, username/password combinations serve as the backbone of authentication because of their ease of use, simple implementation, and common acceptance across consumer and enterprise contexts.

However, passwords are incredibly vulnerable and often serve as a weak point in cybersecurity overall. The major issue with password authentication is that they rely on user commitment to using strong, secure passwords while remaining vigilant against social engineering attempts.

The first part of that responsibility (strong passwords) plays a significant role in protecting against password cracking or using brute-force attacks to guess passwords to gain access to a system. These attacks range from brute-force in nature to more sophisticated threats.

Some forms of password threats include:

  • Guessing: The most simple of brute-force methods, a guessing attack is, as the name suggests, one where the attacker simply throws different passwords against user accounts in hopes of getting lucky. For the most part, many security technologies resist this attack, but a lack of employee security education or password requirements can still make this threat real.
  • Dictionary Attacks: Dictionary attacks involve using common phrases and names from a dictionary as password guesses. This threat relies on the unfortunately-common fact that users will often use simple words or phrases as passwords because they are easy to remember.
  • Common Passphrase Attacks: Much like a dictionary attack, a common phrase attack will use a dictionary populated explicitly with common passwords. This can include simple sequences of numbers (123456) or words (like a password) and permutations of those phrases (like “passw0rd” or “password1”). Again, these attacks remain effective in cases where users rely on simple or common passwords.
  • Credential Stuffing: This attack is much more insidious than those already discussed. Credential stuffing relies on compromised databases containing passwords to crack accounts on other platforms.

So, for example, if a user’s username and password are compromised in a hack, then attackers may purchase that information on the black market and start pushing those credentials to other common platforms, like social media or banking. This attack works extremely well because it utilizes known information and leverages the tendency for users to reuse credentials across multiple systems.

  • Password Spraying: An inverse of dictionary attacks, password spraying involves using common phrases across a swath of accounts rather than just focusing on a single charge. What this form of attack loses in depth, it gains in breadth.

By spreading attacks over hundreds or thousands of accounts, it plays the odds against someone in a user population keeping simple or shared passwords. And, as is often the case, an attacker only needs to compromise a single account.

  • Rainbow Table Attack: Passwords are rarely stored in plain text, existing instead as a one-way hash that hides the information while allowing authentication. These can be difficult or impossible to crack.

However, suppose the attacker steals a table of hashes from a platform. In that case, they can use a rainbow table of common password hashes to compare against and, with enough work, break those hashes and expose every password in the database.

Most of these attacks can be defined as either cracking or password guessing. The latter typically involves using repeated authentication attempts to gain unauthorized access to (usually online) accounts. The former most often uses more sophisticated methods to break security on stolen passwords or password databases that have been taken offline. The difference between these two is a thin line, however, as guessing techniques (dictionaries) can serve as part of a larger cracking attempt (such as rainbow tables).

Note that cracking isn’t necessarily the most popular or effective authentication attack. Phishing attacks remain at the top of this list because they target most security systems’ weakest link: users. However, phishing attacks can help with other cracking attacks.

For example, suppose a phishing attack can expose credentials for someone with access to specific databases. In that case, hackers can use that information to breach systems and crack other passwords in that same system.

How Can Organizations Resist Password Cracking?

Organizations can follow several best practices for their authentication services to mitigate password cracking. These practices include securing passwords against common attacks, reinforcing password database security, and (in some cases) going around the need for passwords.

These best practices include:

  • Require Complex Passwords: Shorter passwords are much easier to crack than longer ones. Hackers can refine their password dictionary attempts, but they cannot optimize effectively if the users can include special characters or differentiate between lower- and uppercase letters.

By using several character types, requiring a long minimum length, and disallowing common words, your organization can resist many types of cracking attempts.

  • Require Regular Password Changes: If an attacker attempts to crack passwords using a dictionary, their odds of breaking through increase the longer they work on the problem.

However, if users constantly change passwords, these attackers can’t make significant headway. Additionally, if a hacker does gain access to a system by cracking an account, requiring changes at regular intervals can limit the impact they have over time.

  • Use Salted Hashes to Store Passwords: Hackers using rainbow attacks can break through plain hashes relatively quickly. By “salting” password hashes or adding random data, you can make it much harder for attackers to break through these encryption methods.
  • Disallow Password Reuse: Users like to reuse passwords over and over to make remembering their credentials easiest, but essentially eliminates the security that passwords may provide. By forcing users to change passwords into newer, unique versions, you reduce the security risks associated with long-term password storage while minimizing the possibility of the user reusing passwords from other platforms.
  • Use Passwordless Security: A solid approach, and one that’s gained a lot of traction in recent years, is passwordless authentication. This method, as the name suggests, foregoes passwords for other processes (usually tokens or biometrics). While these may be a little more complex to implement, they are only insignificantly so. And, with the proliferation of mobile devices and biometrics technology, passwordless is relatively simple to deploy.

Stop Cracking and Enter the Future of Authentication with 1Kosmos

The simplest truths are often the most useful–in this case, you can eliminate password security issues by removing passwords. And there’s no better way to step into passwordless security than with 1Kosmos BlockID.

With 1Kosmos, you can fight password attacks with the following features:

  • SIM Binding: The BlockID application uses SMS verification, identity proofing, and SIM card authentication to create solid, robust, and secure device authentication from any employee’s phone.
  • Identity-Based Authentication: We push biometrics and authentication into a new “who you are” paradigm. BlockID uses biometrics to identify individuals, not devices, through credential triangulation and identity verification.
  • Cloud-Native Architecture: Flexible and scalable cloud architecture makes it simple to build applications using our standard API and SDK.
  • Identity Proofing: BlockID verifies identity anywhere, anytime and on any device with over 99% accuracy.
  • Privacy by Design: Embedding privacy into the design of our ecosystem is a core principle of 1Kosmos. We protect personally identifiable information in a distributed identity architecture and the encrypted data is only accessible by the user.
  • Private and Permissioned Blockchain: 1Kosmos protects personally identifiable information in a private and permissioned blockchain, encrypts digital identities, and is only accessible by the user. The distributed properties ensure no databases to breach or honeypots for hackers to target.
  • Interoperability: BlockID can readily integrate with existing infrastructure through its 50+ out-of-the-box integrations or via API/SDK.

Sign up for our newsletter to learn more about how BlockID can support real security and help mitigate phishing attacks. Also, make sure to read our whitepaper on how to Go Beyond Passwordless Solutions.

FIDO2 Authentication with 1Kosmos
Read More
Meet the Author

Javed Shah

Former Senior Vice President Of Product Management

Javed has spent his entire twenty year career designing and building blockchain and identity management solutions. He has led large customer facing pre-sales teams, led product management for identity management platforms like the ForgeRock Identity Platform and the ForgeRock Identity Cloud. Javed has an MBA from UC Berkeley.