Skip to main content

Back to Blog

How Cybercriminals Hack “Encrypted” Passwords

Storing your passwords in cleartext is a bad idea because if your server gets hacked, all your user passwords are immediately visible to the attacker. To protect a database of passwords in the event of a breach, businesses often employ one-way encryption using hashing to make passwords harder to use. Unfortunately, many organizations assume these methods are enough to keep their passwords out of the hands of criminals if they get hacked. If you’ve been following our series focused on the role of passwords in modern cybersecurity, you won’t be surprised to hear that one-way hash functions are, all too often, not enough.

We’ve talked about the current threat landscape and busted some of the myths surrounding password-based security. In this article, we’re going to look at the ways cybercriminals can hack hashed passwords and how – even with the usual password rules applied – they can crack these stolen, “strong” passwords.

One-Way Encryption Leaves Passwords Vulnerable

As the number of data breaches continues to escalate, more of our passwords are being exposed and shared via large data lists called cracking dictionaries. These lists are made up of standard dictionary words, common passwords, iterations of known passwords, and leaked passwords from data breaches,. Criminals share these hacking dictionaries via the dark web and use them to guess user credentials in brute force attacks against sites and systems. However, cracking dictionaries are also extremely useful tools for one-way hash functions that should otherwise be irreversible.

Understanding How Passwords Are Hashed

Hashing is a way to store your passwords more securely by changing them into a string of characters and storing that “hash” rather than the passwords themselves. When a password is created, the system uses a hashing algorithm to change it into a fixed-length output stored in the database. When that user wants to log in, the system uses that same algorithm on the password being entered to see if its hash matches the hashed password associated with that username in the database. But, if your users are creating common or compromised passwords, all rogue actors need to do is apply the various known hashing algorithms to a list of the top passwords and see if any match the ones on the hashed list they stole. These lookup tables are a simple way of reversing what should be an irreversible hash.

Salting is an additional security measure that makes it harder for attackers to crack hashed passwords. When a password is “salted,” it means that a random string of characters is added to the password before it is hashed. This salt value is unique and, combined with hashing, it makes reverse engineering the password more challenging for criminals who get their hands on your data. This salting method is weaker if your system doesn’t generate individual salts for each password. If every salt value is the same, a hacker simply applies that value to their cracking dictionary before the hashing algorithm, and any passwords you have in your system that match their list will be revealed. All common and compromised passwords have already been reversed in this way.

How Does Hashing Work in Windows Active Directory?

Unfortunately, Windows Active Directory doesn’t use any salt values when storing passwords. The hash algorithm used by Windows Active Directory is called NTLM and is very well known. Unfortunately, this leaves your hashed passwords in Windows Active Directory extremely vulnerable to cracking if your users are allowed to create passwords found in cracking dictionaries.

Protecting Your User and Employee Passwords

While businesses should deploy methods like hashing and salting to protect their databases, we need to remember that bad actors can still slip past these security measures when employees are using common or compromised passwords. The number of corporate credentials exposed on the dark web increased 429% last year.

Businesses must remain vigilant and do everything they can to keep their users from creating previously exposed and easy-to-crack passwords found in cracking dictionaries.  Training your employees to avoid using a common password is difficult.  A more effective method to mitigate risk is robust password screening software that checks employee passwords against blacklist databases formed from passwords found in cracking dictionaries and data breaches. This way, you can be sure your users aren’t creating passwords that may appear strong on the surface but have already been compromised in a past data breach, as a known or common password, or on password blacklists.