Passwords are the standard authentication factor across sites and systems, but how we deal with passwords has changed over time. Today, password hashing is a critical security measure organizations should leverage to protect passwords. Because many organizations leverage password hashing to protect passwords, cracking dictionaries have evolved to crack those password hashes.
They contain word lists in the form of dictionary words, common passwords, iterations of common passwords, and exposed passwords. They can also contain passwords that used to be hashed but have been subsequently cracked because they were stored in a weak password hashing algorithm.
As data breaches and password exposure increases year-over-year, more-and-more dictionaries of reverse-engineered hashed passwords are emerging. A password-cracking dictionary will often end up on the dark web for cybercriminals to exploit for various types of account takeover, paving the way for even more successful data breaches. They can also be used for cybersecurity research on user password habits.
There are plenty of methods a black hat hacker can choose to access user credentials. For example, they can use a form of social engineering to coax someone to hand over their credentials, like in a sophisticated phishing attack. But the easiest way is to use a cracking dictionary to gain access to an account. It is an easier and faster attack vector for account takeover.
In the digital age, as major data breaches are happening almost daily, cybercriminals can get access to more password lists and are able to crack password hashes faster as technology advances. Bad actors can use entire databases of pre-cracked passwords, common passwords, leaked passwords, and standard dictionary word lists to try and hack into an account, without the time and complexity of a social engineering attack.
Over the years cybercriminals have developed a good understanding of what a typical password looks like, and they conduct their attacks based on this information. With a cracking dictionary, attackers apply the cracked list of passwords against a system and try to gain access.
This is called a dictionary attack (a form of a brute force attack). An attacker, instead of trying all possible combinations, tries a password from a dictionary file. The file will have some of the most commonly used passwords and iterations to those passwords since so many people use similar passwords to their old passwords.
But these dictionaries can also be useful for standard brute force attacks and password spraying attacks.
However, it’s not just hackers who use cracking dictionaries, legitimate security professionals do as well. Ethical hackers can also use this data to break hashing algorithms and conduct controlled data breaches to demonstrate how insecure a system is. This often happens in a professional setting, but there are also hash cracking websites available online where you can put in a hashed version of a password, and it will crack it, telling you the password.
Putting this hash into the website CrackStation, it returned the password almost instantly.
These websites use huge dictionaries of hashed data, some of this data is hashed common passwords, some is dictionary words, some is entire word lists and Wikipedia articles, and so on.
According to Forbes, just the first half of 2019 saw 3,800 publicly disclosed data breaches, amounting to 4.1 billion exposed records. What makes these figures even more alarming is that the number of breaches in 2019 increased by 54% compared to the previous year. The problem is, with each additional breach, more valuable data goes into the hands of these bad actors.
When a large company has their login credentials stolen, cybercriminals now have a huge set of data that provides insights, such as which passwords are the most popular, for example, which sports team names become common passwords in that area, and so on. These passwords get added to dictionaries. This data is still extremely valuable even when the password has been hashed.
Password hashing has long been considered a secure way of storing passwords. Hashing involves taking the native password, for example, “Yellow3”, and converting it into a string of numbers and letters of a fixed length. Hashing algorithms are designed to be difficult to crack and difficult to reverse engineer. All hashing algorithms are deterministic, which means if you input the same value, you’ll always get the same hashed output. However, they are also designed so that changing a single character the resulting hash will look completely different. This element of their design makes them considerably more difficult to reverse engineer, but the only thing standing in an attacker’s way is a large set of data and a powerful computer.
This is largely why data breaches are becoming so prevalent and increasing each year. Powerful computers and computer components are becoming increasingly affordable and as more hashed passwords are exposed, hackers get better at reverse-engineering these passwords. When quantum computing becomes more mainstream, it will become even easier to reverse engineer hashes.
One way to protect your password is to make it more difficult to crack.
A strong password policy can help organizations create harder-to-crack passwords. There are many different policies and recommendations around what makes a strong and safe password, but here are some common features of a strong organizational password policy:
Lastly, password monitoring can help organizations determine whether you have a strong password or not. Password screening software will scan your password and compare it to known common passwords, or passwords that have been exposed previously. If password monitoring tools indicate that a password has been exposed in a previous data breach, is a known password, or appears on password blacklists; then you should assume that hackers will try that password, and have potentially already cracked the hash for it.