While the passwords remain the first defense line to protect users’ accounts from unauthorized access, the methods of creating strong passwords and protecting them are constantly developing. For example, Recommendations by Password Nist Now prioritizing the password over the complexity is prioritizing. However, the hash remains not discussed. Even long safe passwords should be launched to prevent them from exposing them in case of data violation – and never stored in the open text.
This article considers how today’s cyberatists are trying to crack over your passwords, examine common hashization algorithms and their restrictions, as well as discuss the measures you can take to protect your hash passwords, no matter what algorithm you use.
Modern methods of hacking password
The malicious actors have many tools and methods at their disposal for hacking passwords. Some of the more widely used methods include rough forces, seizures in the password dictionary, hybrid attacks and mask.
Rough force attacks
A a rough force attack provides excessive, strong attempts and errors to access the account. The malicious actors use specialized tools for systematic verification of passwords until the work combination is detected. Although invalid, rough force attacks are very effective using password hacking software and powerful computing equipment such as graphic processing units (graphic processors).
Attack of a vocabulary password
As its name implies, the attack in the password dictionary systematically attracts words from the dictionary to the gross password change until you find the work combination. The vocabulary content may contain all common words, specific words lists and word combinations, as well as derivatives and defamed words with alphanumeric and non-alphane signs (such as replacing “A” with “@”). The password attacks can also contain earlier Leaks of passwords or key phrases exposed to data disorders.
Hybrid attacks
A hybrid attack on password Combines rough force with vocabulary -based methods to achieve better agility and attack effectiveness. For example, a malicious actor can use the vocabulary of words that are often used by accounts with methods that combine numerical and non -alphane combinations of characters.
Mask attacks
In some cases, malicious subjects may know about specific password models or parameters/requirements. This knowledge allows them to use mask attacks to reduce the number of iterations and attempts in their hacking. Mask attacks use rough force to check the password attempts that correspond to a certain sample (for example, eight characters, start with the capital letter and end with the number or special character).
As the algorithms for washing protect against the methods of cracking
Hashing algorithms are the basis for many security applications: from monitoring files to digital signatures and password storage. And although this is not a stupid security method, the hash is much better than storage of passwords in open text. With hashized passwords, you can make sure that even if cyber -craftsmen get access to password databases, they cannot easily read and use them.
According to the design, the hash significantly exceeds the ability of the attacker to crack passwords, acting as a critical deterrent, making the password hacking to make time and resources intensively that the attackers can move their attention to simpler goals.
Can hackers crack the hash algorithms?
Because the hashization algorithms are unilateral functions, the only method for compromise hash-passwords is the methods of brute force. Cyberatics use special equipment, such as GPU and cracking software (eg, Hashcat, L0PTCRACK, John the Ripper) to perform grossly millions or billions or combinations.
Even with these complex targeted cracking instruments, the hacking time may vary dramatically depending on the particular hashization algorithm and the length of the password/characters. For example, long, complex passwords can take thousands of years to crack, and short, simple passwords can be hacked immediately.
The following cracked landmarks were found Studies Researchers on the NVIDIA RTX 4090 graphic processor and used Hashcat software.
Md5
Once the algorithm of the hashization of industrial strength is considered, the MD5 is now considered a cryptographically deficiency of various safety disorders; Given this, it remains one of the most widely used hashization algorithms. For example, the popular CMS WordPress is still using MD5 by default; This is approximately approximately 43.7% Sites running on CMS.
Using easily accessible graphic processes and cracking software, attackers can instantly crack numerical passwords with 13 characters and less attached to the 128-bit MD5; On the other hand, the password is 11 characters consisting of numbers, large/small characters and characters, will take 26.5 thousand years.
Sha256
A Algorithm hashos sha256 It belongs to the safe hash-2 (Sha-2) Hashing Group developed by the National Security Agency (NSA) and the National Institute of Standards and Technology (NIST). As an upgrade, the Sha256 algorithm is considered a reliable and very safe algorithm suitable for today’s security applications.
When used with long, sophisticated SHA256 passwords almost impassable, using the rough force methods – 11 hascated SHA256 passwords using numbers, top/small characters and characters requires 2052 years to hack GPU and cracking software. However, the attackers can instantly crack nine SHA256 characters, which only consist of numerical or small characters.
Bcrypt
Safety experts consider both Sha256 and BCRIPT enough has enough hasing for modern security applications. However, unlike SHA256, BCRIPT reinforces its hashization mechanism, using salting – adding random data to each hash password to ensure uniqueness, BCRPT makes passwords very resistant to a vocabulary or attempted rough forces. In addition, BCRIPT uses the cost ratio that determines the amount of iterations to launch the algorithm.
Such a combination of salt and costs makes Bcrypt extremely resistant to dictionary and brute force. Cyber -Aweder who uses software for graphic processes and cracking 27 154 years to crack Eight characters password consisting of numbers, uppercase/lowercase letters and characters that have BCRIPT have been shared. However, numeric or only on small passwords BCRIPT under eight characters, trivial for hacking, taking from a few hours to a few seconds to compromise.
How do hackers bypass the hash algorithms?
Regardless of the hashization algorithm, total vulnerability is short and simple passwords. Long, complex passwords, which include numbers, uppercase and lowercase letters, as well as characters, are the perfect formula for password strength and stability. However, re -use of the password remains a significant problem; Only one common password, no matter how strong, is stored in the open text on a poorly fixed site or service, can give cyber -flammers access to sensitive accounts.
Thus, cyber -violinists are likely to receive impaired credentials and exposed passwords from the dark network rather than trying to crack long, complex passwords, secured by modern hash algorithms. Cut a long password that hash with BCRIPT is almost impossible, even with specially built equipment and software. But the use of a famous compromised password is instantly and effectively.
To protect your organization from violated passwords, Password Policy Specups Permanently scanning your Active Directory against increasing database with more than 4 billion unique violated passwords. Contact with cash on free trial.
