
A Review on Password Cracking Strategies

Ms. Vidya Vijayan, Ms. Josna P Joy, Mrs. Suchithra M S


Dept. of Computer Science & Engineering
Christ Knowledge City, Ernakulam, India
vidyavijayan1115@gmail.com, josnajoy90@gmail.com, Suchithrams194@gmail.com

Abstract: As the word itself implies, Personal Account Security System WORD (PASSWORD) is a word or string of characters used for user authentication to prove identity. But passwords are now being cracked to gain unauthorized access to a computer without the computer owner's awareness. This paper is based on a study of certain strategies used for password cracking. Methods like dictionary attack, brute force attack, shoulder surfing, phishing, guessing, spidering etc. have a bad impact on those passwords which are easy to guess and most commonly used. This paper compares and evaluates the different password cracking techniques, and presents certain password hacking tools and certain preventive methods.

Keywords- password, brute force attack, entropy, shoulder surfing, phishing.

I. INTRODUCTION

Until we can do retina scans like in James Bond movies, the password is the best that we can do, as a password is what tells the computer that we are who we say we are. But in recent years, despite advances in biometrics and other technologies, passwords remain attractive targets for cracking. The majority of users had three or fewer passwords and passwords were reused twice. An enterprise employee uses multiple passwords every day in order to use all applications and systems provided by his employer. Since humans are considered the weakest link in information security, humans select passwords that are easy to remember, which are also easy for a cracker to guess.

Now the use of passwords is a major point of vulnerability in computer security, as passwords are often easy to guess by automated programs running dictionary attacks. A password cracker is virtually any program that can decrypt passwords or can disable password protection. Most password crackers use a technique referred to as comparative analysis in order to crack the encrypted passwords.

The purpose of this paper is to discuss what password cracking is, highlight certain password cracking techniques and evaluate their effect on poor passwords. The different scenarios in which password cracking can occur are: (1) the attacker can gain access to a machine through physical or remote access and could attempt to try each possible password (brute force attack); (2) the attacker can gain access to hashed passwords using rainbow tables; (3) the attacker gains access to the password or shadow file by trying all the passwords in the dictionary list.

Fig 1. Password cracking scenarios

All copy rights Reserved by NATCOMM - 2014, Christ Knowledge City , Mannoor, India.
Published by IJRCCT (www.ijrcct.org)


Figure 1 shows the most common password cracking scenarios and their traversal modes to a system. But sophisticated hackers are not always simply attempting to guess passwords based on the information lifted from social networks and the like, but instead are using various methods to undermine what most would think to be a wise password.

Section A briefly covers what password cracking is, online and offline cracking, and the ten basic cracking strategies. Section B compares the five most common password cracking techniques and evaluates them. Section C concludes with prevention tactics to stay secure from crackers and analyzes the advantages and disadvantages of each technique.

II. BASIC TERMS

A. Password Cracking

Password cracking is the ability of an attacker to attempt to log in to another person's system using a username and password pair. Offline attacks can be performed on hashed passwords at a different location and without the need to interact with the victim host. This is done by extracting the hashes stored by the victim and attempting to crack them on a special rig or remote machine. Online attacks are those attacks performed on a live host or system by using either an exhaustive search or a word list attack against a login form, session or any type of authentication technique used.

Security analysts and experts suggest different password cracking strategies that can be employed by an attacker. Some of the common ones are described below.

Dictionary attack
In this, the attacker makes use of a dictionary of words that might have been used as passwords.

Brute force attack
This method is similar to the dictionary attack but with the added bonus, for the hacker, of being able to detect non-dictionary words by working through all possible alphanumeric combinations.

Rainbow table attack
A rainbow table is a list of precomputed hashes - the numerical value of an encrypted password - which helps the attacker to gain access.

Phishing
The easy way to hack: asking for passwords directly through phishing emails.

Social engineering
In this method the attacker telephones an office posing as an IT security tech guy and simply asks for network access passwords.

Malware
Using malware which records everything we type or takes screenshots during the login process.

Offline cracking
Here the target in question is often compromised via a hack on a third party, which then provides access to system servers.

Shoulder surfing
This provides an excellent opportunity to eyeball all those post-it notes stuck to the front of LCD screens with login attempts.

Spidering
Studying corporate literature, website sales material and even the websites of competitors helps for gaining unauthorized access.

Guessing
Based on the predictability of the user to guess passwords.

Replay attacks
A way to attack challenge-response user authentication mechanisms. It is also known as a reflection attack.

Key logger
Similar to login spoofing attacks; it is based on software programs that monitor the login process.

Video recording attack
Here attackers use video cameras on mobile phones and analyse the recorded video of users who enter passwords.

Key stroke dynamics
Typing dynamics records the key presses and key timings. It deals with how the password is entered and not what the password is.

B. Cracking Tools

In recent years, computer programmers have been trying to create algorithms for password cracking in less time. Most of the password cracking tools try to log in with every possible combination of words. If login is successful, it means the password was found. If the password is strong enough with a combination of characters and characters, this cracking method may take hours to weeks or months. A few password cracking tools use a dictionary that contains passwords. These tools are totally dependent on the dictionary, so the success rate is lower. Some important cracking tools are mentioned below.

o Brutus

Brutus was one of the most popular remote online password cracking tools. It claims to be the fastest and most flexible password cracking tool. It supported HTTP (Basic Authentication), HTTP (HTML Form/CGI), POP3, FTP, SMB, Telnet and other types such as IMAP, NNTP, NetBus, etc.

o RainbowCrack

RainbowCrack is a hash cracker tool that uses a large-scale time-memory trade-off process for faster password cracking than traditional brute force tools. Time-memory trade-off is a computational process in which all plain text and hash pairs are calculated by using a selected hash algorithm. After computation, the results are stored in the rainbow table. This process is very time consuming. But once the table is ready, it can crack a password much faster than brute force tools.

o Wfuzz

Wfuzz is another web application password cracking tool that tries to crack passwords with brute forcing. It can also be used to find hidden resources like directories, servlets and scripts. This tool can also identify different kinds of injections including SQL Injection, XSS Injection, LDAP Injection, etc. in Web applications.
III. COMPARISON STUDY

Jim Owens et al. proposed an evaluation of brute force attack, which searches on the hash or hashes by calculating the hash of each and every string combination for a chosen character set and string length. The calculated hashes are compared with the hashes to be recovered until a match is found or the attack is finished. For example, a brute force attack for all strings up to 8 lowercase letters in the English language would start with aaaaaaaa and end with zzzzzzzz. Certain disadvantages of brute force attacks are:

Very time consuming, as searching from a hash takes a lot of time.

Effective only for smaller passwords.

Feasibility depends on the domain of input characters.

Benny Pinkas et al. and Vitaly Shmatikov et al. proposed that a small password domain enables adversaries to attempt to log in to accounts by trying all possible passwords which are in the dictionary; those attacks are called dictionary attacks. Here the basic insight is that the distribution of letters in easy-to-remember passwords is likely to be similar to the distribution of letters in the user's native language in dictionaries. Two common countermeasures used against online dictionary attacks are:

Delayed response - given a login name/password pair, the server provides a slightly delayed yes/no answer.

Account locking - accounts are locked after a few unsuccessful login attempts.

Dictionaries are raw text files consisting of one word or phrase per line. Each line is a candidate match where each hash is computed and compared to the hashes to be recovered. The difference between a Dictionary and a brute-force attack is that a Dictionary contains a list of probable matches rather than all possible string combinations. A Dictionary needs to be well optimized, otherwise if it includes any string combinations it risks becoming a brute-force attack and loses its efficiency. Therefore Dictionaries often include known popular passwords, words from the English and other languages, ID numbers, phone numbers, sentences from books etc. Dictionary attacks are fairly trivial to execute, often by means of a simple bash file such as the one shown below:

Fig 2. A dictionary attack

Sam Martin et al. proposed research on rainbow table attacks, dictionary attacks and brute force attacks. Rainbow table attack is a method to trade memory against attack time. For a cryptosystem having N keys, this method can recover a key in $N^{2/3}$ operations using $N^{2/3}$ memory. The figure below gives a spectrum of possibilities for password cracking attacks.

Fig 3. Possibilities of password cracking attacks
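The two countermeasures against online dictionary attacks listed above, delayed response and account locking, can be combined in one login check. The sketch below is an added example, not code from the paper; the class and function names, the thresholds and the sample account are assumptions, and the clock is simulated so the demo does not really wait.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 5        # assumed: failed attempts allowed before locking
LOCKOUT_SECONDS = 900   # assumed: how long a locked account stays locked
RESPONSE_DELAY = 0.5    # assumed: delay before every yes/no answer, seconds


def derive(password, salt):
    # Demo-sized iteration count so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class LoginThrottle:
    """Credential check wrapped in a delayed response and account locking."""

    def __init__(self, clock, sleep):
        self.clock = clock        # callable returning the current time (s)
        self.sleep = sleep        # callable that pauses for n seconds
        self.users = {}           # username -> (salt, derived key)
        self.failures = {}        # username -> consecutive failed attempts
        self.locked_until = {}    # username -> time at which the lock ends

    def register(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, derive(password, salt))

    def attempt(self, username, password):
        """Return 'ok', 'denied' or 'locked' for one login attempt."""
        now = self.clock()
        if self.locked_until.get(username, 0) > now:
            return "locked"         # refused without testing the password
        self.sleep(RESPONSE_DELAY)  # same delay for right and wrong guesses
        salt, stored = self.users.get(username, (b"\0" * 16, b""))
        if hmac.compare_digest(derive(password, salt), stored):
            self.failures.pop(username, None)
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= MAX_FAILURES:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            self.failures.pop(username, None)
        return "denied"


class FakeClock:
    """Simulated time source and sleep function for the demo."""
    def __init__(self):
        self.now = 0.0

    def time(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


def demo():
    clock = FakeClock()
    throttle = LoginThrottle(clock.time, clock.sleep)
    throttle.register("alice", "correct horse")   # constructed account
    # Constructed guess list; the sixth entry is the real password.
    guesses = ["123456", "password", "qwerty", "letmein", "alice1",
               "correct horse"]
    results = [throttle.attempt("alice", g) for g in guesses]
    clock.now += LOCKOUT_SECONDS                  # wait out the lock
    results.append(throttle.attempt("alice", "correct horse"))
    return results, clock.now
```

In `demo()` the sixth attempt is refused even though it carries the correct password, which is the availability cost of account locking: anyone who can submit five wrong guesses can keep the legitimate user out for the lockout period.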


Furkan Tari et al. proposed innovative studies on shoulder surfing techniques in password cracking. Shoulder surfing is an alternative name for spying, in which the attacker spies on the user's movements to get his/her password. In this type of attack, the attacker observes how the user entered the password, i.e. what keys of the keyboard the user has pressed. password and can access to the targeted system. There are many variations of shoulder surfing, e.g. the attacker can use binoculars to see the user entering the password from a distance. The attacker can use a hidden closed-circuit TV camera or a miniature camera to observe the user. Shoulder surfing is considered a form of social engineering that is gaining more and more importance as devices such as video camcorders and even cellular phones with audio-visual capabilities become more affordable to consumers.

Aaron Dolan et al. discussed the concept of social engineering in password cracking. Social engineering is using relationships with people to attain a goal. Unfortunately, when it comes to the security of an organization's data and infrastructure, social engineering can be as bad as 'knowing the right people' can be good. Social engineers use tactics to leverage trust, helpfulness, easily attainable information, knowledge of internal processes, authority, technology and any combination thereof. Since humans are generally polite, following someone into a corporate office can be very simple. At large organizations most employees do not know every employee or recognize every face and are usually more than happy to hold a door for someone. Once in, the social engineer can gain a great deal of information from just walking by the workspaces of employees who have stepped away.

Predrag Tasevski et al. talk about hybrid attacks on password cracking. A common method utilized by users to change passwords is to add a number or symbol to the end. A hybrid attack works like a dictionary attack, but adds simple numbers or symbols to the password attempt. A Hybrid Dictionary attack is a combination of a brute-force attack and a Dictionary attack. A Hybrid Dictionary attack takes a Dictionary as input and appends brute-forced strings to each entry of the Dictionary. Therefore for each string in the Dictionary, this attack produces several other strings, such that a Dictionary entry apple produces 111apple, 112apple up to 999apple for a brute-force that prepends three numbers to each entry. A Hybrid Dictionary attack also results in an exponential increase in computations and time based on the number of characters to be concatenated with the Dictionary entries.

Mudassar Raza et al. discussed phishing attacks, a web-based attack in which the attacker redirects the user to a fake website to get the passwords of the user. To explain phishing, suppose a user wants to open a website, say www.yahoo.com. The attacker redirects the user to another website, e.g. www.yah0o.com, whose interface is similar to that of the original website to deceive the user. The user then enters the login information, which is retrieved by the attacker. The attacker then redirects the user to the original website and logs the user in to the original website.

Waqas Haider et al. discussed password cracking strategies based on key stroke dynamics. Key stroke dynamics (also called typing dynamics) records the key presses and key timings. It does not deal with what the user has entered as the password; it deals with how the user entered the password. Key stroke dynamics stores the following time patterns of the user along with the conventional password:

Time between the key pressed and release

Time between the two keys pressed

The name of the key pressed

Biometric password entering rhythm of individual users

Advantages of key stroke dynamics include that there is no need for extra hardware; only good programming skills are required to implement such an authentication system. It resists password attacks like shoulder surfing, phishing, key loggers etc. Also the attacker cannot get into the system even if he/she gets the password. Disadvantages of key stroke dynamics include that the password rejection rate is high due to different levels of typing speed of users.
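The following sketch shows how the stored time patterns listed above (key names, press-to-release time, time between key presses) can be checked at login, and why the rejection rate rises when the owner's typing speed changes. It is an added example, not code from the paper or the cited work; the function names, the scoring rule, the two constants and all timing values are assumptions constructed for illustration.

```python
from statistics import mean, pstdev

MIN_STD = 5.0      # assumed floor (ms) so a very steady typist is not divided by ~0
THRESHOLD = 2.0    # assumed acceptance limit on the mean normalised deviation


def features(events):
    """events: [(key, press_ms, release_ms), ...] -> (typed keys, timing vector)."""
    keys = "".join(k for k, _, _ in events)
    hold = [r - p for _, p, r in events]                      # press to release
    gaps = [b[1] - a[1] for a, b in zip(events, events[1:])]  # press to next press
    return keys, hold + gaps


def enroll(samples):
    """Build a template (key names, per-feature mean and spread) from samples."""
    keysets, vectors = zip(*(features(s) for s in samples))
    if len(set(keysets)) != 1:
        raise ValueError("all enrollment samples must type the same password")
    columns = list(zip(*vectors))
    return {"keys": keysets[0],
            "mean": [mean(c) for c in columns],
            "std": [max(pstdev(c), MIN_STD) for c in columns]}


def score(template, events):
    """Mean absolute deviation from the template in units of spread, or None."""
    keys, vector = features(events)
    if keys != template["keys"]:
        return None                     # wrong password: rhythm is irrelevant
    return mean(abs(v - m) / s for v, m, s
                in zip(vector, template["mean"], template["std"]))


def verify(template, events):
    s = score(template, events)
    return s is not None and s <= THRESHOLD


def typed(text, holds, gaps):
    """Construct sample events from hold times and press-to-press gaps (ms)."""
    t, events = 0, []
    for i, ch in enumerate(text):
        events.append((ch, t, t + holds[i]))
        t += gaps[i] if i < len(gaps) else 0
    return events


# Constructed timing data for the password "pass"; not measurements.
TEMPLATE = enroll([
    typed("pass", [90, 80, 100, 95], [150, 120, 130]),
    typed("pass", [95, 85, 105, 90], [160, 125, 135]),
    typed("pass", [85, 75, 95, 100], [140, 115, 125]),
])
OWNER = typed("pass", [92, 78, 103, 96], [155, 118, 133])
OWNER_SLOW = typed("pass", [110, 100, 120, 115], [190, 150, 160])
INTRUDER = typed("pass", [140, 130, 150, 145], [300, 280, 290])
WRONG = typed("pasw", [92, 78, 103, 96], [155, 118, 133])
```

`verify(TEMPLATE, INTRUDER)` fails although the password is correct, and `verify(TEMPLATE, OWNER_SLOW)` also fails, which is the false rejection the paragraph above attributes to varying typing speed.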
IV. PREVENTION TACTICS

After studying certain password cracking strategies, this paper introduces certain prevention tactics against these attacks. Computer security depends largely on passwords in order to authenticate human users.

A. Graphical passwords

In this scheme, the user first enters the user name to log in. After that some graphical objects are displayed, which must be selected by the user. These selected objects are then drawn by the user using a mouse, touch screen or stylus. The system performs preprocessing on the user-drawn objects and converts the sketches into hierarchical form. At last, hierarchical matching is performed for user authentication.

Fig 4. Graphical password pattern

Advantages include reduced shoulder surfing and that it is a more secure authentication.

B. Biometrics

Biometrics is also used as an authentication procedure in which the recognition is based upon image processing. In this case, to verify an image, it is preprocessed to extract features from it and then the image, based on these extracted features, is matched with a database. There are many types of biometrics-based authentication:

Finger print authentication

Face recognition

Signature verification

Speech recognition

Iris recognition etc.

Advantages of such schemes include that it involves real and unique signatures and it cannot be stolen.

Fig 5. Biometrics

C. Click patterns

Click Patterns is a type of mouse-based password entering scheme. In this type of password scheme, the user is provided with a click pad on the screen. The click pad can contain different color grids or it can be the combination of different costly and difficult symbols. The user can mislead the attacker by using the click pattern as a password. Along with the patterns, the click pattern scheme also tracks the user's clicking rhythm. Advantages of Click Patterns include that it does not require extra hardware and it is resistant to password instead of pressing exact button for password, user is prompted to select the location of the password words.
D. Salts

In cryptography, a salt is random data that is used as an additional input to a one-way function that hashes a password or passphrase. The primary function of salts is to defend against dictionary attacks and pre-computed rainbow table attacks. A new salt is randomly generated for each password. In a typical setting, the salt and the password are concatenated and processed with a cryptographic hash function, and the resulting output (but not the original password) is stored with the salt in a database. Hashing allows for later authentication while defending against compromise of the plaintext password in the event that the database is somehow compromised. A public salt makes it more time-consuming to crack a list of passwords. However, it does not make dictionary attacks harder when cracking a single password. The attacker has access to both the hashed password and the salt, so when running the dictionary attack, the attacker can simply use the known salt when attempting to crack the password.

A common mistake is to use the same salt in each hash. Either the salt is hard-coded into the program, or is generated randomly once. This is ineffective because if two users have the same password, they'll still have the same hash. An attacker can still use a reverse lookup table attack to run a dictionary attack on every hash at the same time. They just have to apply the salt to each password guess before they hash it. If the salt is hard-coded into a popular product, lookup tables and rainbow tables can be built for that salt, to make it easier to crack hashes generated by the product. A new random salt must be generated each time a user creates an account or changes their password.
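The salt reuse mistake described above can be seen directly in a credential table. The sketch below is an added example, not code from the paper: it stores the same constructed accounts once with a hard-coded salt and once with a fresh random salt per account, then runs a defender's audit for identical hashes and reused salts. The function names, the sample accounts and the iteration count are assumptions, and PBKDF2-HMAC-SHA256 is used in place of the single concatenate-and-hash step the text describes.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 20_000  # demo-sized work factor (assumption)


def derive(password, salt):
    # PBKDF2-HMAC-SHA256 stands in for the plain hash(salt + password).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def store_fixed_salt(password, salt=b"hard-coded-salt"):
    """The mistake: one salt shared by every account."""
    return salt, derive(password, salt)


def store_random_salt(password):
    """The fix: a fresh random salt per account and per password change."""
    salt = os.urandom(16)
    return salt, derive(password, salt)


def verify(password, record):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt, stored = record
    return hmac.compare_digest(derive(password, salt), stored)


def audit(table):
    """Defender's check over a credential table {user: (salt, digest)}.

    Returns (groups of users with identical digests,
             groups of users sharing one salt).
    """
    by_digest, by_salt = defaultdict(list), defaultdict(list)
    for user, (salt, digest) in table.items():
        by_digest[digest].append(user)
        by_salt[salt].append(user)
    same_hash = sorted(sorted(u) for u in by_digest.values() if len(u) > 1)
    reused = sorted(sorted(u) for u in by_salt.values() if len(u) > 1)
    return same_hash, reused


# Constructed sample accounts: alice and bob picked the same password.
PASSWORDS = {"alice": "sunshine", "bob": "sunshine", "carol": "tr0ub4dor"}


def build_tables():
    """Store the sample accounts both ways: (fixed-salt table, random-salt table)."""
    fixed = {u: store_fixed_salt(p) for u, p in PASSWORDS.items()}
    fresh = {u: store_random_salt(p) for u, p in PASSWORDS.items()}
    return fixed, fresh
```

With the fixed salt, `audit` reports alice and bob as sharing a hash, so one successful guess exposes both accounts; with per-account salts both lists are empty while `verify` still accepts each user's own password.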

Fig 6. Prevention against password cracks

V. CONCLUSION

There are many methods and techniques that can be used to conduct password cracking, in an online or offline environment. The tools that can guess passwords for different goals, and certain prevention tactics, are presented here. This paper also focused on finding and documenting the commonly available attacks on passwords. After analyzing all cracking strategies, this paper urges users to select passwords that are easy to remember but hard to guess.


VI. ACKNOWLEDGEMENT

This material is based upon work supported under a National Conference on Christ Knowledge City, NATCCOM2K14. Any opinions, findings, conclusions or recommendations expressed in this publication are those of the authors and do not necessarily reflect the views of the National Conference.

VII. REFERENCES

[1] S M Taiabul Haque and Matthew Wright, A Study of User Password Strategy for Multiple Accounts, in International Journal of Computer Applications (0975-8887), Volume 68 No.3
[2] Arvind Narayanan and Vitaly Shmatikov, Fast Dictionary Attacks on Passwords Using Time-Space Tradeoff, The University of Texas at Austin, {arvindn,shmat}@cs.utexas.edu
[3] Mudassar Raza, Muhammad Iqbal, Muhammad Sharif and Waqas Haider, A Survey of Password Attacks and Comparative Analysis on Methods for Secure Authentication, Comsats Institute of Information Technology, Wah Cantt., 47040, Pakistan.
[4] Jim Owens and Jeanna Matthews, A Study of Passwords and Methods Used in Brute-Force SSH Attacks, Department of Computer Science, Clarkson University, 8 Clarkson Avenue, MS 5815, Potsdam, NY 13699, {owensjp, jnm}@clarkson.
[5] Learn Security Online, Inc., Rainbow Tables & RainbowCrack Introduction
[6] Russell Edward Graves, High performance password cracking by implementing rainbow tables on nVidia graphics cards (IseCrack)
[7] Arash Habibi Lashkari, Shoulder Surfing attack in graphical password authentication, in (IJCSIS) International Journal of Computer Science and Information Security, Vol. 6, No. 2, 2009
[8] Ahmad Alamgir Khan, Preventing Phishing Attacks using One Time Password and User Machine Identification, in International Journal of Computer Applications (0975-8887), Volume 68 No.3, April 2013
[9] D. Florencio and C. Herley, A large-scale study of web password habits, in Proceedings of the 16th international conference on World Wide Web, pages 657-666, May 2007.
[10] Haider, S., A. Abbas and A.K. Zaidi, 2000. A Multi Technique Approach for User Identification through Keystroke Dynamics, 2000 IEEE International Conference on Systems, Man and Cybernetics
