What is a password hash?
User passwords are usually not stored in plain text but as so-called hashes. A hash can be described as a digital fingerprint, which is always the same length and independent of the length of the specified password. A digital fingerprint (hash) is realized by a hash function. There are a variety of different hash functions, such as MD5, SHA family, NTLM, bcrypt, PBKDF2, etc.
SHA-256 hash of «password» is.
SHA-256 hash of «Password» is
From a security point of view, cryptographic hash functions have an important property: the hash value can be calculated from the password, but recovering the password from the hash value is like a game of chance.
Tip: Hash functions MD5 and SHA1 are considered cryptographically weak from todays perspective and should no longer be used.
What do I do with password hashes?
Hashes can be intercepted on the internal network using NTLM relaying attack. These hashes can be used for pass-the-hash attacks, for example. However, there are other ways to profitably abuse a password hash, namely by recovering the original plaintext password from the password hash. In technical jargon, this is known as «password cracking».
To increase the robustness of user passwords, every company usually has a so-called password policy. This defines minimum requirements that must be met when choosing a password. For example, the password must be at least 14 characters long and contain at least two digits and special characters. Thus, by means of enforced password policy, an attempt is made to prevent easy-to-guess passwords.
In practice, it is often difficult to subsequently verify compliance with the password policy. For this reason, one simply relies on the common sense of the employees without any audit.
Tip: In general, it is recommended to follow proven standards from NIST, SANS and CIS. Referring to the CIS Password Policy Guide, a minimum password length of 14 characters is recommended.
To replicate the structure of an organization and centrally manage the use of network resources, most companies use Active Directory. The password hashes from the Microsoft Windows Server directory service (Active Directory) - the so-called NTLM hashes - are particularly suitable for a quality analysis of the passwords used. These can be efficiently back-calculated in comparison to the other password hashes by a password cracking attack.
To crack the password hashes in a reasonable time, normal computers are too slow. One needs a computer with high computing power. Such machines are equipped with one or more powerful graphics cards, since modern GPUs can perform computational operations on large amounts of data particularly efficiently. Such a computer can be called a cracking station.
Our experience has shown that up to 80% of user passwords can be cracked during a password cracking operation. Among these users there is a significant percentage of administrators, as well as other privileged roles in the company. Such user accounts are valuable prey for the attacker, because an administrator account has a good chance of spreading across the internal network.
Password cracking service module
It is not directly apparent whether an internal password policy has weaknesses and is being adhered to by employees. With the help of this service module it is possible to find out whether user passwords have the desired robustness and whether the current password policy is adhered to by privileged users.
terreActive has its own cracking station, which has been optimized for offline password cracking attacks. The service module «password cracking»is about recalculating the user passwords from the password hashes.
- The goal of this service module is to find out whether employees - including administrators and other privileged users - comply with the internal password policy.
- Furthermore, it is important to identify whether the current password policy has weaknesses in terms of minimum length or complexity.
- Thus, the quality of the user passwords used is analyzed.
More information in the CIS Password Policy Guide
The cracking process takes place on the customers premises. The terreActive cracking station is lent to the customer for this period. Thereby terreActive takes over the following work: The preparation and execution of the cracking process, the evaluation of results, the preparation of the report, etc. The contribution of the customer is the export of the password hashes from the Active Directory as well as the organization of the secure space for the cracking station.
The cracking station is neither connected to the customer's network nor to the Internet. Thus, the cracking process takes place completely offline.
The evaluation of the results is carried out by terreActive at the customer's site. Great importance is attached to the confidentiality of the processed data. The cracked passwords are evaluated anonymously and affected user accounts are documented. The cracked passwords are neither included in the report nor made available to the customer. The results of the cracking process as well as the provided password hashes will be deleted by terreActive after the evaluation in such a way that they cannot be recovered. In addition, the corresponding hard disk is removed and handed over to the customer.
Tip: Upon request, terreActive optionally offers a lecture on the topic of secure passwords. To better illustrate the problematic nature of passwords, a live demonstration is given showing how a supposedly secure password is cracked by our cracking station within a very short time.
The password cracking service module sheds light on the problem and answers the following questions:
- Is the current password policy being adhered to by employees?
- Does the current password policy have any weaknesses?
- How great is the risk that an employees user account could be compromised?
- Where is there potential for improvement?
Tips and tricks - Try this!
To protect yourself against password cracking attacks, it is recommended to choose the strongest possible passwords. Theoretically, this is quite simple - the password should have a certain complexity, be long and chosen as randomly as possible, so that it neither follows a pattern nor can be found in a dictionary. In practice, however, this leads to users being unable to remember passwords and therefore using simple passwords.
In the following, we will present a few tips and tricks on how to choose a strong password and remember it.
Abbreviations of complete sentences
A long sentence is formed, which is easy to remember. Now only the first letters of each word are used. It is recommended to include at least two special characters and two digits to increase the complexity and thus the robustness of the password. The uppercase letters, numbers and special characters should not be chosen at the beginning or at the end (thus common patterns can be effectively bypassed). In addition, it is recommended to keep a password length of at least 14 characters.
Here is an example: I am going to the cinema tonight at 8pm, because I am not working tomorrow
This results in the following password: Iagttcta8pm,bIanwt
This way it is possible to remember cryptic passwords better. Have fun with your next password choice!
Word combinations peppered with special characters
With this approach the following motto applies: «Length beats complexity». As the name suggests, this is a long password that consists of several words. The password should consist of at least five words. It is important that single words do not come from the same category. (Colors, names, seasons, animals, countries, toys, plants, professions, vehicles, electrical appliances, sports, etc.) In addition, your own first and last name should not appear in the password. Furthermore, it is recommended that a password is composed of several word types such as noun, verb, adjective, etc.
Here are a few examples:
Long passwords are particularly robust and difficult to crack in practice because they are a decent length. Such passwords are difficult to remember, so it is recommended to use a mnemonic device. Here, the first letters of each word are used, thus representing an abbreviation.
Abbreviation for above mentioned passwords would be ALEXA, TANJA and DENIS.
In addition, measures should be taken to make it as difficult as possible for an attacker to tap the password hashes within the company network. For this purpose, preventive protection measures have to be implemented, which depend on the used network protocols and systems and are therefore very customer specific. terreActive can support you with a site assessment, where security risks are specifically considered for exposed hashes.Get more security today, just ask.