Page 55 - Cyber Defense eMagazine - October 2017
How hackers crack passwords
To understand how to construct a strong password, it is important to understand how
hackers crack passwords. In short, the time it takes to crack a password is a function of
three primary things:
1. Key space: the number of different characters which can be used in the
password.
2. Password length: the maximum length of the password.
3. Processing power: the number of passwords which can be generated and
attempted within a period of time, determined in large part by hardware
capability.
There are additional elements, such as the hashing algorithm and the random per-password data added before hashing (called
“salting”), which can influence cracking speed. But in general, the three factors above
will still primarily govern the time it takes to crack a password. Approaches towards
storing passwords vary, but while not recommended, the most common approach I’ve
seen is to store the SHA-1 hash (unsalted) of the original password.
Using this approach, I experimented against passwords from an infographic published
by the PCI Security Standards Council entitled: “It’s time to change your password”:
https://www.pcisecuritystandards.org/documents/PCI-Password-Letter.pdf?agreement=true&time=1502716087229
In this infographic, nine passwords are shown with their respective time to crack the
password. Here’s the list of passwords:
Password        Time to Crack
burger          instantly
burger1         19 seconds
Burger1         14 minutes
123burger       7 hours
Burger123       39 days
hamburger123    37 years
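As an added illustration (not code from the article or from the PCI infographic), the following Python derives each listed password's key space from the character classes it uses, computes the exhaustive-search space (key space to the power of the length), and shows why an unsalted SHA-1 hash is identical for every user who picked the same password while a salted one is not. The guess rate of 1e9 SHA-1 guesses per second and the 33-symbol class size are assumptions; the times it prints are illustrative estimates, not the infographic's figures.

```python
import hashlib
import os
import string

# Character classes and their sizes. The 33-symbol figure (printable ASCII
# punctuation) is an assumption used only for the estimate.
CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation), 33),
}


def key_space(password: str) -> int:
    """Alphabet size a brute-force attack must cover to reach this password:
    the sum of the sizes of every character class the password uses."""
    return sum(n for chars, n in CLASSES.values() if any(c in chars for c in password))


def search_space(password: str) -> int:
    """Candidates of the same length over the same alphabet (key space ** length),
    i.e. the worst case for an exhaustive search."""
    return key_space(password) ** len(password)


def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Time to try every candidate at the given (assumed) guess rate."""
    return search_space(password) / guesses_per_second


def sha1_unsalted(password: str) -> str:
    """The storage scheme the article describes: SHA-1 of the bare password."""
    return hashlib.sha1(password.encode()).hexdigest()


def sha1_salted(password: str, salt: bytes) -> str:
    """Same hash with a per-user random salt prepended (salting, as discussed above)."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


if __name__ == "__main__":
    RATE = 1e9  # assumed guess rate, not a measured figure
    for pw in ["burger", "burger1", "Burger1", "123burger", "Burger123", "hamburger123"]:
        print(f"{pw:14} keyspace={key_space(pw):3} candidates={search_space(pw):.2e} "
              f"time={seconds_to_exhaust(pw, RATE):.2e} s")
    # Unsalted: one precomputed hash matches every user with this password.
    print("unsalted equal:", sha1_unsalted("burger") == sha1_unsalted("burger"))
    # Salted: two users with the same password get different stored hashes.
    print("salted equal:", sha1_salted("burger", os.urandom(16)) == sha1_salted("burger", os.urandom(16)))
```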
Copyright © Cyber Defense Magazine, All rights reserved worldwide.