Password Cracking Defined
Password cracking (also called password hacking) is an attack vector in which an attacker attempts to recover or guess a password in order to authenticate without authorization. It combines programmatic techniques, manual steps, and automation with specialized tools, referred to as ‘password crackers’, to compromise a password. Increasingly, these tools leverage AI to improve cracking speed and efficiency. Passwords can also be stolen by other means, such as memory-scraping malware, shoulder surfing, third-party breaches, and information-stealing malware like the RedLine password stealer.
A password can refer to any string of characters or secret used to authenticate an authorized user to a resource. Passwords are typically paired with a username or other mechanism to provide proof of identity. This combination is referred to as credentials.
Compromised passwords are involved in most breaches today. Google Cloud’s 2023 Threat Horizons Report found that 86% of breaches leveraged stolen credentials, and the IBM X-Force Threat Intelligence Index 2024 reported a 71% year-over-year increase in the volume of attacks using valid credentials. This reflects attackers shifting from traditional vulnerability exploitation to identity-based attacks as the identity attack surface has multiplied and grown far more complex.
When a compromised account holds privileges, the threat actor can circumvent other security controls, move laterally, and compromise further passwords. This is why highly privileged credentials are the most important credentials to protect. That said, almost any identity today has some path to privilege via one SaaS account or another, blurring the definition of what a privileged identity means.
This in-depth article by BeyondTrust highlights password vulnerabilities and risks that give attackers an edge, and provides an overview of password cracking motives, techniques, tools, and defenses.
Passwords: A Brief History Lesson
Humans have relied on passwords since the early days of civilization. A “pass word” was a word that let its bearer pass a security checkpoint, a practice that dates back to the Roman Empire. Unlike today, the password was the same for everyone. It was not proof of identity but something closer to role-based access control: it represented a ‘claim’ that you were authorized to access the resource, but it could not validate who you actually were. The weakness is that the method relies entirely on everyone who knows the password keeping it secret.
Passwords have long been recognized as the Achilles’ heel of identity security, and the death of the password and the arrival of a passwordless future have been predicted for decades. Yet the number of enterprise identities keeps climbing steeply, driven primarily by the explosion of machine identities. A Venafi study estimated the number of machine identities at 250,000 per enterprise, following a 41% year-over-year increase, and various other recent studies estimate that machine identities outnumber human ones by several dozen to one.
While passwordless approaches are gaining momentum, they remain niche, are difficult to retrofit onto legacy technology, and often still depend on a password-like secret (for example, a PIN that unlocks a device-bound key). One welcome shift is that a password is now less likely to be the sole security mechanism, thanks to technology like biometrics and multi-factor authentication (MFA).
Understanding Password Hacking Psychology
Valid credentials (a username and password) let a user authenticate to a resource. Once a username is known to a threat actor, obtaining the account’s password becomes the hacking exercise.
Often, a threat actor first targets a systems administrator, since their credentials may grant direct access to sensitive data and systems. Such privileged credentials let the attacker move laterally while arousing little or no suspicion, and even compromise other accounts to maintain persistence. Once credentials are compromised, everything that account is privileged to reach is fair game for the attacker.
Compromised credentials for the most sensitive accounts (domain administrator, database administrator, etc.) can be a “game over” event for some companies. Those accounts and their credentials are a prime target for privilege escalation attacks.
Attackers Have the Advantage
Attackers typically hold at least two advantages over defenders:
- Time: they can take a slow, scatter-gun approach to gaining access rather than an all-at-once attack that may trip multiple security alarms.
- Automated password cracking toolsets, increasingly powered by machine learning (ML) and AI, that run the attack autonomously using techniques chosen to avoid detection.
Password crackers can try passwords at a slow, measured pace to avoid triggering account lockouts on individual accounts. If a cracker tries only one password every 10 minutes per account, 100,000 passwords take roughly 1,000,000 minutes, or about 1.9 years, per account. Sensibly, the attacker instead tries each password against every account they know of, in a potentially random order (a password spray attack). This works because few systems correlate failed attempts across accounts: each account sees only a handful of failures, well under its lockout threshold, so detection has to key on the source of the attempts (or on the spray’s timing) rather than on the account. Even when a Security Information and Event Management (SIEM) or User and Entity Behavior Analytics (UEBA) system is active, the defensive options are limited. You cannot lock out every account, and blocking the source IP address simply results in a new IP taking up the attack, if the attack is not already distributed across hundreds or even thousands of IP addresses.
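The cross-account correlation the paragraph says most systems lack is straightforward to build. The following is an added example, not code from the BeyondTrust article: a detector that parses constructed sshd-style auth.log lines, counts how many distinct accounts each source address failed against inside a sliding window, and keeps the classic per-account lockout counter alongside it to show that the counter stays silent on a well-paced spray. The log lines, host name, addresses, window sizes and thresholds are all constructed for illustration.

```python
"""
Added example (not part of the BeyondTrust article): a cross-account
password-spray detector run over constructed sshd-style auth.log lines.

A sprayer tries one password against many accounts and stays under every
account's lockout threshold, so a counter keyed on the account never fires.
The detector below keys on the source address instead and counts how many
distinct usernames it failed against inside a sliding window. The log lines,
host name, addresses, window sizes and thresholds are constructed for this
example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches OpenSSH's "Failed password" line; successful logins and other
# daemons fall through and are ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse_failed_logins(lines, year=2024):
    """Return (timestamp, user, src) tuples for failed logins, sorted by time.
    syslog timestamps carry no year, so one is supplied."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["src"]))
    events.sort()
    return events


def max_in_window(events, key, window, value=None):
    """For each key(ev), the largest number of events (value=None) or of
    distinct value(ev) observed inside any trailing `window`.
    Events must be sorted by timestamp."""
    recent = defaultdict(deque)  # key -> deque of (ts, value) still in window
    peak = defaultdict(int)
    for ev in events:
        ts, k = ev[0], key(ev)
        q = recent[k]
        q.append((ts, value(ev) if value else None))
        while ts - q[0][0] > window:
            q.popleft()
        n = len(q) if value is None else len({v for _, v in q})
        peak[k] = max(peak[k], n)
    return dict(peak)


def detect_spray(events, window=timedelta(minutes=60), min_accounts=5):
    """Sources that failed against >= min_accounts distinct accounts in a window."""
    per_src = max_in_window(events, key=lambda e: e[2], window=window,
                            value=lambda e: e[1])
    return {src: n for src, n in per_src.items() if n >= min_accounts}


def lockout_candidates(events, window=timedelta(minutes=30), threshold=5):
    """The classic per-account control: accounts whose failures reached
    `threshold` inside a window. A well-paced spray never shows up here."""
    per_user = max_in_window(events, key=lambda e: e[1], window=window)
    return {user: n for user, n in per_user.items() if n >= threshold}


SPRAY_TARGETS = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]


def constructed_auth_log():
    """Constructed sample: 203.0.113.5 sprays two passwords across eight
    accounts, three minutes apart, so no account sees more than two failures
    in an hour; 198.51.100.7 is bob mistyping his own password three times."""
    lines = []
    for rnd, start in enumerate((0, 30)):
        for i, user in enumerate(SPRAY_TARGETS):
            lines.append(
                f"Jan 10 09:{start + 3 * i:02d}:{7 * i % 60:02d} bastion "
                f"sshd[{4400 + 100 * rnd + i}]: Failed password for {user} "
                f"from 203.0.113.5 port {51000 + i} ssh2"
            )
    lines += [
        "Jan 10 10:10:05 bastion sshd[5102]: Failed password for bob from 198.51.100.7 port 40100 ssh2",
        "Jan 10 10:11:12 bastion sshd[5103]: Failed password for bob from 198.51.100.7 port 40101 ssh2",
        "Jan 10 10:12:40 bastion sshd[5104]: Failed password for bob from 198.51.100.7 port 40102 ssh2",
        "Jan 10 10:13:01 bastion sshd[5105]: Accepted password for bob from 198.51.100.7 port 40103 ssh2",
    ]
    return lines


if __name__ == "__main__":
    events = parse_failed_logins(constructed_auth_log())
    print("failed logins parsed:", len(events))                 # 19
    print("per-account lockouts:", lockout_candidates(events))  # {}
    print("spray sources:", detect_spray(events))               # {'203.0.113.5': 8}
```

On the sample data the per-account lockout counter never reaches its threshold (the busiest account, bob, peaks at three failures, and those come from his own address), while the per-source view flags 203.0.113.5 for failing against eight distinct accounts in under an hour. In production the same logic applies to Windows 4625 events or cloud sign-in logs; the source key can also be a user agent or an ASN when the spray is distributed across many addresses.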
The optimal defense against this kind of attack is simply not to use a password that appears on such a list. Forced frequent password changes invite laziness, so “password” becomes “p@ssw0rd” and then “Password!”. Every password cracker is aware of these habits. Replacing letters with numbers and symbols is an equally predictable practice: 3 for E, 4 for A, @ for a. Password cracking tools ship with rule sets that generate exactly these variations from a base word.
Attackers seek to learn the password policy in force: minimum and maximum length, and which character classes are required. For example, must the password include upper-case and lower-case letters, numbers, symbols, or some combination? Attackers are also interested in restrictions placed on passwords, such as:
- Must include an upper-case letter
- Must not start with a number or symbol
- Must contain a minimum number of a particular character type, or of characters from a particular language or script
Every such rule, including rules against repeated characters, shrinks the set of strings a valid password can be. These composition controls therefore reduce the number of combinations the attacker must consider and undermine the password’s resistance to guessing. Password cracking tools have options to define these restrictions so that the attack never wastes time on candidates the policy would have rejected.
For individual users and personal accounts, this kind of attack is unlikely to succeed: repeated attempts on a single account are likely to trigger a lockout, and a brute-force attack at low velocity would take impractically long to find the right login combination, even for relatively short passwords.
Password hacking tools are ideal for automated password guessing across multiple accounts, but they are equally adept at trawling through data looking for common themes, phrases, and personal information that can seed a wordlist.
Common Password Attack Methods
In this section, we will look at common password cracking techniques. Some of these techniques overlap in tools and methodology, and attackers often blend multiple complementary tactics to improve their chances of success.
Read the whole article here.
___
If this information is helpful to you, read our blog for more interesting and useful content, tips, and guidelines on similar topics. Contact the team of COMPUTER 2000 Bulgaria now if you have a specific question; our specialists will assist you with your query.
Content curated by the team of COMPUTER 2000 on the basis of news in reputable media and marketing materials provided by our partners, companies, and other vendors.