Abstract
At its heart, a password cracking attack is a modeling problem. An attacker makes guesses about a user’s password until they guess correctly or they give up. While the defender may limit the number of guesses an attacker is allowed, a password’s strength often depends on how hard it is for an attacker to model and reproduce the way in which a user created their password. If humans were effective at practicing unique habits or generating and remembering random values, cracking passwords would be a nearly impossible task. That is not the case, though. A vast majority of people still follow common patterns, from capitalizing the first letter of their password to putting numbers at the end. While people have remained mostly the same, the password security field has undergone major changes in an ongoing arms race between attackers and defenders. The goal of this chapter is to highlight the current state of password cracking techniques, as well as discuss some of the cutting-edge approaches that may become more prevalent in the near future.
Copyright information
© 2018 Springer International Publishing AG, part of Springer Nature
About this chapter
Cite this chapter
Aggarwal, S., Houshmand, S., Weir, M. (2018). New Technologies in Password Cracking Techniques. In: Lehto, M., Neittaanmäki, P. (eds) Cyber Security: Power and Technology. Intelligent Systems, Control and Automation: Science and Engineering, vol 93. Springer, Cham. https://doi.org/10.1007/978-3-319-75307-2_11
DOI: https://doi.org/10.1007/978-3-319-75307-2_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-75306-5
Online ISBN: 978-3-319-75307-2
eBook Packages: Engineering, Engineering (R0)