TL;DR
Passphrases are generally stronger than passwords, but aren’t immune to attack. This guide covers techniques attackers use – from dictionary and rule-based attacks to more sophisticated methods like frequency analysis and mutation fuzzing – and how to defend against them.
Attacking Passphrases: A Step-by-Step Guide
- Understand the Difference
- Passwords are typically random strings.
- Passphrases are sequences of words, making them longer and more memorable. This length is their strength, but also creates vulnerabilities.
- Basic Attacks: Dictionary & Rule-Based
- These attacks work against weak passphrases – common phrases or variations of words.
- Tools like John the Ripper and Hashcat are commonly used.
- Example (Hashcat rule for adding numbers):
$1$abcdefg1234567890This adds sequential numbers to a dictionary word.
- Wordlist Generation: Expanding the Attack Surface
- Attackers create custom wordlists based on target information (e.g., hobbies, interests, location).
- Tools like Crunch can generate lists of possible words and combinations:
crunch 3 8 -d @/usr/share/wordlists/rockyou.txtThis generates all 3-8 character combinations from the rockyou wordlist.
- Frequency Analysis
- Passphrases often use common words in predictable order. Attackers analyse text corpora to identify likely word sequences.
- This is more effective with longer passphrases where the overall structure becomes apparent.
- Tools can automatically generate potential passphrases based on frequency data.
- Mutation Fuzzing
- Starts with a known passphrase (or seed words) and systematically mutates it to create variations.
- Mutations include:
- Capitalisation changes
- Adding numbers or symbols
- Replacing words with synonyms
- Inserting common separators (spaces, hyphens, underscores)
- Contextual Attacks
- Exploits information about the user or system.
- Example: If a user mentions their pet’s name and birth year publicly, attackers will try combinations like “petname birthyear”.
- Social engineering plays a key role in gathering this context.
- Hybrid Attacks
- Combines multiple techniques for increased effectiveness.
- Example: Using frequency analysis to generate a wordlist, then applying rule-based mutations.
- GPU Acceleration
- Password cracking is computationally intensive. GPUs significantly speed up the process.
- Hashcat supports GPU acceleration for faster cracking.
- Defending Against Passphrase Attacks
- Length is Key: Encourage passphrases of at least 12-16 words.
- Randomness: Avoid predictable word sequences or common phrases.
- Complexity: Include a mix of uppercase, lowercase, numbers and symbols (but prioritise length).
- Password Managers: Generate and store strong passphrases securely.
- Multi-Factor Authentication (MFA): Adds an extra layer of security even if the passphrase is compromised.
- Regular Monitoring: Look for breached credentials in data leaks.