Passphrase Cracking: Advanced Techniques

TL;DR

Passphrases are generally stronger than passwords, but aren’t immune to attack. This guide covers techniques attackers use – from dictionary and rule-based attacks to more sophisticated methods like frequency analysis and mutation fuzzing – and how to defend against them.

Attacking Passphrases: A Step-by-Step Guide

1. Understand the Difference

• Passwords are typically random strings.
• Passphrases are sequences of words, making them longer and more memorable. This length is their strength, but also creates vulnerabilities.

Basic Attacks: Dictionary & Rule-Based

• These attacks work against weak passphrases – common phrases or variations of words.
• Tools like John the Ripper and Hashcat are commonly used.
• Example (Hashcat rule for adding numbers):

  $1$abcdefg1234567890

  This adds sequential numbers to a dictionary word.

Wordlist Generation: Expanding the Attack Surface

• Attackers create custom wordlists based on target information (e.g., hobbies, interests, location).
• Tools like Crunch can generate lists of possible words and combinations:

  crunch 3 8 -d @/usr/share/wordlists/rockyou.txt

  This generates all 3-8 character combinations from the rockyou wordlist.

Frequency Analysis

• Passphrases often use common words in predictable order. Attackers analyse text corpora to identify likely word sequences.
• This is more effective with longer passphrases where the overall structure becomes apparent.
• Tools can automatically generate potential passphrases based on frequency data.

Mutation Fuzzing

• Starts with a known passphrase (or seed words) and systematically mutates it to create variations.
• Mutations include:
• Capitalisation changes
• Adding numbers or symbols
• Replacing words with synonyms
• Inserting common separators (spaces, hyphens, underscores)

Contextual Attacks

• Exploits information about the user or system.
• Example: If a user mentions their pet’s name and birth year publicly, attackers will try combinations like “petname birthyear”.
• Social engineering plays a key role in gathering this context.

Hybrid Attacks

• Combines multiple techniques for increased effectiveness.
• Example: Using frequency analysis to generate a wordlist, then applying rule-based mutations.

GPU Acceleration

• Password cracking is computationally intensive. GPUs significantly speed up the process.
• Hashcat supports GPU acceleration for faster cracking.

Defending Against Passphrase Attacks

1. Length is Key: Encourage passphrases of at least 12-16 words.
2. Randomness: Avoid predictable word sequences or common phrases.
3. Complexity: Include a mix of uppercase, lowercase, numbers and symbols (but prioritise length).
4. Password Managers: Generate and store strong passphrases securely.
5. Multi-Factor Authentication (MFA): Adds an extra layer of security even if the passphrase is compromised.
6. Regular Monitoring: Look for breached credentials in data leaks.