Password Cracking & Encryption Security

G5 Cyber Security

2 weeks ago

TL;DR

Your password encryption is likely vulnerable to attacks. This guide shows you how attackers crack passwords and what steps you can take to improve your security, including using strong passwords, multi-factor authentication (MFA), salting & hashing, key stretching, and regularly updating software.

Understanding the Attacks

Attackers don’t usually try to break encryption directly. They focus on cracking the passwords used to encrypt/decrypt data. Here are common methods:

Brute-Force Attack: Trying every possible password combination until the correct one is found.
Dictionary Attack: Using a list of common passwords and variations.
Rainbow Table Attack: Precomputed tables of hashes to quickly find passwords.
Credential Stuffing: Using stolen usernames and passwords from other breaches.

How Password Cracking Works

When you enter a password, it’s not stored directly. Instead, a hash is created. A hash is a one-way function – easy to compute the hash from the password, but very difficult to get the password back from the hash.

Attackers try to find passwords that produce the same hash as those in your system’s database.

Steps to Improve Password Encryption Security

Use Strong Passwords:

Minimum 12 characters, ideally longer.
Mix uppercase and lowercase letters, numbers, and symbols.
Avoid personal information (birthdays, names).
Use a password manager to generate and store strong passwords.

Enable Multi-Factor Authentication (MFA):

Adds an extra layer of security beyond just the password. Examples include codes sent to your phone or authenticator apps.

Salt & Hash Passwords:

Salting adds a unique random string to each password before hashing. This makes rainbow table attacks much harder because attackers need to create separate tables for each salt.

# Example (Python - using hashlib)

import hashlib
import os

def hash_password(password):
  salt = os.urandom(16)
  salted_password = salt + password.encode('utf-8')
  hashed_password = hashlib.sha256(salted_password).hexdigest()
  return salt.hex() + ':' + hashed_password

def verify_password(entered_password, stored_hash):
    salt, hashed_password = stored_hash.split(':')
    salt = bytes.fromhex(salt)
    salted_password = salt + entered_password.encode('utf-8')
    new_hashed_password = hashlib.sha256(salted_password).hexdigest()
    return new_hashed_password == hashed_password

Key Stretching:

Repeatedly hashing the password multiple times (e.g., using PBKDF2, bcrypt, scrypt) makes brute-force attacks slower and more resource-intensive.

# Example (Python - using bcrypt)

import bcrypt

def hash_password_bcrypt(password):
  hashed = bcrypt.hashpw(password.encode('utf-8'), bcrypt.gensalt())
  return hashed.decode('utf-8')

def verify_password_bcrypt(entered_password, stored_hash):
  return bcrypt.checkpw(entered_password.encode('utf-8'), stored_hash.encode('utf-8'))

Regularly Update Software:

Software updates often include security patches that fix vulnerabilities.

Limit Password Reuse:

If one account is compromised, attackers can try the same password on other services.

Monitor for Breaches:

Use websites like Have I Been Pwned? to check if your email address has been involved in data breaches.