Blog | G5 Cyber Security

Password Cracking & Generation Security

TL;DR

Yes, a password cracker can reverse engineer your generation method if it’s predictable or uses common patterns. To protect yourself, use strong, random methods and avoid easily guessable information. Salting and key stretching are essential for secure storage.

Understanding the Risk

Password crackers don’t just try every possible combination (brute-force). They analyse existing passwords (often from data breaches) to identify patterns in how people create them, and then focus on those patterns. If your password generation is weak, a cracker can quickly figure it out.

Steps to Improve Password Generation Security

  1. Use a Cryptographically Secure Random Number Generator (CSPRNG)
    • Don’t rely on simple rand() functions. These aren’t strong enough for security purposes.
    • In Python, use the secrets module:
      import secrets
      random_number = secrets.randbelow(10) # Generates a random number between 0 and 9
    • In other languages, look for equivalent CSPRNGs (e.g., /dev/urandom on Linux/Unix systems).
  2. Increase Password Length
    • Longer passwords take exponentially longer to crack.
    • Aim for at least 12 characters, and preferably more (16+ is recommended).
  3. Use a Variety of Characters
    • Include uppercase letters, lowercase letters, numbers, and symbols.
    • Avoid predictable sequences or patterns.
  4. Avoid Dictionary Words & Personal Information
    • Crackers use wordlists based on common words, names, dates, etc.
    • Don’t base passwords on your name, birthday, pet’s name, or anything easily associated with you.
  5. Consider a Password Manager
    • Password managers generate and store strong, unique passwords for each site.
    • They also handle the complexity of remembering multiple passwords.

Securing Stored Passwords (Important!)

Even if you generate a strong password, it’s vulnerable if stored incorrectly. Never store passwords in plain text!

  1. Hashing
    • Use a strong hashing algorithm like bcrypt, Argon2, or scrypt.
    • These algorithms transform the password into an irreversible string of characters.
      # Example using Python and bcrypt (requires installation: pip install bcrypt)
      import bcrypt
      hashed_password = bcrypt.hashpw(b'your_password', bcrypt.gensalt())
      print(hashed_password)
  2. Salting
    • A salt is a random string added to the password before hashing.
    • This prevents attackers from using pre-computed tables of common passwords (rainbow tables).
    • The salt should be unique for each password.
  3. Key Stretching
    • Key stretching repeatedly hashes the password, making it more computationally expensive to crack.
    • bcrypt, Argon2 and scrypt all incorporate key stretching.
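The generation steps above and the hashing, salting and key-stretching points in this section, worked through together in one added example (not code from the original post). It uses only the Python standard library: secrets for a CSPRNG-backed generator, and hashlib.scrypt for a salted, stretched hash; the scrypt work factors and the 16-byte salt length are assumed values chosen here, not taken from the post.

```python
import hashlib
import hmac
import math
import os
import secrets
import string

# Character classes from the "Use a Variety of Characters" step (94 symbols).
ALPHABET = string.ascii_lowercase + string.ascii_uppercase + string.digits + string.punctuation

# scrypt work factors (assumed values; raise N until hashing costs tens of ms on your hardware).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def generate_password(length: int = 16) -> str:
    """Draw every character from the OS CSPRNG via the secrets module.

    Candidates are re-drawn until each character class is present, so a
    generated password never silently ends up as, say, all lowercase.
    """
    if length < 12:
        raise ValueError("use at least 12 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).

    The class requirement in generate_password trims this by a fraction of a bit.
    """
    return length * math.log2(alphabet_size)


def hash_password(password: str) -> tuple[bytes, bytes]:
    """Return (salt, key). A fresh salt per password defeats rainbow tables;
    scrypt's N/r/p parameters are the key stretching."""
    salt = os.urandom(16)  # unique per password, stored alongside the key
    key = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, key


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    key = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(key, expected)
```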

Checking Password Strength

Tools can help you assess your password’s strength:
