
Password Cracking: Heuristics to Speed Things Up

TL;DR

Brute-force password cracking is slow. Heuristics – smart guesses based on common patterns – significantly speed up the process by focusing efforts on likely passwords first. This guide explains key heuristics and how they’re used.

Understanding Password Cracking & Heuristics

Brute-force attacks try every possible password combination until the correct one is found. This takes a very long time, especially with strong passwords. Heuristics are rules or shortcuts that help us guess more effectively. They don’t guarantee success but dramatically reduce the search space.

Improving Cracking Speed: Common Heuristics

  1. Dictionary Attacks:
    • Use a pre-made list of common passwords (a dictionary).
    • Expand this with variations (capitalisation, numbers, symbols).
    • Tools like John the Ripper and Hashcat are excellent for this.
  2. Rule-Based Attacks:
    • Apply rules to dictionary words to create more possibilities. For example:
      • Capitalize first letter
      • Append numbers (1, 2, 3…)
      • Replace letters with similar characters (‘a’ with ‘@’, ‘e’ with ‘3’)
    • Hashcat uses rule files to define these transformations. Each line of a rule file is a sequence of single-character functions applied to every dictionary word, producing one candidate per word per line. Example rule file snippet:
      c
      $1
      $1 $2 $3
      sa@ se3
      c sa@ $1

      These lines capitalise the first letter, append “1”, append “123”, replace ‘a’ with ‘@’ and ‘e’ with ‘3’, and combine the three. Because each rule appends fixed characters, “append any 1 to 4 digits” is not a single rule: it takes 11,110 separate suffix rules (10 + 100 + 1,000 + 10,000), or, more commonly, a hybrid attack (-a 6) that appends a ?d?d?d?d mask to each word.

  3. Combination Attacks:
    • Combine dictionary words with common patterns (e.g., year of birth).
    • Useful when you have some information about the target.
  4. Mask Attacks:
    • Define a password pattern using character classes (?d digit, ?l lowercase, ?u uppercase, ?s symbol) at fixed positions.
    • ?d?d?d?d?d?d

      Tries all six-digit passwords.

    • ?l?l?l?l?l?l?l?l

      Tries all eight-character lowercase passwords.

    • ?u?l?u?l?u?l?u?l

      Alternating uppercase and lowercase letters, 8 characters long.

  5. Incremental Attacks:
    • Try passwords in sequential order (e.g., aaaa, aaab, aaac…).
    • Useful for short, simple passwords but very slow for longer ones.
  6. Character Set Based Attacks:
    • Specify the characters to use in the password (e.g., lowercase letters only). This reduces the search space.
    • Hashcat allows you to define custom character sets.
  7. Time-Based Heuristics:
    • Target passwords likely based on dates or events (birthdays, anniversaries).
    • Combine with dictionary words related to the target’s interests.

Tools & Techniques

John the Ripper and Hashcat are the most popular password cracking tools.

  • John the Ripper: User-friendly, good for dictionary attacks.
  • Hashcat: More powerful, supports a wider range of heuristics and hardware acceleration (GPUs).

Example Hashcat command using a dictionary attack:

hashcat -m <hash_type> -a 0 <hash_file> <wordlist>

(Replace <hash_type> with the hash algorithm, <hash_file> with the file containing the hashes, and <wordlist> with the path to your dictionary. -a 0 selects the straight dictionary attack mode.)

Important Considerations

  • Salted Hashes: Salts are random values added to passwords before hashing. This makes rainbow tables ineffective and requires cracking each password individually.
  • Key Stretching: Algorithms like bcrypt, scrypt, and Argon2 slow down the hashing process, making brute-force attacks more difficult.
  • Password Complexity Policies: Strong policies (minimum length, character requirements) significantly increase password strength and reduce cracking success rates.
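As an added example (not code from the article or from Hashcat), a short Python model of the rule-based and mask heuristics above, turned to the defender's use of judging how exposed a given password is: it applies hashcat-style rule functions to a constructed mini dictionary, derives the mask a mask attack would need to reach a password, and compares time-to-exhaust under a fast unsalted hash versus a key-stretching hash. The guess rates, wordlist and rules are all assumptions, not benchmarks.

```python
import re
import string

# Added example, not code from the article or from Hashcat: a defender-side model
# of the rule and mask heuristics above. Rates, words and rules are constructed.
CHARSETS = {  # hashcat built-in charsets; ?s is space plus 32 punctuation marks
    "l": string.ascii_lowercase, "u": string.ascii_uppercase,
    "d": string.digits, "s": " " + string.punctuation,
}
RATES = {"MD5": 1e10, "bcrypt": 1e5}  # constructed guesses/second, illustrative

def apply_rule(word, rule):
    """Apply a hashcat-style rule line (subset: c, $X, sXY; space separated)."""
    for f in rule.split():
        if f == "c":                          # capitalise first, lower the rest
            word = word[:1].upper() + word[1:].lower()
        elif f[0] == "$" and len(f) == 2:     # append character X
            word += f[1]
        elif f[0] == "s" and len(f) == 3:     # replace every X with Y
            word = word.replace(f[1], f[2])
        else:
            raise ValueError(f"unsupported rule function: {f}")
    return word

def derivable(password, wordlist, rules):
    """True if some rule applied to some dictionary word yields the password."""
    return any(apply_rule(w, r) == password for w in wordlist for r in rules)

def mask_of(password):
    """Mask (e.g. ?u?l?l?d) a per-position mask attack needs to reach it."""
    return "".join(next(("?" + k for k, cs in CHARSETS.items() if ch in cs), ch)
                   for ch in password)

def mask_keyspace(mask):
    """Candidates a mask generates; a literal character counts as one choice."""
    total = 1
    for sym, _lit in re.findall(r"\?([luds])|(.)", mask):
        total *= len(CHARSETS[sym]) if sym else 1
    return total

def seconds_to_exhaust(mask, algorithm):
    """Time to try every candidate of the mask at the assumed rate."""
    return mask_keyspace(mask) / RATES[algorithm]

if __name__ == "__main__":
    words, rules = ["summer", "password"], ["c", "c $1", "c $2 $4", "sa@ se3"]
    for pw in ["Summer24", "p@ssword", "Tr0ub4dor&3"]:
        m = mask_of(pw)
        print(f"{pw:12} derivable={derivable(pw, words, rules)!s:5} mask={m}",
              f"MD5={seconds_to_exhaust(m, 'MD5'):.3g}s",
              f"bcrypt={seconds_to_exhaust(m, 'bcrypt'):.3g}s")
```

Running it shows that a password derivable from a dictionary word falls to a handful of rules regardless of hash, while for the mask attack only the key-stretching rate moves the exhaust time from seconds to days.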