Feb 26, 2025The Hacker NewsIdentity Protection / Password SecurityPasswords are rarely appreciated until a security breach occurs; suffice to say, the importance of a strong password becomes clear only when faced with the consequences of a weak one. However, most end users are unaware of just how vulnerable their passwords are to the most common password-cracking methods. The following are the three common techniques for cracking passwords and how to defend against them.Brute force attackBrute force attacks are straightforward yet highly effective techniques for cracking passwords. These attacks involve malicious actors using automated tools to systematically try every possible password combination through repeated login attempts. While such tools have existed for years, the advent of affordable computing power and storage has made them even more efficient today, especially when weak passwords are used.How it worksWhen it comes to brute force attacks, malicious actors employ a range of tacticsfrom simple brute force attacks that test every possible password combination to more nuanced approaches like hybrid and reverse brute force attacks. Each method has a distinct strategy behind it, but the motives behind brute force attacks are the same: to gain unauthorized access to protected data or resources.Some popular automated tools for carrying out brute force attacks include:John the Ripper: a multiplatform password cracker with support for 15 different operating systems and hundreds of hashes and cipher typesL0phtCrack: a tool that uses rainbow tables, dictionaries, and multiprocessor algorithms to crack Windows passwordsHashcat: a cracking/password recovery utility that supports five unique modes of attack for over 300 highly-optimized hashing algorithmsExamplesBack in August 2021, U.S. mobile operator T-Mobile fell victim to a data breach that started with a brute force attack. The security compromise resulted in the exposure of over 37 million customer records containing sensitive data like social security numbers, driver's license information, and other personally identifiable data.Defense measuresUsers should choose strong, complex passwords and multi-factor authentication (MFA) to protect against brute force attacks. Administrators should implement account lockout policies and continuously audit their Windows environments for weak and breached passwords. Tools like Specops Password Auditor can automate these processes across expansive IT environments.Dictionary attackIn a password dictionary attack, cyber attackers try to gain access by using a list of common passwords or words from a dictionary. This predefined word list typically includes the most often used words, phrases, and simple combinations (i.e., "admin123"). Password dictionary attacks underscore the importance of complex, unique passwords, as these attack types are especially effective against weak or easily guessable passwords.How it worksThe process starts with compiling a list of potential passwords from data breaches, common password lists, or publicly available resources. Using an automated tool, malicious actors perform a dictionary attack, systematically testing each password against a target account or system. If a match is found, the hacker can gain access and carry out subsequent attacks or movements.ExamplesMalicious actors used password dictionaries to crack hashed passwords in several high-profile security incidents, such as the 2013 Yahoo data breach and the 2012 LinkedIn data breach. This allowed them to steal the account information of billions of users.Defense measuresWhen creating or resetting passwords, users should use a combination of letters, numbers, and special characters, and avoid using common words or easily guessable phrases. Administrators can implement password complexity requirements in their policies to enforce these mandates across the organization. Rainbow table attacksA rainbow table attack uses a special table (i.e., a "Rainbow Table) made up of precomputed strings or commonly used passwords and corresponding hashes to crack the password hashes in a database.How it worksRainbow table attacks work by exploiting chains of hashing and reduction operations to efficiently crack hashed passwords. Potential passwords are first hashed and stored alongside their plaintext counterparts in the rainbow table, then processed with a reduction function that maps them to new values, resulting in a chain of hashes. This process is repeated multiple times to build the rainbow table. When hackers obtain a hash list, they can reverse lookup each hash value in the rainbow tableonce a match is identified, the corresponding plaintext password is exposed.ExamplesWhile salting (a method of adding random characters to passwords before hashing) has reduced the effectiveness of rainbow table attacks, many hashes remain unsalted; additionally, advances in GPUs and affordable hardware have eliminated the storage limitations once associated with rainbow tables. As a result, these attacks continue to be a likely tactic in current and future high-profile cyber-attacks.Defense measuresAs mentioned previously, salted hashes have significantly reduced the effectiveness of precomputed tables; organizations should therefore implement strong hashing algorithms (e.g., bcrypt, scrypt) in their password processes. Administrators should also regularly update and rotate passwords to reduce the likelihood of rainbow table dictionary matches/hits.In short, passwords aren't perfect, but complex and sufficiently long passphrases remain a vital first line of defense against advanced password-cracking techniques. Tools like Specops Policy provide an extra layer of protection by continuously scanning Active Directory against a database of over 4 billion breached passwords. Contact us for a free demo today.Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE