Your IT Consultant

Information Technology Blog
by John W. Simek, Vice President of Sensei Enterprises, Inc.

Five Techniques Cybercriminals Use to Crack Passwords

May 11, 2023

Despite efforts to get us to a passwordless world (we’re not there yet), passwords will be a requirement for many systems for several years. To help provide more secure environments, users need to understand how cybercriminals try to access the victim’s accounts. In other words, know thy enemy. To help you understand how passwords are attacked, Bleeping Computer has a post discussing five techniques used to crack passwords. Those techniques include:

  1. Brute Forcing
  2. Dictionary Attack
  3. Credential Stuffing
  4. Weak (Insecure) Password Hashes
  5. Password Cracking Tools
    1. John the Ripper
    2. Hashcat
    3. Ophcrack

Be sure to look at the chart in the Brute Forcing section. The message is clear: length and complexity make a password more secure. Users can do several things to improve their password hygiene. It’s a good idea to review what you can do and follow the recommendations from NIST. We can’t control how a service stores our credentials, but there is plenty we can control.

  • Ditch the regular password change requirements. Only change passwords if requested explicitly by a user or if a password has been breached.
  • Decrease the arbitrary need for password complexity and focus on overall password length, such as a minimum of 12 characters.
  • All new passwords must be compared against commonly used or previously compromised passwords.
  • Do not reuse passwords across different services to avoid attacks such as credential stuffing.
  • Stronger password hashing (PBKDF2 rather than MD5, for example) means that even shorter passwords take far longer to crack.

Email:   Phone: 703.359.0700
Digital Forensics/Cybersecurity/Information Technology
https://www.linkedin.com/in/johnsimek
https://amazon.com/author/johnsimek
https://senseient.com