Pinterest Stumbleupon Whatsapp
Ads by Google

Is your password secure? We’ve all heard a lot of advice about what sorts of passwords you should never pick – and there are various tools that claim to assess the security of your password online Put Your Passwords Through The Crack Test With These Five Password Strength Tools Put Your Passwords Through The Crack Test With These Five Password Strength Tools All of us have read a fair share of ‘how do I crack a password’ questions. It’s safe to say that most of them are for nefarious purposes rather than an inquisitive one. Breaching passwords... Read More . However, these can only be dubiously accurate. The only way to really test the security of your passwords is to try to break them.

So today, we’re going to do just that. I’m going to show you how to use a tool that real hackers use to crack passwords, and show you how to use it to check yours. And, if it fails the test, I’ll show you how to pick safer passwords that will hold up.

Setting Up Hashcat

The tool we’re going to be using is called Hashcat. Officially, it’s intended for password recovery 6 Free Password Recovery Tools for Windows 6 Free Password Recovery Tools for Windows Read More , but in practice this is a little like saying BitTorrent Beat the Bloat! Try These Lightweight BitTorrent Clients Beat the Bloat! Try These Lightweight BitTorrent Clients Guns don’t share illegal files. People share illegal files. Or, wait, how does it go again? What I mean to say is, BitTorrent shouldn't be dissed based on its potential for piracy. Read More is intended to download uncopyrighted files. In practice, it’s often used by hackers trying to break passwords stolen from insecure servers Ashley Madison Leak No Big Deal? Think Again Ashley Madison Leak No Big Deal? Think Again Discreet online dating site Ashley Madison (targeted primarily at cheating spouses) has been hacked. However this is a far more serious issue than has been portrayed in the press, with considerable implications for user safety. Read More . As a side effect, this makes it a very powerful way to test password security.

Note: this tutorial is for Windows. Those of you on Linux can check out the video below for an idea of where to get started.

You can get Hashcat from the hashcat.net web page. Download and unzip it to your downloads folder. Next up, we’re going to need get some ancillary data for the tool. We’re going to acquire a word-list, which is basically a huge database of passwords that the tool can use as a starting point, specifically the rockyou.txt data set. Download it, and stick it in the Hashcat folder. Make sure it’s named ‘rockyou.txt’

Ads by Google

Now we’re going to need a way to generate the hashes. We’ll be using WinMD5, which is a lightweight freeware tool that hashes specific files. Download it, unzip it, and drop it into the Hashcat directory. We’re going to make two new text files: hashes.txt, and password.txt. Put both in the Hashcat directory.

That’s it! You’re done.

A People’s History of the Hacker Wars

Before we actually use this application, let’s talk a little bit about how passwords actually get broken, and how we got to this point.

Way back in the misty history of computer science, it was standard practice for websites to store user passwords in plain text. This seems like it makes sense. You need to verify that the user sent in the correct password. An obvious way to do that is to keep a copy of the passwords on hand in a little file somewhere, and check the user’s submitted password against the list. Easy.

This was a huge disaster. Hackers would gain access to the server via some devious tactic (like asking politely), steal the password list, log in, and steal everyone’s money. As security researchers picked themselves up from the smoking wreckage of that disaster, it was clear that we needed to do something different. The solution was hashing.

For those not familiar, a hash function What All This MD5 Hash Stuff Actually Means [Technology Explained] What All This MD5 Hash Stuff Actually Means [Technology Explained] Here's a full run-down of MD5, hashing and a small overview of computers and cryptography. Read More is a piece of code that takes a piece of information and scrambles it up mathematically into a fixed-length piece of gibberish. This is called ‘hashing’ the data. What’s cool about them is that they only go in one direction. It’s very easy to take a piece of information and figure out its unique hash. It’s very hard to take a hash and find a piece of information that generates it. In fact, if you use a random password, you have to try every possible combination in order to do it, which is more or less impossible.

Those of you following along at home might notice that hashes have some really useful properties for password applications. Now, instead of storing the password, you can store the hashes of the passwords. When you want to verify a password, you hash it, delete the original, and check it against the list of hashes. Hash functions all deliver the same results, so you can still verify they submitted the correct passwords. Crucially, the actual plaintext passwords are never stored on the server. So, when hackers breach the server, they can’t steal any passwords – only useless hashes. This works reasonably well.

The hackers response to this was to spend a lot of time and energy coming up with really clever ways to reverse hashes Ophcrack - A Password Hack Tool to Crack Almost Any Windows Password Ophcrack - A Password Hack Tool to Crack Almost Any Windows Password Read More .

How Hashcat Works

We can use several strategies for this. One of the most robust is the one that Hashcat uses, which is to notice that users aren’t very imaginative and tend to pick the same sorts of passwords.

For example, most passwords consist of one or two English words, a couple of numbers, and maybe some “leet-speak” letter replacements or random capitalization. Of the words picked, some are more likely than others: ‘password,’ the name of the service, your username, and ‘hello’ are all popular. Ditto popular pet names, and the current year.

Knowing this, you can start generating very plausible guesses about what different users might have picked, which should (eventually) allow you to guess correctly, break the hash, and get access to their login credentials. This sounds like a hopeless strategy, but remember that computers are ridiculously fast. A modern computer can try millions of guesses per second.

This is what we’ll be doing today. We’ll be pretending that your passwords are in a hash list in the hands of a malicious hacker, and running the same hash-cracking tool that hackers use on them. Think of it as a fire drill for your online security. Let’s see how it goes!

How to Use Hashcat

First, we need to generate the hashes. Open WinMD5, and your ‘password.txt’ file (in notepad). Enter one of your passwords (just one). Save the file. Open it using WinMD5. You’ll see a little box containing the hash of the file. Copy that into your ‘hashes.txt’ file, and save it. Repeat this, adding each file to a new line in the ‘hashes.txt’ file, until you’ve got a hash for every password you routinely use. Then, just for fun, put in the hash for the word ‘password’ as the last line.

hashes

It’s worth noting here that MD5 is not a very good format for storing password hashes – it’s quite fast to compute, making brute forcing more viable. Since we’re doing destructive testing, this is actually a plus for us. In a real password leak our passwords would be hashed with Scrypt or some other secure hash function, which are slower to test. By using MD5, we can essentially simulate throwing a lot more processing power and time at the problem than we actually have available.

WinMD5Running

Next, make sure the ‘hashes.txt’ file has been saved, and bring up Windows PowerShell. Navigate to the Hashcat folder (cd .. goes up a level, ls lists the current files, and cd [filename] enters a folder in the current directory). Now type ./hashcat-cli32.exe –hash-type=0 –attack-mode=8 hashes.txt rockyou.txt.

That command basically says “Run the Hashcat application. Set it to work on MD5 hashes, and use a “prince mode” attack (which uses a variety of different strategies to create variations on the words in the list). Try to break entries in the ‘hashes.txt’ file, and use the ‘rockyou.txt’ file as a dictionary.

Hit enter, and accept the EULA (which basically says “I pinky swear I won’t hack anything with this”), and then let it run. The hash for password should pop up in a second or two. After that, it’s just a question of waiting. Weak passwords will turn up within minutes on a fast, modern CPU. Normal passwords will pop up in a couple of hours to a day or two. Strong passwords can take a very long time. One of my older passwords was broken in under ten minutes.

hashcatrunning

You can leave this running for as long as you feel like. I suggest at least overnight, or on your PC while you’re at work. If you make it 24 hours, your password is probably strong enough for most applications – though this is not a guarantee. Hackers may be willing to run these attacks for a long time, or have access to a better wordlist. If in doubt about your password security, get a better one.

My Password Was Broken: Now What?

More than likely, some of your passwords didn’t hold up. So how can you generate strong passwords to replace them? As it turns out, a really strong technique (popularized by xkcd) is pass-phrases. Open a the nearest book, flip to a random page, and put your finger down on a page. Take the nearest noun, verb, adjective, or adverb, and remember it. When you have four or five, mush them together with no spaces, numbers, or capitalizations. DO NOT use “correcthorsebatterystaple”. It’s unfortunately become popular as a password, and is included in many wordlists.

One example password that I just generated from a science fiction anthology that was sitting on my coffee table is “leanedsomeartisansharmingdarling” (don’t use this one, either). This is a lot easier to remember than an arbitrary string of letters and numbers, and is probably more secure. Native English speakers have a working vocabulary of about 20,000 words. As a result, for a sequence of five randomly chosen common words, there are 20,000^5, or about three sextillion possible combinations. This is well beyond the grasp of any current brute force attack.

In contrast, a randomly chosen eight-character password would be synthesized in terms of characters, with about 80 possibilities including upper case, lower case, numbers, characters, and spaces. 80^8 is only a quadrillion. That still sounds big, but breaking it is actually within the realm of possibility. Given ten high-end desktop computers (each of which can do about ten million hashes per second), that could be brute-forced in a few months – and the security totally falls apart if it’s not actually random. It’s also much harder to remember. 

Another option is to use a password manager, which can generate secure passwords for you on the fly, all of which can be ‘unlocked’ using a single master password. You still have to pick a really good master password (and if you forget it, you’re in trouble) – but if your password hashes are leaked in a website breach, you have a strong extra layer of security.

Constant Vigilance

Good password security isn’t very hard, but it does require you to be aware of the issue, and take steps to stay secure. This kind of destructive testing can be a good wakeup call. It’s one thing to know, intellectually, that your passwords might be insecure. It’s another to actually see it pop out of Hashcat after a few minutes.

How did your passwords hold up? Let us know in the comments!

  1. KLM Graphics
    October 4, 2015 at 4:53 pm

    Great post, thanks for sharing. Can you pass along to the website owner to please do away with the crap Flash ads and animation! It keep crashing my browser and is making it impossible to read the articles.

    FLASH IS DEAD, LET IT REST IN PEACE PLEASE!

  2. Rob Nightingale
    October 3, 2015 at 6:12 am

    After reading this, I'm so glad I spent a while a few months ago updating all my password :)

  3. Egor Tim
    October 2, 2015 at 8:24 am

    Yeah test my password and add them to database:J

  4. Tommy Hale
    September 29, 2015 at 3:18 pm

    I'm using Win10 and whenever I type the command in I get the following response:
    ./hashcat-cli32.exe : The term './hashcat-cli32.exe' is not recognized as the name of a cmdlet, function, script file,
    or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and
    try again.
    At line:1 char:1
    + ./hashcat-cli32.exe –hash-type=0 -attackmode=8 hashes.txt rockyou.txt
    + ~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (./hashcat-cli32.exe:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

    I tried to locate the cli32.exe on my PC but it was not to be found anywhere.

  5. arrbeejay
    September 26, 2015 at 1:06 pm

    It looks like it needs two dashes before the hash-type, like so:

    ./hashcat-cli64.exe --hash-type=0 -attackmode=8 hashes.txt rockyou.txt

  6. arrbeejay
    September 25, 2015 at 9:14 pm

    Like John, I seem to be getting an error. Please help!

    PS C:\Users\Bob\downloads\hashcat-0.50\hashcat-0.50> ./hashcat-cli64.exe –hash-type=0 –attack-mode=8 hashes.txt rockyou.
    txt
    Initializing hashcat v0.50 with 4 threads and 32mb segment-size...

    ûhash-type=0: No such file or directory
    PS C:\Users\Bob\downloads\hashcat-0.50\hashcat-0.50>

  7. John Rademakers
    September 25, 2015 at 11:02 am

    I followed the instructions but get an error. Does anyone know what I'm doing wrong?

    PS D:\PasswordChecker\HashCat> ./cudaHashcat64.exe -hash-type=0 -attack-mode=8 hashes.txt rockyou.txt
    cudaHashcat v1.37 starting...

    WARNING: Hash 'ûhash-type=0': Line-length exception

    ERROR: No hashes loaded

  8. Wojtek Swiatek
    September 25, 2015 at 9:15 am

    Finally an article about passwords which makes sense. Thank you.

    One comment though: the 20.000 words assumption is too optimistic. The average vocabulary is about 7000 words, which brings the number of 5-words combinations to about 10^19. This is still very good (the 80^8 you mentioned is ~10^15)

  9. Apple Goldworthy
    September 25, 2015 at 7:21 am

    The hashcat.net link returns a 404 error and accessing the webpage from the address bar takes only shows me a download version for Win 7.

    • Vincent Bevort
      September 25, 2015 at 8:03 am

      The Hashcat.net link is written as a relative link which include the makeuseof link. Try typing hasjcat.net in your browsers address field

      • Apple Goldworthy
        September 25, 2015 at 8:25 am

        That produces error 'server not found' in Firefox and Chrome.

  10. Youness Fkhach
    September 24, 2015 at 12:45 am

    i had this error when i past the command in powershell "ûhash-type=0: No such file or directory"

    • Youness Fkhach
      September 24, 2015 at 12:54 am

      i fixed it, the problem was that when i copied the command has two --, but some how the one that's on the post has only one '-'

  11. hildyblog
    September 23, 2015 at 9:41 pm

    Not that I'm paranoid, but I can't help thinking that downloading this file will put you on one or many US government lists, starting with the FBI's, and even visiting the site might get you on the NSA's.

    • hildyblog
      September 23, 2015 at 9:42 pm

      Of course my comment may have already flagged me as a potential black hat subversive.

    • Larry
      September 25, 2015 at 2:40 am

      I agree..

Leave a Reply

Your email address will not be published. Required fields are marked *