However, these can only be dubiously accurate. The only way to really test the security of your passwords is to try to break them.
So today, we’re going to do just that. I’m going to show you how to use a tool that real hackers use to crack passwords, and show you how to use it to check yours. And, if it fails the test, I’ll show you how to pick safer passwords that will hold up.
Setting Up Hashcat
The tool we’re going to be using is called Hashcat. Officially, it’s intended for password recovery, but in practice this is a little like saying BitTorrent is intended to download uncopyrighted files. In practice, it’s often used by hackers trying to break passwords stolen from insecure servers. As a side effect, this makes it a very powerful way to test password security.
Note: this tutorial is for Windows. Those of you on Linux can check out the video below for an idea of where to get started.
You can get Hashcat from the hashcat.net web page. Download and unzip it to your downloads folder. Next up, we’re going to need get some ancillary data for the tool. We’re going to acquire a word-list, which is basically a huge database of passwords that the tool can use as a starting point, specifically the rockyou.txt data set. Download it, and stick it in the Hashcat folder. Make sure it’s named ‘rockyou.txt’
That’s it! You’re done.
A People’s History of the Hacker Wars
Before we actually use this application, let’s talk a little bit about how passwords actually get broken, and how we got to this point.
Way back in the misty history of computer science, it was standard practice for websites to store user passwords in plain text. This seems like it makes sense. You need to verify that the user sent in the correct password. An obvious way to do that is to keep a copy of the passwords on hand in a little file somewhere, and check the user’s submitted password against the list. Easy.
This was a huge disaster. Hackers would gain access to the server via some devious tactic (like asking politely), steal the password list, log in, and steal everyone’s money. As security researchers picked themselves up from the smoking wreckage of that disaster, it was clear that we needed to do something different. The solution was hashing.
For those not familiar, a hash function is a piece of code that takes a piece of information and scrambles it up mathematically into a fixed-length piece of gibberish. This is called ‘hashing’ the data. What’s cool about them is that they only go in one direction. It’s very easy to take a piece of information and figure out its unique hash. It’s very hard to take a hash and find a piece of information that generates it. In fact, if you use a random password, you have to try every possible combination in order to do it, which is more or less impossible.
Those of you following along at home might notice that hashes have some really useful properties for password applications. Now, instead of storing the password, you can store the hashes of the passwords. When you want to verify a password, you hash it, delete the original, and check it against the list of hashes. Hash functions all deliver the same results, so you can still verify they submitted the correct passwords. Crucially, the actual plaintext passwords are never stored on the server. So, when hackers breach the server, they can’t steal any passwords – only useless hashes. This works reasonably well.
The hackers response to this was to spend a lot of time and energy coming up with really clever ways to reverse hashes.
How Hashcat Works
We can use several strategies for this. One of the most robust is the one that Hashcat uses, which is to notice that users aren’t very imaginative and tend to pick the same sorts of passwords.
For example, most passwords consist of one or two English words, a couple of numbers, and maybe some “leet-speak” letter replacements or random capitalization. Of the words picked, some are more likely than others: ‘password,’ the name of the service, your username, and ‘hello’ are all popular. Ditto popular pet names, and the current year.
Knowing this, you can start generating very plausible guesses about what different users might have picked, which should (eventually) allow you to guess correctly, break the hash, and get access to their login credentials. This sounds like a hopeless strategy, but remember that computers are ridiculously fast. A modern computer can try millions of guesses per second.
This is what we’ll be doing today. We’ll be pretending that your passwords are in a hash list in the hands of a malicious hacker, and running the same hash-cracking tool that hackers use on them. Think of it as a fire drill for your online security. Let’s see how it goes!
How to Use Hashcat
First, we need to generate the hashes. Open WinMD5, and your ‘password.txt’ file (in notepad). Enter one of your passwords (just one). Save the file. Open it using WinMD5. You’ll see a little box containing the hash of the file. Copy that into your ‘hashes.txt’ file, and save it. Repeat this, adding each file to a new line in the ‘hashes.txt’ file, until you’ve got a hash for every password you routinely use. Then, just for fun, put in the hash for the word ‘password’ as the last line.
It’s worth noting here that MD5 is not a very good format for storing password hashes – it’s quite fast to compute, making brute forcing more viable. Since we’re doing destructive testing, this is actually a plus for us. In a real password leak our passwords would be hashed with Scrypt or some other secure hash function, which are slower to test. By using MD5, we can essentially simulate throwing a lot more processing power and time at the problem than we actually have available.
Next, make sure the ‘hashes.txt’ file has been saved, and bring up Windows PowerShell. Navigate to the Hashcat folder (cd .. goes up a level, ls lists the current files, and cd [filename] enters a folder in the current directory). Now type ./hashcat-cli32.exe –hash-type=0 –attack-mode=8 hashes.txt rockyou.txt.
That command basically says “Run the Hashcat application. Set it to work on MD5 hashes, and use a “prince mode” attack (which uses a variety of different strategies to create variations on the words in the list). Try to break entries in the ‘hashes.txt’ file, and use the ‘rockyou.txt’ file as a dictionary.
Hit enter, and accept the EULA (which basically says “I pinky swear I won’t hack anything with this”), and then let it run. The hash for password should pop up in a second or two. After that, it’s just a question of waiting. Weak passwords will turn up within minutes on a fast, modern CPU. Normal passwords will pop up in a couple of hours to a day or two. Strong passwords can take a very long time. One of my older passwords was broken in under ten minutes.
You can leave this running for as long as you feel like. I suggest at least overnight, or on your PC while you’re at work. If you make it 24 hours, your password is probably strong enough for most applications – though this is not a guarantee. Hackers may be willing to run these attacks for a long time, or have access to a better wordlist. If in doubt about your password security, get a better one.
My Password Was Broken: Now What?
More than likely, some of your passwords didn’t hold up. So how can you generate strong passwords to replace them? As it turns out, a really strong technique (popularized by xkcd) is pass-phrases. Open a the nearest book, flip to a random page, and put your finger down on a page. Take the nearest noun, verb, adjective, or adverb, and remember it. When you have four or five, mush them together with no spaces, numbers, or capitalizations. DO NOT use “correcthorsebatterystaple”. It’s unfortunately become popular as a password, and is included in many wordlists.
One example password that I just generated from a science fiction anthology that was sitting on my coffee table is “leanedsomeartisansharmingdarling” (don’t use this one, either). This is a lot easier to remember than an arbitrary string of letters and numbers, and is probably more secure. Native English speakers have a working vocabulary of about 20,000 words. As a result, for a sequence of five randomly chosen common words, there are 20,000^5, or about three sextillion possible combinations. This is well beyond the grasp of any current brute force attack.
In contrast, a randomly chosen eight-character password would be synthesized in terms of characters, with about 80 possibilities including upper case, lower case, numbers, characters, and spaces. 80^8 is only a quadrillion. That still sounds big, but breaking it is actually within the realm of possibility. Given ten high-end desktop computers (each of which can do about ten million hashes per second), that could be brute-forced in a few months – and the security totally falls apart if it’s not actually random. It’s also much harder to remember.
Another option is to use a password manager, which can generate secure passwords for you on the fly, all of which can be ‘unlocked’ using a single master password. You still have to pick a really good master password (and if you forget it, you’re in trouble) – but if your password hashes are leaked in a website breach, you have a strong extra layer of security.
Good password security isn’t very hard, but it does require you to be aware of the issue, and take steps to stay secure. This kind of destructive testing can be a good wakeup call. It’s one thing to know, intellectually, that your passwords might be insecure. It’s another to actually see it pop out of Hashcat after a few minutes.