Want To Find Out How Password Cracking Works?

In this context I’m not actually suggesting you download and run it.  Instead, increase your understanding of the program, and others in the same genre, by reading an excellent article.  Let me explain.

Have you ever wondered how password cracking works? And why it causes so much of a furore when a web site is discovered to have had its password file hacked into and stolen? If so, then here’s how it works.

When you choose a password to use on a web site, the site needs to store that password in a database so that it can recognise you when you subsequently log in.  Although some sites do simply store the password itself, this is clearly a security risk.  Therefore, sites tend to store a hash instead.  A hash is the result of putting the password through a special mathematical formula which only works in one direction.  For example, put “Tech’O’nator” through the MD5 hash formula and it comes out as 30e50b429246a05a10b366ee3d4b874f.

The clever bit is that hashing only works in one direction.  There’s no way to start with that hash and work out what password it corresponds to.  So when you log into the web site, and type “Tech’O’nator” as your password, the site hashes it again, and checks whether the hashed version of what you just typed matches the hash in the database.  If so, you are safe to enter.

So how does password cracking work?  And why do experts advise you to never choose a password that appears in a dictionary?

Well, imagine that I hack into a website and steal its database of usernames and hashed passwords. And then imagine that I search that database of hashes for 30e50b429246a05a10b366ee3d4b874f, which I already know to be the MD5 hash of Tech’O’nator. If I find a match, then I know that this particular user has chosen Tech’O’nator as their password.
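The lookup described above, seen from the site's side, as an added example that is not from the original post or the linked article: unsalted MD5 storage beside a salted, deliberately slow PBKDF2 record. The wordlist, user names, passwords and the 600,000 iteration count are constructed for this illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny wordlist and a fake user table.
WORDLIST = ["password", "letmein", "dragon", "qwerty"]
USERS = {"alice": "letmein", "bob": "letmein", "carol": "vQ7#correct-horse-92-staple"}

def md5_hex(password):
    """Unsalted MD5, the storage scheme described in the text above."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def dictionary_lookup(stolen_hashes, wordlist):
    """Hash each dictionary word once, then match every stolen hash against it."""
    table = {md5_hex(word): word for word in wordlist}
    return {user: table[h] for user, h in stolen_hashes.items() if h in table}

def store_salted(password, iterations=600_000):
    """Hardened form: per-user random salt plus a deliberately slow hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest

def verify_salted(password, record):
    """Re-derive with the stored salt and compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)

def demo():
    """Build both kinds of database from the same constructed users."""
    weak_db = {user: md5_hex(pw) for user, pw in USERS.items()}
    recovered = dictionary_lookup(weak_db, WORDLIST)
    strong_db = {user: store_salted(pw) for user, pw in USERS.items()}
    return weak_db, recovered, strong_db

if __name__ == "__main__":
    weak_db, recovered, strong_db = demo()
    print("same password, same MD5:", weak_db["alice"] == weak_db["bob"])
    print("recovered by lookup:", recovered)
    print("same password, same salted record:", strong_db["alice"][2] == strong_db["bob"][2])
    print("login still works:", verify_salted("letmein", strong_db["alice"]))
```

With unsalted MD5, one precomputed table answers for every user at once and identical passwords are visible as identical hashes; with a per-user salt the same password produces unrelated records, so each guess has to be recomputed per user at the slow hash's cost.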

And so to the article that explains it all in more detail, and is a diary of one person’s attempt to try cracking some passwords.  You’ll find it at http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/1/.  Once you’ve read it, you’ll realise why choosing a strong, long, non-dictionary password makes sense.  Especially on important web sites such as online banks and PayPal.  If you don’t, you’ll now understand the risks much more clearly.


Basic FAQs

1. What is an MD5 hash?

An MD5 hash is created by taking a string of any length and encoding it into a 128-bit fingerprint. Encoding the same string using the MD5 algorithm will always result in the same 128-bit hash output. MD5 hashes are commonly used with smaller strings when storing passwords, credit card numbers or other sensitive data in databases such as the popular MySQL. This tool provides a quick and easy way to encode an MD5 hash from a simple string of up to 256 characters in length.

MD5 hashes are also used to ensure the data integrity of files. Because the MD5 hash algorithm always produces the same output for the same given input, users can compare a hash of the source file with a newly created hash of the destination file to check that it is intact and unmodified.

An MD5 hash is NOT encryption. It is simply a fingerprint of the given input. However, it is a one-way transaction and as such it is almost impossible to reverse engineer an MD5 hash to retrieve the original string.

