
Password Cracking 101

LESSON ACTIVITY

2.3 Mitigation

If you want to prevent an attacker from using passwords they have stolen against you, there are a
few steps an organization or user can take. The first step you or your organization can take is to
implement multi-factor authentication (MFA). The simplest way to think about MFA is using
something you know, something you own, or something you are to perform authentication. The
"something you own" can be an authenticator service on your smartphone or a physical device such
as a YubiKey. The "something you know" would be your password. Adding the layer of "something
you own" strengthens your defenses by increasing the difficulty of leveraging a compromised
password. If required in your organization, biometrics can be used to add a layer known as
"something you are."

The next step you or your organization should take to prevent a stolen password from being used
against you is to increase your password complexity and length requirements. Increasing a
password's complexity and length will make it more difficult for an attacker to brute force or find
it in a word list. For example, a password such as "passwordPASSWORD" would be found easily in a
word list and would take only 3 minutes to brute force. A password such as "1qaz!QAZ" may seem
complex enough because it contains a special character, a number, and upper and lowercase letters.
However, due to its short length, it would take only 2 hours to brute force. A password such as
"CASHEWf1veC4B3Rh@mmer" would not appear in any word list because it is a combination of random
words that have had letters replaced with special characters and numbers. Additionally, the length
of the password increases the time required to brute force it. The combination of complexity and
length results in a password that would require 7332 centuries to brute force.

Lastly, do not store your passwords in cleartext. If you maintain a user database, all the passwords
in that database should be hashed and salted. When you implement salting, there are two common
mistakes that you must avoid. The first is using a hardcoded salt. If an attacker identifies the
value being used to salt the users' passwords, they can generate a single rainbow table to crack
every password in the database. The second is using a short salt. If the salt is short enough, an
attacker can create a rainbow table consisting of every possible salt appended to every likely
password. However, if a long salt is used in a database, the rainbow table for that database would
be prohibitively large.

Implementing MFA, increasing your password complexity and length, salting your passwords, and
testing your password hashes with what you learned in this lesson can help you strengthen your
security posture. Use your new skills and knowledge, you awesome person, and HACK THE PLANET!
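The salting rules in the lesson (no hardcoded salt, no short salt) are easiest to see side by side. The following is an added example written for this page, not code from the lesson. It assumes PBKDF2-HMAC-SHA256 from Python's standard library with a 16-byte per-user random salt; the lesson names neither the hash algorithm nor the salt size, so both are choices made here. The "user database" is a constructed in-memory dictionary.

```python
import hashlib
import hmac
import secrets

# Assumptions for this example (not from the lesson): PBKDF2-HMAC-SHA256,
# a 16-byte random salt per user, and an iteration count kept low so the
# demo runs quickly. Production systems should use a current recommendation
# (OWASP's 2023 guidance lists 600,000 iterations for PBKDF2-HMAC-SHA256).
ITERATIONS = 100_000
SALT_BYTES = 16

# The first mistake from the lesson: one fixed salt shared by every user.
# A single rainbow table built for this value covers the whole database.
HARDCODED_SALT = b"static-salt"


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive a fixed-length hash from a password and salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def store_user_bad(db: dict, username: str, password: str) -> None:
    """Store a user with the hardcoded salt (the weak pattern)."""
    db[username] = {"salt": HARDCODED_SALT,
                    "hash": hash_password(password, HARDCODED_SALT)}


def store_user_good(db: dict, username: str, password: str) -> None:
    """Store a user with a fresh, random, sufficiently long salt."""
    salt = secrets.token_bytes(SALT_BYTES)
    db[username] = {"salt": salt, "hash": hash_password(password, salt)}


def verify_password(db: dict, username: str, password: str) -> bool:
    """Check a login attempt against the stored salt and hash."""
    record = db.get(username)
    if record is None:
        # Do the same amount of work for an unknown user so response time
        # does not reveal which usernames exist.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    candidate = hash_password(password, record["salt"])
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(record["hash"], candidate)


def duplicate_hash_groups(db: dict) -> int:
    """Count distinct hash values that more than one user shares.

    With a hardcoded salt, users who chose the same password end up with
    identical hashes, so cracking one cracks all of them. With per-user
    random salts the count is always 0.
    """
    seen: dict = {}
    for record in db.values():
        seen[record["hash"]] = seen.get(record["hash"], 0) + 1
    return sum(1 for count in seen.values() if count > 1)


if __name__ == "__main__":
    # Constructed sample users; two of them picked the same weak password.
    users = [("alice", "passwordPASSWORD"),
             ("bob", "passwordPASSWORD"),
             ("carol", "CASHEWf1veC4B3Rh@mmer")]

    bad_db, good_db = {}, {}
    for name, pw in users:
        store_user_bad(bad_db, name, pw)
        store_user_good(good_db, name, pw)

    print("shared hashes with hardcoded salt:", duplicate_hash_groups(bad_db))
    print("shared hashes with random salts:  ", duplicate_hash_groups(good_db))
    print("alice login ok:", verify_password(good_db, "alice", "passwordPASSWORD"))
    print("alice wrong pw:", verify_password(good_db, "alice", "1qaz!QAZ"))
```

Run it and the hardcoded-salt database reports one shared hash (alice and bob), while the random-salt database reports none even though the same two users chose the same password. The 16-byte salt also rules out the second mistake: precomputing a table for every possible salt value would require 2^128 tables.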
