JDPFu.com 2025

Password Cracking Explained

When a professional wants to crack a password, she doesn’t attack it like a normal user typing on a keyboard.

• She uses brains to be as efficient as possible.
• She uses automated software tools to be as efficient as possible.
• She uses the most efficient hardware available for password cracking – usually she has multiple $150 ATI graphics cards performing billions of password attempts every second against an off-line password database. The current cracking systems can try over 30 billion passwords every second.

I saw a professional password cracker speak at a computer security conference. Here’s how a professional cracks passwords:

1. Gets a copy of the encrypted password database – doing this is easier than most people know regardless of platform. Getting the MS-Active Directory User DB seems pretty trivial based on what he said whether he used social engineering or system insecurity methods or a combination.
2. Sets up his $1500 cracking PC password cracking tools – these are freely available.
3. His tools know to try to capitalize all words and try those automatically.
4. His tools know to swap in l33t sp3ak automatically and try those automatically.
5. His tools use rainbow tables when it makes sense. This is less and less useful.
6. Builds a dictionary using the common languages spoken in that location + adding all the company and industry specific jargon. He also takes every password that he’s previously cracked in 5 years of cracking passwords and adds them to his dictionary. Every password database that gets published, he grabs a copy and starts cracking. This becomes a pre-built dictionary that he may have spent a month 24/7 running brute force attacks against.
7. The first attack is a dictionary attack from the built specialized dictionary, swapping in capital and l33t characters where needed. The English language has about 250,000 distinctive words. His cracking machine can try 30 billion passwords every second, so the entire dictionary attack takes 30 minutes to setup and runs in just a few seconds. For a non-trivial password database, this usually discovers 20% of the passwords for a company when they don’t enforce stronger password length and complexity requirements.
8. The 2nd attack is a brute force attack against all passwords from 1 to 7 characters. This attack takes less than 30 minutes and finds between 10 and 20 % more of the passwords. 7 character passwords are not long enough regardless of the alphabet used. In the first hour, he’s cracked 30-40% of the passwords.
9. The 3rd attack adds 1 or 2 numbers to the beginning and ending of each dictionary word. This covers anyone who uses months or years to the beginning or ending of their base password. He also adds punctuation characters to the end. Remember, she/he is being as smart as possible. Running this attack takes longer since the complexity has gone up, but not as long as you’d think. Remember, this is still based on the smart dictionary. It takes the rest of the day and uncovers 20% more of the passwords.

At this point, our cracker friend has uncovered 50-60% of all the passwords in the database. To get more of them, only the most difficult type of attack remains. Brute force. For brute force attacks, size matters to protect your password, assuming we have already used the the largest alphabet possible.

With this knowledge, how do we craft the best password that still meets our end-user needs?

Required – Not in a Dictionary or Generated Dictionary

Now that we know how a password cracker works, we know to avoid using:

• no dictionary words,
• no industry or company jargon,
• no word capitalization,
• beginning with numbers,
• ending with numbers or
• punctuation at the end.

• Fantastically11. would be cracked in the first few hours. Do you see the problem? Even though it is 16 characters and uses upper, lowercase, numbers and special characters, it is part of the normal techniques used by crackers.

Required – A Large Alphabet

• We know that using just numbers in our passwords isn’t enough. Just 0-9 characters.
• We know that using just lowercase letters in our passwords isn’t enough. Just a-z characters.
• We know that adding uppercase in the middle of a password adds 26x difficulty for every character. Just A-Z characters.
• We know that adding special characters – push shift + a number to get those. `~!@#$%^&*()-_=+[]{}\|;‘:",.<>/? are those characters. I hope these don’t mess with my blogging software. Regardless, you get the idea. It is 34 more characters – more than the normal alphabet. Don’t forget to use spaces. When I use a space, I never use just 1 and I try to avoid using them between things that look like words. We want to avoid something that looks like a pattern, right?

Doing this makes our alphabet is at least 96 characters. That’s pretty good. If you can use unicode or accented characters, not all passwords will accept these, then you can vastly extend your alphabet. For now, those characters are used only when in dictionary words. Sadly, most password systems I’ve seen prevent non-7-bit ASCII characters.

Good to Have – Random or Patterns that aren’t easily recognized

Patterns are dangerous for passwords. This is why we all know to use different password for every login. If a pattern can be recognized, it can be used for guessing your password. Having access to your other passwords from other systems means a pattern may be uncovered. Avoid using the same pattern across different logins.

Required – Length

Longer passwords are better. This is the grand daddy for any password security, provided a pattern isn’t discovered through some other means like looking over your shoulder or having cracked some other password used elsewhere.

Every extra character added to the length makes the cracking exponentially more difficult.

Suggestion: Use 20 characters or more from

• uppercase
• lowercase
• numbers
• special characters

After you use these characters and use any other non-trivial, non-pattern, non-dictionary way to buffer the remaining characters, then you are set.

Suggestions for Making Memorable Passwords

• Misspell words, if you must use words at all
• Capitalize in strange places, never the first or last characters
• Begin and end with a lowercase letter, not numbers or punctuation. Numbers and special characters need to be in the middle of the password, never at the ends.
• Put 3 unrelated, misspelled, (7) character words together for length with special characters and numbers separating them.
• Don’t use any names, first, middle, last, nicknames, userids, pets, wives, husbands, etc.
• Don’t use any locations, events, celebrity, websites, charities, company names, or commonly used abbreviations. If it is in pop-culture, it is in the special dictionary.
• Don’t use dates alone. 06011955 is a terrible password. If you are specifically targeted, every important date will be part of the dictionary. Anniversaries, birth dates, graduations, deaths, job start dates, retirement dates … etc.

Actually, don’t use words or patterns in your passwords.

Some Good Long Examples

I’m paranoid, so all my passwords are as long as possible for the system. Sometimes this is 8 characters and sometimes this is 100 characters. Today, let’s just use 20 characters as our goal. Provided we have a password that isn’t in the dictionary.

• “h$3e- ioioioioioiou”
  • easy to type,
  • large alphabet,
  • not in a dictionary
  • uses multiple spaces (how many are there?)
  • doesn’t start or end in numbers, uppercase, or punctuation
• “fDD3!#!#!#!#!@zz”
  • easy to type,
  • large alphabet,
  • not in a dictionary
  • doesn’t start or end in numbers, uppercase, or punctuation
• “f!#!#!#!#!@zzDD3”
• “asdf$43asdasdasd0asd” – a pattern, but broken in unexpected ways.
• mFaNtaStincally11.z – based on our initially bad password, but
  • added letters to the beginning and end
  • misspelled the word
  • mixed case in an odd way

Is that clear? Basically, there are 4 characters to remember, then a pattern.
Also, don’t use any of these because they are now known to the password cracking folks and have been added to their cracking dictionaries.

Final Results

Doing all this is getting complex as far as I’m concerned. I will

• continue using my password manager which uses a system generated, complex passwords of fairly long lengths.
• start using the above techniques for those very few passwords that I need to remember like my main desktop(s) and to access my KeePassX database and for the WPA2 keys to the WiFi router at home (assuming I ever need to change that password).

Assumptions

As most of you will know, security is never as simple as a strong password. If a prepared cracker has physical access to your PC for 10 seconds, that PC can be compromised unless you do many more things. The time to connect a USB/Flash memory and run a script is all that is needed.

We also know that remote attacks for using passwords usually aren’t useful because after the system sees more than 3 or 10 failed attempts, the IP should be blocked for an hour or a day or forever. Not all systems do this, however.

On TV and in the movies, passwords are shown being solved 1 character at a time. Clearly this isn’t the way it happens in the real world. All that a password cracker knows is either the password worked or it didn’t. They probably know the password complexity rules and length limitations for the system, so they don’t bother with trying any that do not meet those criteria. Still, they only know that the password worked or did not work.

Brute force methods are started by computers and use systematic trial and error methods. Computers like to go from a to b to c to d …. z and then A to B to C … to Z. Sometimes computers count backwards, so Z, Y, X, …. A are used instead. If I wanted the most difficult password that would take the longest amount of time to brute force, I wouldn’t start my password with A, B, C, D or a, b, c, d or Z, Y, X, or z, y, x characters. I’d pick something from the middle of the alphabet and perhaps slightly towards the higher letters. That would ensure at least the 50% theoretical amount of time to brute force my password would be necessary. When we are using 20 characters, even the 50% theoretical cracking time is thousands of billions of years, so if you don’t do this, don’t worry too much. ;)

Effective security needs to be layered with defenses at many levels. Physical security first, network security next, followed by disk encryption, good passwords and not doing risky activities on the internet.

I find that just using a password manager and having it randomly generate the passwords using as complex and long an alphabet as the login will allow is easier. For example, an old password was:
C+b>%kY `$FOe6%o:~k6L{8v{@LAu;o742O;e!~#7jfUTSW}(ghS8+
Doubt that would ever be cracked by any brute force method. A flaw in the math or implementation would be needed. Plus I never typed it – not once, so how ugly it is doesn’t matter at all.