INTRODUCTION

Passwords, as a form of authentication can be said to be as old as time. In ancient times, watchmen would test those wishing to enter an area or approaching it to supply a watchword of which if correct entrance is given. In modern times however, a combination of username and password is a common means of authentication during log in processes.

User authentication, as defined by RFC 2828 is “the method of confirming an identity claimed by or for a system entity” [ 1 ].

Basically, the verification process is divided into four main categories: something known by user (knowledge factor) (e.g. password, PIN, answers to given questions), something the user owns (Ownership factor) (tokens, e.g. smart cards, electronic keycards, physical key), something that the individual is (Identity elements) (static biometrics, such as fingerprints, retina, face), and something the individual does (dynamic biometrics such as voice patterns, mouse movement pattern, handwriting, typing rhythm) [ 1 ] [ 2 ] [ 3 ]. Something the individual is and something the individual does can be categorized under inherent factors. The most common of the different authentication methods used now is the password authentication (something the individual knows) and has been commonly used as the line of defense against intruders [ 4 ] [ 2 ].

Password-based authentication works by comparing the credentials provided by a user with stored secrets. Because unauthorized users may have access to stored passwords, there is a need that passwords be encrypted during storage using cryptographic hash functions.

Password cracking can be defined as the recovery of plain password texts from a stored location which is usually encrypted. Password cracking is the process of obtaining the plaintext passwords from the stored encrypted secret, or at least an equivalent one [ 5 ]. Generally, password cracking in the hacking world ranges from decrypting password hashes stolen from a database to even hacking wireless networks.

This paper is organized as follows: section 2 will focus on the forms of password authentication while Section 3 will survey some password cracking techniques, Section 4 reviews the top password cracking tools and Section 5 shows the conclusion, followed by an appendix of abbreviations and available software.

II.

FORMS OF PASSWORD AUTHENTICATION

There are various types of password-based authentication and each of them has their strengths and weaknesses when viewed in the area of memorability, usability and security. Despite the somewhat recurring idea in Computer Security that “the password is dead” and is therefore not recommended, it is still in use and will continue to be, at least for now. Some of these forms are discussed below:

This is a type of password that entails the use of alphabetic characters only and could be either a dictionary word or not. An alphabetic password is very easy to remember by the users, which makes it relatively easy to be cracked either by a combination of social engineering and guessing or dictionary attack. A list of the most commonly used password types published by Google in 2013 [ 6 ], shows that this passwords were easy to guess and crack:  Names within the house such as pet name, a close family members name or friend‟s name.  Name of Birthplace or favorite holiday place.  Names or things that is associated to their favorite sports club.

 The term “password" is also common.

This is a combination of alphabets and numbers in forming a password, it is the most common approach for authentication.

Although more secured than alphabetic passwords, alphanumeric passwords have its security and usability problems, one of which is the easy-to-guess substitutions such as 'A' for '4', 'S' for '5', 'E' for '3' and 'I' for „1', substitutions which attackers are conversant with. Another drawback of the alphanumeric password is the difficulty of recalling the alphanumeric password by the user at the point of log in, especially if it is not frequently used or written down.

Greg Blonder (1996) described graphical passwords [ 7 ] as involving the display of a predetermined graphical image and necessitating the user to select particular areas of the image in a particular order. The graphical password is a nontext based password, an alternative means of authentication intended for use in lieu of the conventional text-based passwords. Contrary to the memorability issues of alphanumeric passwords, graphical passwords are more memorable [ 8 ], and the relative ease or ability of humans to recognize faces and points within pictures has given it better usability when compared with other forms of password authentication, leading to imitations by machines with varying degree of success [ 9 ]. Graphical passwords, unlike the conventional alphanumeric password can be said to be even more secured as users do not have to write it down, making it less susceptible to social engineering attack.

In a 2010 study [ 8 ], Agarwal et al. compared alphanumeric passwords and graphical passwords in terms of memorability. They explained that in remembering passwords, password was inputted three times by each user in each trial, each user is only allowed to input correct password once; table 1 below shows the number of incorrect password submission.

In the analysis of memorability, MatLab was used and it can be seen that for the memorability factor (R1/R2/R3) and mode (alphanumeric/graphical), it was discovered that graphical password was always favored from the incorrect submission calculation. In a second experiment that compared the time for correct submission, a factor that can influence productivity, table 2 below shows that it took graphical password lesser time to summit correct when compared with alphanumeric password.

From table 1 and 2 above, it can be concluded that graphical password is more memorable when compared with alphanumeric password, which means it is generally more usable. However balancing usability and security seems to be almost impossible as researches on security and usability mostly support the notion that a system cannot be both usable and secured, but can only be one of them at a time [ 10 ].

Better memorability is the major advantage of graphical password over alphanumeric password, But, a major disadvantage is the fact that they are highly susceptible to shoulder-surfing [ 11 ].

A pivotal question that seems to be unanswered is: Is it possible to have a secured and usable authentication system? To be precise, does a secured, memorable and usable authentication technique for information security exist? Most probably the answer would be “maybe”.

As it concerns the security, memorability and usability of password authentications, a few pointers are as follows:  Avoid using any word as password from any dictionary.  All good Passwords should contain special character, letters, and number and should not be less than eight characters long.  Apply the pass-phrase approach in password generation i.e. for a phrase like “My much secured password is longer than 8 characters” the generated password would be “Mmspilt8c”. This approach reduces the burden of memorability [ 12 ].

III.

PASSWORD CRACKING TECHNIQUES

Password cracking tools can be majorly categorized into offline and online cracking categories.

Attacks such as dictionary and brute-force attack performed against on a live system login form or session is called online attack

The prevalence of online attacks may not be as much as offline attacks due to the fact that they are mostly impossible to pull off as there are numerous protection schemes in use that can make this kind of attack difficult and dangerous to realize but it is still possible to pull off if some of these mechanisms such as maximum unsuccessful authentication attempts and Captcha images can be evaded [ 13 ].

Offline attacks are carried after a password databases has been copied, or sniffed from an encrypted connection, offline do not alert the victim. This type of attack is popular as it is often easier to pull through as there are usually numerous possible vulnerabilities that can allow its exploit.

Dictionary Attack: Dictionary attack is a technique for exploiting a hashed authentication mechanism by trying to determine its decryption key by repeatedly trying thousands or millions of likely possibilities, such as words in a dictionary. In dictionary attack, wordlist comprising of possible and likely passwords is used by the cracker in attempting to gain access to a system [ 14 ] although wordlist that have proven to be the most successful in time past are composed of various public sources or databases filtered previously captured from real password [ 13 ]. There are several wordlists that are available, for Kali Linux users, there is a wordlist in the directory “usr/share/wordlists”, with “rockyou.txt.gz” being the popular of all, and it can be unzipped and padded with more custom passwords or known weak passwords. While some are available for free, some are not, as they seem to contain even more language combinations than the free ones. Brute-Force Attack: This type of attack, also known as exhaustive search involves the attacker trying every possible combination with the hope of eventually guessing correctly, it can be fast when used to check short passwords. Theoretically, a brute-force attack is a cryptanalytic attack that tries to decrypt all encoded data [ 15 ] (with the exception of the data encrypted in a secured-information theory).

The method involves computing the hash of the given password one by one, and then comparing the result of each hash with the target hash stored on the database. The drawback to this method is that the longer the password the longer the time to find the right password thereby consuming lots of system resources. Also, the computed hash cannot be reused to crack another password [ 16 ].

Hybrid Attack: This is a combination of both dictionary attack and brute-force attack, whereby the dictionary includes the wordlist and the brute-force is applied to each possible password in the list by taking each entry in the dictionary and creating a few variation of the dictionary word (like adding a prefix or suffix of numbers) [ 13 ] [ 17 ] . A Hybrid attack will also exponentially increase the computation and time depending on the amount of characters to be concatenated with the Dictionary entries [ 5 ].

Rainbow Tables: Hellman in 1980 introduced the timememory-trade-off method used in reducing the time that is needed in cracking a cryptographic system [ 18 ] and was based on the fact that exhaustive search requires a lot of time or computing power to succeed.

Because of the drawback experienced in the Hellman time-memory-tradeoff Oechslin suggested what he termed rainbow tables (a time-memory-tradeoff technique) which drastically reduced the number of collisions experienced in the Hellman‟s model thereby reducing the number of calculations [ 19 ]. This is done by a pre-computation of the password hashes thereby reducing the time taking to crack a password. [ 2 ].

Rainbow Tables are faster than brute force attacks once the hash tables have been created, since the time it takes to compute the hash has been eliminated but it makes use of large storage area [ 9 ]. Another drawback of rainbow table is that it takes a lots of time to compute the rainbow table yourself.

IV.

PASSWORD CRACKING TOOLS



It is an open source program that decodes Windows logon password through rainbow tables by using LM hashes; it can also import the hashes from a variety of formats and sources even by directly dumping hashes from the SAM files of Windows. Most rainbow tables for LM Hashes are usually provided for free by the developers, although there are paid rainbow tables which tend to contain more hashes than the free counterpart. According to OPH Reviews, Ophcrack is fast and easy enough for a first-time password cracker user with basic Windows knowledge and it can crack most passwords within a few minutes, on most computers.” Features 

Can be used on the most popular Operating systems including Windows, Linux/Unix and Mac OS X Can be used to breack LM and NTLM hashes

Free tables available for Windows XP, Vista, 7, 8.1 Brute-force module for simple passwords Audit mode and CSV Exports Analysis of passwords using real-time graphs.

Live CD available Dumps and loads hashes from SAM encryption recovered from a Windows partition

Its free and available for download

Rainbow crack is a computer program that creates a rainbow tables for use in cracking the password; it works for general use by Philippe Oechslin faster time-memory tradeoff technology [ 19 ]; and uses memory trade-off algorithm to crack hashes from the pre-computation of “rainbow tables”. Well, it is time-consuming in pre-computing the tables but is considerably hundreds of time faster than a brute-force cracker once the pre-calculation is done. The only drawback noticed is that OS X is not supported.

 Time-memory tradeoff tool suites, including the production, sorting, conversion and lookup of rainbow tables.  It is compatible with any rainbow table hash algorithm  It is compatible with rainbow table of any character set, raw file format (.rt) and compact file format (.rtc)  It supports computing on multi-core processor.  GPU acceleration with NVidia GPUs and AMD

GPUs (CUDA Technology)  GPU acceleration on multiple CPUs  Can run on both windows and linux operating systems  Has both graphical interface as well as command line interface  It has a merged rainbow table file format on all compatible operating systems

   

Hashcat is the self-proclaimed world‟s fastest CPU-based password recovery and cracking tool tool; although not as fast as its GPU counterpart oclHashcat, this seems to be the case as Fossbytes agrees. Hashcat can break 92672M h/s of hashes with the measurement made in hashes per second[ 20 ] There are available versions for popular operating systems: Linux, OS X and Windows and can come in either CPUbased or GPU-based variants. Its free for use and features [ 21 ].

     

Originally developed by UNIX, John the ripper is a free software cracking tool to detect weak password and is now available for many flavors of UNIX, Windows, DOS and OpenVMS. It is one popular password testing and fracture program that combine a range of password crackers in a package that automatically detects types of password hash and can run against various encryptions [ 24 ] . While it is not designed specifically to crack strong passwords, it implements a brute-force strategy and brute-force as we know it, is considered infallible but can be time consuming and computationally expensive [ 25 ].

 Supports Dictionary and Brute-force attacks  Multiplatform  Its available for free

The THC Hydra is a very fast and flexible network logon cracker which primarily employs a brute-force dictionarybased attack. Hydra supports a wide range of network protocols including but not limited to TELNET, FTP, HTTP, HTTPS, SNMP, IMAP, POP3, etc. It provides a Command Line Interface and a Graphical User Interface. Its features include  Available for Windows, Linux and OS X  It is extensible and easy to add new modules  

Very effective against remote authentication services.

Can perform rapid dictionary attacks against more than 30 protocols.

Supportive with Brute-force and Dictionary attacks

Is a different flavour of OphCrack that tries to crack Windows password from hashes by using Windows workstations, network servers, primary domain controllers and Active Directory for cracking passwords; using dictionary and brute-force attack to generate and guess passwords.

Lophtcrack has the following features and abilities  Extraction of hashes from Windows versions, multiprocessor algorithms, and networks monitoring and decoding.  It runs On most BSD and Linux variants with an

SSH daemon.  Can run on windows XP and higher operating system, runs on windows server 2003 and 2008 and in both 32 and 64 bit environments  Can remotely retrieve passwords  Can perform scheduled scans  Scoring of passwords  Supports pre-calculated dictionary wordlist  Supports Unix & Windows password  Executive Level Reporting  Can give information on the risk status of

Passwords  Password Audit Method

Despite the fact that passwords are encrypted before storing them, the tools above can still be used in cracking or revealing the password. Although this tools are mostly effective against password that are just encrypted and stored. These tools will be less effective against systems that employ the techniques below to strengthen the password.

This involves adding some bits of information known as salt to a password before they are hashed [ 26 ], making it unguessable or more difficult for a standard rainbow table to crack [ 27 ]. When two salts are used, it becomes harder to crack the password [ 28 ]. The use of salts will prevent the use of rainbow tables in order to break password hashes. Although it is easy to implement and straight forward, it is also important to salt passwords in a proper and orderly manner. For example for every password or user, a different salt should be created so that a rainbow table will not be created for the set of passwords. Also a large salt value will be more preferable to smaller ones and salt values should be randomly generated [ 29 ].

The use of passwords that contains both capital and small letters, numbers and special characters and a total of at least 8 characters or more can affect the effectiveness or greatly increase the time it takes to crack this types of password.

Password form of authentication can be combined with other forms of authentication such as biometric, tokens or cards, thereby making these cracking tools less effective in password cracking

CONCLUSION

Password authentication remains the mostly used method of verification; however there are several vulnerabilities in its use (such as password reuse, dictionary words etc.) and several classes of attacks against passwords. These vulnerabilities can easily be exploited by password cracking tools. Most of these password cracking tools are available for free or in open source licenses. Based on the cracking task, a penetration tester may adopt any of these cracking tools as suitable (based on the tools features and characteristics) to carry out his pen testing task. An ethical hacker and penetration tester can pick from any of this open source cracking tools for pure authorized cracking purposes and it is strongly advice that these tools be used for learning purposes.

Password

[Online].