Title :
Cracking More Password Hashes With Patterns
Author :
Tatli, Emin Islam
Author_Institution :
Dept. of Electr. & Electron. Eng., Istanbul Medipol Univ., Istanbul, Turkey
Abstract :
It is a common mistake of application developers to store user passwords within databases as plaintext or only as their unsalted hash values. Many real-life successful hacking attempts that enabled attackers to get unauthorized access to sensitive database entries including user passwords have been experienced in the past. Seizing password hashes, attackers perform brute-force, dictionary, or rainbow-table attacks to reveal plaintext passwords from their hashes. Dictionary attacks are very fast for cracking hashes but their success rate is not sufficient. In this paper, we propose a novel method for improving dictionary attacks. Our method exploits several password patterns that are commonly preferred by users when trying to choose a complex and strong password. In order to analyze and show success rates of our developed method, we performed cracking tests on real-life leaked password hashes using both a traditional dictionary and our pattern-based dictionary. We observed that our pattern-based method is superior for cracking password hashes.
Keywords :
authorisation; cryptography; application developers; brute-force attacks; cracking tests; dictionary attacks; pattern-based method; rainbow-table attacks; real-life leaked password hashes; real-life successful hacking attempts; sensitive database entries; unauthorized access; unsalted hash values; user passwords; Authentication; Companies; Complexity theory; Databases; Dictionaries; Password security; authentication; data security; dictionary attacks; hash cracking; password security;
Journal_Title :
Information Forensics and Security, IEEE Transactions on
DOI :
10.1109/TIFS.2015.2422259
