Donate to us!
You cannot teach a man anything; you can only help him find it within himself. - Galileo
Thursday, June 21, 2018
 Need Help?
Members Online
Total Online: 86
Guests Online: 82
Members Online: 4

Registered Members: 105534
Newest Member: UnknownHKR
Latest Articles

Password cracking!!

Arrow Image Different ways to crack a password

Hello, to start off I would like to say thanks for taking time to read my article. As this might be a little sketchy, please bare with me, for this is my first article for HBH. In this article I will go over different types of cracking methods, and the odds of actually cracking them, so you can figure out and understand why cracking is so difficult.

Brute forcing
The most common type of cracking method is called an exhaustive brute force. For those of you who are unsure what that means, read on. An exhaustive brute force is the cracking program, tries every conceivable password. In most password boxes, the allowed characters are A-Z (capital) a-z (lower) 0-9 (numbers) and all of their corresponding characters. Some even allow the use of a spacebar, < > ?/.,\ | ][ {} the list goes on. There are a total of 95 different keys you can use for every character of a password, so be creative. For the base of explanation ill use an eight (8) character password. If you have an eight character password, trying 10,000 cracks per SECOND, would take you 22,875 years to complete (assuming it’s the last password tried). For those of you who like the math explanation would look like 95 ^ 8 (the ^ means to the power of, 95 is how many characters it could be, 8 is how many characters are in the password. To simplify it and make more sense to you, if you had 1,000 computers cracking the same password, it would still take you OVER 22 years to complete, feel free to throw up, I know I did.

Dictionary attack
I am sure that you have all heard NOT to use any direct words from the dictionary, and you ask why not, and ill answer here shortly. For the base of learning, let’s say you used the longest word in the English language (Pneumonoultramicroscopicsilicovolcanokoniosis), yes this is the longest. Despite the 45 letters it took to make it, it would still be cracked LESS THEN ONE MINUTE. Why is that you may ask? The dictionary hold about 200,000 words, more or less depending on which one you’re looking in, assuming 10,000 cracks per second, would only take 20 seconds, because it’s looking thru every word in the dictionary, and none more.

Hash look up
This is by far the most appealing to me. As I was showing my friends some cracking methods, He asked me what a hash is, so I explained. He then asked why don’t you just “pre-calculate” all the hashes. Even though such a good question I laughed my ass off. I explained to him that a password normally is not found in plain text, it has a hash (usually mathematically irreversible). Of course you would have to store, the table or database somewhere, so you just need to search the database for the corresponding hash. Assuming your doing a binary search, I would look like O(log2 N). N is the number of entries. So to continue the password used above would look like O(8 log2 95) which is incredibly fast. Of course then you would have to add in for each of those a salt value between 0 and 4096. So now its O(8 log2N) X 4096 (feel free to do the math) Sound like a good idea? Well, guess again!! The downfall of such an attack is that you would have to have about 100 thousand TERABYTES of memory (damn near enough to run NASA). Just for a little ratio, a 4 character password, with all 4096 salts and every possible hash pre-calculated, would take about 4.6 terabytes of memory, which is still very impractical.
There are many different types of cracking methods, for I put only those that are commonly used, known and most interesting. Please PM me or post with any comments, questions or concerns you may have regarding password cracking and my article. Also please speak openly, for I won’t get better. Thanks again!!


richohealeyon February 22 2007 - 16:20:36
good article, but you should have mentioned rainbow tables.... your last paragraph points right at them!
minermonkon February 22 2007 - 18:16:38
a good article, but it dose stop short of what i would expect.
netfishon February 22 2007 - 18:23:22
Theory is good tho. What happened to structure and using spacing, ie. new lines, and paragraphs... ? It's hard to read. Nice, overall, however.
shaddowon February 22 2007 - 20:07:46
Thank you all in advance for your comments as they will all help me out with my future articles. Thanks
daiianion February 22 2007 - 20:15:13
Plzz, can u like do it in parts, very hard to read Pfft
Intocksifyon February 22 2007 - 23:08:20
Thanks for this, this makes it clear why my friend laughed his ass off when I tried to crack an FTP site's login for fun the other day using a bruteforce. Took me a while to realize the estimated time was 15.7 sumthin milleniums to find a 50 letter username and a 60 letter password.... yea...
AldarHawkon February 27 2007 - 13:47:30
This is a good article in theory but do you have any proof to your statements? Are you certain that it would take up approx. 100 TB of storage to hold 4 character length of all passwords salted? If you could provide me with a little more indepth working on all of the "facts" behind this article it would be a little more backed up and it stands now it seems a little lacking in a lot.
grooon March 07 2007 - 23:51:29
you can't really build an exhaustive hash database, but PHPBB, php-fusion, and many other popular CMS'es store their passwords as unsalted md5 hashes, and most people SUCK at picking passwords. you will find that for the average website that has user accounts, roughly 70% of the MD5s of the passwords will be in an md5 database such as aim:md5library.
shaddowon March 09 2007 - 14:12:19
but what if you could? Imagin how much memory that would take. If you go to word doc. and a 1 page paper. What does it come out to be. in kb's. Imagin how many passwords that could be made the highest ive see was 95 ^16. some astronomical number. mulitplied by the 4096 salt values. Almost makes it unreal to imagine.
orhanc1on March 26 2007 - 01:46:17
you spelt the biggest word wrong, google sais its spelt Pneumonoultramicroscopicsilicovolcanoconiosis not Pneumonoultramicroscopicsilicovolcanokoniosis.
shaddowon March 27 2007 - 03:16:02
haha, thanks Webster!!! (spelled that from memory, not copy and past)
shaddowon March 27 2007 - 03:17:33
p.s Thought I would add that "sais" (as you spelled it) is should actually be "says" (google for it)
Post Comment


You must have completed the challenge Basic 1 and have 100 points or more, to be able to post.