Cracking more password hashes with patterns
AuthorTatlı, Emin İslam
MetadataShow full item record
CitationTatlı, E. İ. (2015). Cracking more password hashes with patterns. IEEE Transactions on Information Forensics and Security, 10(8), 1656-1665. https://dx.doi.org/10.1109/TIFS.2015.2422259
It is a common mistake of application developers to store user passwords within databases as plaintext or only as their unsalted hash values. Many real-life successful hacking attempts that enabled attackers to get unauthorized access to sensitive database entries including user passwords have been experienced in the past. Seizing password hashes, attackers perform brute-force, dictionary, or rainbow-table attacks to reveal plaintext passwords from their hashes. Dictionary attacks are very fast for cracking hashes but their success rate is not sufficient. In this paper, we propose a novel method for improving dictionary attacks. Our method exploits several password patterns that are commonly preferred by users when trying to choose a complex and strong password. In order to analyze and show success rates of our developed method, we performed cracking tests on real-life leaked password hashes using both a traditional dictionary and our pattern-based dictionary. We observed that our pattern-based method is superior for cracking password hashes.