Everything You Wanted to Ask About Cracking Passwords

October 15th, 2020 by Vladimir Katalov
Category: «General», «Tips & Tricks»

Making tools for breaking passwords, I am frequently asked whether it’s legal, or how it works, or what one can do to protect their password from being cracked. There are people who have “nothing to hide”. There are those wearing tin foil hats, but there are a lot more people who can make a reasonable effort to secure their lives without going overboard. This article is for them.

Is password cracking legal?

The short answer is “it depends”. Regulations vary vastly between countries; some even make it illegal to withhold a password from the authorities when they ask, as in France, the country of Liberté. In general, passwords are used to restrict access to data (and it also matters whose data it is, and who is asking). Obviously, nobody can stop you from breaking your own password that you forgot; however, if that password protects access to your data stored in some online service, it does not actually matter that the account is yours: you cannot legally break it. In other words, cracking passwords is perfectly legal if you work with local data and the data is yours, or if you have permission from the legal owner, or if you represent the law and follow the local regulations. Cracking someone else’s data might be a criminal offence, but there is a huge gray area.

How long does it take to crack the password?

It looks like another “it depends”. There are two common cases:

  • You don’t need to actually break the password: the protection is flawed or can be bypassed, so access to the data can be obtained regardless of password length and complexity.
  • The protection holds, and the “success rate” (if we can ever use this term) depends directly on the password length and complexity, on how expensive each guess is made by the key derivation, and on the hardware thrown at it.

The devil is in the details. For example, even if the entire protection method (which includes the encryption algorithm, the key derivation function and certain other things such as the use of a salt) is strong and a properly strong password is selected, there may still be a chance that the same password is re-used somewhere the protection is weaker, or that said password is stored somewhere, e.g. saved in your browser for faster access, and so can be easily obtained without the need to crack it.

Is there such a thing as secure password?

It depends (I know, I know). Remember the “entire protection method” I mentioned in the previous chapter? If the vendor’s implementation has a single weak link (like, for example, using a strong encryption algorithm but only employing a single hash iteration to derive the encryption key from the user’s password), you may forget about secure passwords. Security does not depend entirely on the password length and complexity.

If there are no obvious faults in the vendor’s implementation (and you never know if there really aren’t), a 7 or 8-character password would be generally secure if it is a genuinely random mix of letters, numbers and special characters: with a slow key derivation function, exhausting the keyspace takes years even on GPU clusters, whereas the same 8 characters behind a single fast hash fall in days. Choosing passwords based on dictionary words? I have bad news for you: those fall in seconds whatever the key derivation.

If you aren’t sure about your vendor’s implementation, the password should be at least 12 characters long. How do you know if you can trust the vendor? First and most important, do not trust the vendor’s claims; their favorite claim, “military-grade encryption”, means nothing at all. You can look for more information and find something like “we use pbkdf2(sha512) with 100,000 iterations”, but I doubt that tells you a lot unless you work in cyber security (the things to look for are a per-user salt, a deliberately slow key derivation function such as PBKDF2, bcrypt, scrypt or Argon2, and an iteration count or memory cost high enough that every guess is expensive). Even then, there could be too many other factors affecting the password strength. Finally, the password strength is not the only factor that affects security.
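As an added example (mine as editor, not code from the original post or from any Elcomsoft product), the script below makes the “weak link” concrete. Two toy vendor implementations store a password verifier: one with a single unsalted SHA-256, the other with salted PBKDF2-HMAC-SHA512 at 100,000 iterations. A dictionary attack recovers a word-based password from either in a handful of guesses, and the keyspace arithmetic shows why a random 8-character password holds up only when each guess is expensive. The wordlist is constructed, and the GPU hash rate of 1e10 hashes per second is an assumption for illustration, not a benchmark.

```python
import hashlib
import hmac
import os
import secrets
import string
from typing import Callable, Optional, Tuple

# Constructed sample wordlist (not a real leak): the kind of list a cracker tries first.
WORDLIST = ["123456", "password", "letmein", "qwerty", "summer2020", "Tr0ub4dor&3"]

PBKDF2_ITERATIONS = 100_000
Deriver = Callable[[str, bytes], bytes]


def weak_verifier(password: str, salt: bytes) -> bytes:
    """The weak link: one unsalted SHA-256. The salt is accepted but ignored, so
    identical passwords give identical verifiers and each guess costs one hash."""
    return hashlib.sha256(password.encode()).digest()


def strong_verifier(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA512, 100,000 iterations: every guess costs the attacker
    roughly 200,000 SHA-512 compressions instead of one."""
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, PBKDF2_ITERATIONS, dklen=32)


def dictionary_attack(target: bytes, salt: bytes, derive: Deriver) -> Tuple[Optional[str], int]:
    """Offline attack: derive each candidate and compare with the stored verifier.
    Returns (recovered password or None, number of guesses made)."""
    guesses = 0
    for candidate in WORDLIST:
        guesses += 1
        if hmac.compare_digest(derive(candidate, salt), target):
            return candidate, guesses
    return None, guesses


# Keyspace arithmetic for a "genuinely random mix of letters, numbers and special characters".
ALPHABET = string.ascii_letters + string.digits + string.punctuation
ALPHABET_SIZE = len(ALPHABET)  # 94


def keyspace(length: int, alphabet_size: int = ALPHABET_SIZE) -> int:
    return alphabet_size ** length


# ASSUMPTION for illustration only: one modern GPU evaluating raw SHA-2 at about
# 1e10 hashes/second. Real figures vary by GPU and by hash; benchmark your own.
ASSUMED_RAW_HASH_RATE = 1e10


def guesses_per_second(iterations: int, raw_hash_rate: float = ASSUMED_RAW_HASH_RATE) -> float:
    """Rough model: each PBKDF2 iteration is two compressions (HMAC inner and outer),
    so the guess rate is the raw rate divided by 2 * iterations. A single plain hash
    (iterations == 1, no HMAC) is modelled as the raw rate itself."""
    return raw_hash_rate if iterations == 1 else raw_hash_rate / (2 * iterations)


def years_to_exhaust(length: int, iterations: int) -> float:
    """Worst-case time to try the whole keyspace; the expected time is about half."""
    seconds = keyspace(length) / guesses_per_second(iterations)
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    salt = os.urandom(16)
    implementations = (("single SHA-256", weak_verifier), ("PBKDF2-SHA512 x100k", strong_verifier))
    # A dictionary password falls to either implementation within six guesses...
    for name, derive in implementations:
        print(f"{name:>20}: summer2020 -> {dictionary_attack(derive('summer2020', salt), salt, derive)}")
    # ...while a random 8-character password is simply not on the list.
    random_pw = "".join(secrets.choice(ALPHABET) for _ in range(8))
    for name, derive in implementations:
        print(f"{name:>20}: random   -> {dictionary_attack(derive(random_pw, salt), salt, derive)}")
    for length in (8, 12):
        for iterations in (1, PBKDF2_ITERATIONS):
            print(f"{length} random chars, {iterations:>7} iteration(s): "
                  f"{years_to_exhaust(length, iterations):.3g} years to exhaust")
```

Run it as a script to print the recovered passwords and the years-to-exhaust figures. With the assumed rate, 94^8 random characters fall in about a week against a single hash but take thousands of years against 100,000 iterations of PBKDF2, and 94^12 characters take over a million years even against a single hash, which is the arithmetic behind the 8 versus 12 character advice above.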

For online services, everything is far more complex. Most systems restrict the number of failed attempts for a given account, blocking access after several (very few) incorrect passwords in a row. This, however, does not remove the possibility of a reverse brute force attack: trying one or two very common passwords against a large number of accounts (also known as password spraying), which never trips a per-account lockout. The system security depends on many other factors, and your account might be cracked in a different way, using vulnerabilities in the system or its network software.
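To show why a per-account lockout does not stop a reverse brute force, here is an added example (mine as editor, not from the original post or from any real service): a toy login service that locks an account after five consecutive failures, a classic single-account brute force that it stops, a password spray that it does not, and the complementary detection a defender needs, which flags a source that fails against many distinct accounts. The user base, passwords and source addresses are constructed.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample user base (not real data). Two users share a password that
# appears on every list of common passwords.
USERS: Dict[str, str] = {
    "alice": "g7!Qw2#zLp9v",
    "bob": "Summer2020",
    "carol": "x8$Hn3@Kd1mR",
    "dave": "Summer2020",
    "erin": "pW4&jT9^nB2c",
    "frank": "vM1*eR6!sY3k",
    "grace": "qL5%tD8(hF2w",
    "heidi": "mN9@bV4$cX7j",
}
MAX_FAILURES = 5  # the typical "lock after five wrong passwords in a row"

# A spraying list: one or two guesses per account, never enough to lock anything.
SPRAY_LIST = ["Summer2020", "Password1"]
# A classic single-account list: many guesses against one victim.
BRUTE_LIST = ["123456", "password", "letmein", "qwerty", "Summer2020", "Password1", "welcome"]

LogEntry = Tuple[str, str, str]  # (source_ip, username, outcome); passwords are never logged


class AuthService:
    """Toy online login with per-account lockout and nothing else."""

    def __init__(self, users: Dict[str, str]) -> None:
        self.users = users
        self.failures: Dict[str, int] = defaultdict(int)
        self.locked: Set[str] = set()
        self.log: List[LogEntry] = []

    def login(self, source_ip: str, username: str, password: str) -> str:
        if username in self.locked:
            outcome = "locked"
        elif self.users.get(username) == password:
            self.failures[username] = 0
            outcome = "success"
        else:
            self.failures[username] += 1
            if self.failures[username] >= MAX_FAILURES:
                self.locked.add(username)
            outcome = "failure"
        self.log.append((source_ip, username, outcome))
        return outcome


def brute_force_one_account(service: AuthService, username: str, source_ip: str) -> List[str]:
    """Classic attack: many passwords against one account. Returns the passwords that worked."""
    hits = []
    for pw in BRUTE_LIST:
        if service.login(source_ip, username, pw) == "success":
            hits.append(pw)
    return hits


def password_spray(service: AuthService, source_ip: str) -> Dict[str, str]:
    """Reverse brute force: one common password against every account, then the next.
    Each account sees at most len(SPRAY_LIST) failures, so the lockout never fires."""
    compromised: Dict[str, str] = {}
    for pw in SPRAY_LIST:
        for username in service.users:
            if username in compromised:
                continue
            if service.login(source_ip, username, pw) == "success":
                compromised[username] = pw
    return compromised


def detect_spraying(log: List[LogEntry], min_distinct_accounts: int = 5) -> Dict[str, int]:
    """The check the lockout policy lacks: one source failing against many distinct
    accounts. Returns {source_ip: number of distinct accounts with failed logins}."""
    failed_accounts: Dict[str, Set[str]] = defaultdict(set)
    for source_ip, username, outcome in log:
        if outcome == "failure":
            failed_accounts[source_ip].add(username)
    return {ip: len(accts) for ip, accts in failed_accounts.items()
            if len(accts) >= min_distinct_accounts}


if __name__ == "__main__":
    svc = AuthService(USERS)
    print("brute force on alice:", brute_force_one_account(svc, "alice", "203.0.113.7"),
          "| alice locked:", "alice" in svc.locked, "| flagged:", detect_spraying(svc.log))
    svc = AuthService(USERS)
    print("spray:", password_spray(svc, "203.0.113.8"),
          "| locked:", sorted(svc.locked), "| flagged:", detect_spraying(svc.log))
```

The brute force against one account is stopped after five guesses and locks that account; the spray tries two passwords against eight accounts, compromises the two that reuse a common password and never locks anything. Only correlating failures per source across accounts (here, five or more distinct accounts) reveals it, which is why a lockout policy alone is the wrong place to stop.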

Smartphones are yet another unique case. There are even more factors to consider, including the hardware model, the vendor’s implementation, OS version, security patches, system and software settings, cloud access, and a lot more. Some smartphones are more secure than others in general, but still vulnerable if used incorrectly.

How does password cracking work?

There are many methods of password cracking.

As I have already mentioned, sometimes you don’t need to crack the password at all, as there are other, faster and simpler ways to access the data. For example, many legacy systems and applications do not encrypt the data; the password only gates the user interface. Even without a classic backdoor, one can simply bypass the authentication check and read the data directly from the storage.

Even if the password protection implementation is genuinely secure, there are different attacks. Watch our blog, I’ll tell you more about them. The attacks look very different from what you see in Hollywood movies (where every single character of the password or security code is cracked separately, each in a split second; real implementations give no per-character feedback), but they are not rocket science either.

Can hackers break my password?

If you are asking, it’s likely that they can. They are well educated. They have the tools. They know how to use them. They don’t need your permission, and they don’t care about the law. They are good social engineers. They know the value of your data (better than you do). They’ve been doing this for years. Should you be concerned? Absolutely. Your data has a price tag, and it’s up to them to decide whether it’s worth their effort.

Can the police crack my password?

Sure they can, but the chance of them cracking your password is lower than the hackers’ simply because of the legal restrictions. While they use the same tools as the hackers, they have other ways to access your data that aren’t available to criminals.

Law enforcement officials may be able to legally request your data without breaking your password (e.g. from Apple, Microsoft, Google, Facebook etc.), and they may have the authority to go through the physical hard drive of your computer, pulling passwords straight from your Web browser.

How can I secure my data?

There is no short or simple answer. You’ll have to learn, and you’ll have to understand how things work in order to protect your data. Just one example: writing your passwords down on a piece of physical paper might be a better strategy against hackers than storing them on your computer, but a bad one if what you want to defend against is a police search. There are multiple things to consider; we collected some of them in the recent article Playing devil’s advocate: iPhone anti-forensics. If you are interested in protecting your Windows system, have a look at our article series related to BitLocker.

Security is not a tool, software or methodology. Instead, it is a process. You cannot configure your system once and stay safe for good. You always have to learn.

Why password protection is so popular, and isn’t it safer to use biometrics?

Password protection is fast and simple to implement, and it’s really convenient to use. Other authentication methods exist. I like Face ID in particular (probably even more convenient than password protection), but it does not increase the overall security of your iPhone. It is a weaker but more convenient way of authenticating that Apple used to convince users to enable some sort of lock screen at all; the passcode remains the root of trust, and the phone still demands it after a reboot, after a few failed face matches, or after a period of non-use. Back in the day, people would not bother PIN-locking their phones, so that’s a huge step if you think of it. All biometric authentication methods have a non-zero false acceptance rate by design (they must tolerate natural variation in the input), and some are so weak that they can be easily fooled. While the latter is not the case with Apple Face ID, many Android-based copycats, including big brand names, offer severely flawed and completely insecure implementations of face unlock. No one seems to care.

Is there a light at the end of the tunnel?

The answer is disappointingly negative.

If you are an ordinary user, the risks are escalating. The more data, more gadgets, more everything is around, the more difficult it becomes to protect or even keep under control.

If you work in law enforcement, you get more challenges every day. End-to-end encryption, secure cloud storage, advanced encryption software and tightening privacy regulations don’t make your work any easier.

If you are a hacker… This article is not for you, as you already know everything I wanted to tell.


Elcomsoft Distributed Password Recovery

Build high-performance clusters for breaking passwords faster. Elcomsoft Distributed Password Recovery offers zero-overhead scalability and supports GPU acceleration for faster recovery. Serving forensic experts and government agencies, data recovery services and corporations, Elcomsoft Distributed Password Recovery is here to break the most complex passwords and strong encryption keys within realistic timeframes.

Elcomsoft Distributed Password Recovery official web page & downloads »