Our passwords are often the first and last security measure we use. In this video, you’ll learn how attackers obtain our credentials using password spraying and brute force.
In your IT career, there is a possibility that you could run across an application that stores credentials like usernames and passwords in a non-encrypted form. We often refer to this as in the clear. Although this is rare, this is something that could be a significant security concern. This is why we always say to never store passwords as the plain text of the password. Someone can gain access to the files or databases where those credentials are stored, and at that point they would easily have everyone’s username and password in plain text and they can begin taking advantage of that information immediately.
If you’re using an application that is storing this information as plain text, your only good option is to stop using that application. Perhaps reaching out to the application developer might be an option, but this will require a rewrite to be able to save your passwords in a form that’s more secure. Instead of storing these passwords as plain text, all of these passwords should be stored as a hash. We’ve discussed an overview of hashing in previous videos, but in this video, I want to drill down into how hashes and passwords are so closely related.
When we’re storing information as a hash, we’re taking a variable-length input and representing it as a fixed-length string of text. You’ll often hear this referred to as a message digest or a fingerprint. Another interesting characteristic of hashing is if you have a different input into the hashing algorithm, you will have a very different output. This means that everyone with a different password will have a very different hash that is stored in the database.
And perhaps from a password perspective, the most important characteristic is there’s no way to reverse-engineer the password once it’s stored as a hash. Just as the fingerprints on your hand can’t be used to reconstruct an entire person, you can’t somehow reconstruct a password when you only have the hash of that password.
Here’s an example of what these passwords would look like if we stored them with a hash instead of storing them with the plain text. On the left side of this list are the passwords, and on the right side is a hash that’s been created with the SHA-256 hashing algorithm. You can see that the password of 123456 is stored as this hash, and the password of 1234567 appears to be a very different hash.
Notice that although the password itself is only one character difference between the two, the two different hashes are very different from each other. If we were to look at the section of an operating system or the file where these credentials are saved, you may be able to see the usernames associated with these accounts. But notice that the hash that is stored for each one of these accounts is very different from each other, and none of it contains the original plaintext.
You may have run into a scenario where you’ve forgotten your password and you try a number of different options for logging in. But after the fourth or fifth try of an incorrect password, your account is locked out, sometimes for a certain amount of time, or sometimes you would need to call to have this account re-enabled. The attackers would love to try guessing at what your password might be, but they don’t want to guess so many times that they also might cause a lockout. So instead, they might try the most common passwords.
This is a list of the top five most common passwords as found on Wikipedia, and they’re passwords you might expect. Passwords like 123456, 123456789, querty, password, and 1234567. Although it may seem obvious that people shouldn’t use these types of passwords, unfortunately people all too commonly use these very common passwords when securing their accounts. So all an attacker would need to do is to try perhaps maybe the top three passwords on this list. And if they don’t gain access to the account, they’ll simply move on to the next one on their list.
So the attacker will try to find these accounts that have very weak passwords, and it might try three attempts. And once it uses those three attempts, it moves on to the next account. This means there won’t be any lockouts, there won’t be any alarms or notices in a security report, and they can effectively try this online brute force attack without raising any type of notice. We refer to this type of attack as a spraying attack. And if an attacker wants to simply find those accounts that might be available using these common passwords, this is a good way to accomplish that without raising any suspicion.
You can think of a spraying attack as the beginnings of what could potentially be a brute force attack. But a brute force attack would be trying many different iterations of passwords to try to find the right one. In many cases, the attackers will go through every possible combination of letters, numbers, and special characters until they can find every password in that password list. As you can imagine, stepping through every possible iteration of a password is very time-consuming. And if the hashes have been saved with a strong hashing algorithm and the passwords themselves are quite long, this could take quite a bit of time to brute force.
Here’s the process that an attacker goes through when trying to brute force a password. They have already received the hash. They might have received this as part of a file that was downloaded, or they were able to obtain the hash in other ways. This hash doesn’t contain any information that can tell us what the password is, so we’ll now start the brute force. We’ll start with the password aaaaa, and we’ll look at the hash for that password. If that hash matches the hash that was from our password file, then we’ve just found the right password.
In this particular case it does not, so we will go to the next possible iteration, which is aaaab. And we can see that hash also does not match the password. We’ll go to the next one on our list, and we’ll keep iterating through every possible combination. Eventually the attacker will come across a hash that finally matches the hash that was stored in the password file. In this particular case, the password that the attacker was looking for is literally the word “password.”
As we’ve already mentioned, it’s very common for accounts to automatically lock themselves when too many incorrect password attempts are made. And that’s why a brute force attack online is going to be very slow– because you’ll only be able to make a request to this perhaps once or twice a day. And of course, you do have the concern that eventually this account will be locked out.
Instead, the way that most attackers handle a brute force is to download the file that contains all of that password information. Very often it looks something like this where there would be a list of usernames, perhaps a name ID or group ID, and then the hashed password itself. Once the attacker is offline, there’s no concern that an account might be locked out. They can perform as many brute force attacks as they would like over whatever time-frame that they would like. As long as the attacker has enough time and enough computational resources, they can try every possible hash until they come across one that matches the information that’s stored in the password file itself.