Brute-force and dictionary attack on hashed real-world passwords

Publication Type: Conference Paper
Year of Publication: 2018
Authors: Bošnjak, L., Sreš, J., Brumen, B.
Conference Name: 2018 41st International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO)
Keywords: authorisation, brute force attacks, brute-force attack, Collaboration, cracked passwords, Dictionaries, dictionary attack, educational administrative data processing, Educational institutions, Force, hashed passwords, hashed real-world passwords, human factors, hybrid attacks, information system, online grading system, password, password cracking, password creation policies, password security, policy-based governance, pubcrawl, Slovenian university, uncracked passwords
Abstract: An information system is only as secure as its weakest point. In many information systems that remains the human factor, despite continuous attempts to educate the users about the importance of password security and enforcing password creation policies on them. Furthermore, not only do the average users' password creation and management habits remain more or less the same, but the password cracking tools, and more importantly, the computer hardware, keep improving as well. In this study, we performed a broad targeted attack combining several well-established cracking techniques, such as brute-force, dictionary, and hybrid attacks, on the passwords used by the students of a Slovenian university to access the online grading system. Our goal was to demonstrate how easy it is to crack most of the user-created passwords using simple and predictable patterns. To identify differences between them, we performed an analysis of the cracked and uncracked passwords and measured their strength. The results have shown that even a single low to mid-range modern GPU can crack over 95% of passwords in just a few days, while a more dedicated system can crack all but the strongest 0.5% of them.
