Why Hacking Passwords from Big Companies is Nearly Impossible
Passwords are not saved as plain text on any website. Websites use a hashing algorithm to encrypt and manage passwords, and there are many types of hashing algorithms, such as SHA-1 or MD5.
But somehow, some people still manage to steal credentials. In this article, we’ll see how passwords are cracked, and also why it is now nearly impossible to crack passwords from big companies due to their added algorithm.
For example, when you fill out the sign-up form on Facebook, it stores your email, name, age, DOB, etc. in its database. And what about the password? As I told you, a password will never be saved as plain text in a website’s database, so the password is given as input to a hashing algorithm, and the output of this hashing algorithm is the encrypted form of the password.
This hashed password is saved in Facebook’s database, which means the password you entered will never be saved there as plain text. Instead, only its encrypted form, in other words the hashed password, is saved in Facebook’s database.
Now, for the time being, suppose that Facebook had a data breach and hackers managed to gain access to Facebook’s user information, which included users’ names, ages, genders, emails and passwords.
Though hackers have this information, they will not be able to log in to any specific user account because the password is encrypted: if the hacker tries to log in with the hashed password, he will not be given access, because he needs to enter the password in its plaintext form.
So what can hackers do now to gain access?
Intuitively, the only possible way is to reverse the hash into its plaintext form, but this is not possible because a hash is a one-way function and the plaintext form cannot be obtained from the hash itself. That is how hashing algorithms are designed!
This is when the strength of the password comes into play: if you are using a common password like test123456 to sign up for Facebook, then the hacker will easily be able to learn the plaintext form of your password from the hash string.
This is where rainbow tables come into play. These rainbow tables contain the password hashes of numerous commonly used passwords along with their plaintext forms, so the hacker can do a simple search with the password hash that he has. If the password hash exists in the rainbow table, the password is successfully cracked and we now have the password in plaintext form.
Disclaimer: Rainbow tables contain the hashes of only those passwords which are commonly used.
As a reference, you can try it yourself at www.crackstation.net. But what if the password is not commonly used? In that case rainbow tables are of no use.
So imagine you have a word list, wordlist.txt, which is nothing but a huge text file with loads of passwords. In this attack, the hacker writes code which compares the stolen password hash with the hash of each password in the word list. If any hashes match, the cracking is successful and we now have the plain text of the hashed password.
Another approach is to take every possible password that can exist, convert it into its hash, and then check whether the hashes match. So yes, it might take forever to crack a strong password using this method; however, if the computer’s processing speed is fast enough, simple passwords can be cracked easily this way.
But nowadays cracking the hash might not be enough
A new technique called salting has been introduced by security analysts, and it gives hackers a hard time cracking passwords. In this technique, a specific combination of characters is inserted at specific positions of the plaintext password. Now nearly every big company has its own salting algorithm, and they don’t make it public. Hence, converting the passwords into their real text is nearly impossible unless you know the algorithm.
The salted password is then hashed by a hashing algorithm, so when the salting technique is used, rainbow tables are of no use, even if the password to be cracked is weak and commonly used, because the hash of the password without salting does not match the hash of the salted password. Brute-force and dictionary attacks are also not effective against salted passwords, unless, of course, the hacker already knows the salting algorithm employed by a company.
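The following is an added example, not part of the original article, showing why a precomputed table of common-password hashes matches an unsalted hash but misses a salted one. It assumes the widely used construction of a random per-user salt that is stored next to the hash and prepended to the password, rather than the position-based insertion described above; the password list and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny stand-in for a list of commonly used passwords.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "test123456", "letmein"]


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def build_lookup_table(passwords):
    """Precompute unsalted hash -> plaintext, the way a hash lookup site does."""
    return {sha1_hex(p.encode()): p for p in passwords}


def store_unsalted(password: str) -> str:
    """What a site without salting would keep in its database."""
    return sha1_hex(password.encode())


def store_salted(password: str, salt=None):
    """Return (salt, hash). Assumption: 16 random bytes per user, prepended."""
    salt = os.urandom(16) if salt is None else salt
    return salt, sha1_hex(salt + password.encode())


def verify_salted(password: str, salt: bytes, stored_hash: str) -> bool:
    """Login check: recompute with the stored salt, compare in constant time."""
    return hmac.compare_digest(sha1_hex(salt + password.encode()), stored_hash)


def lookup(table, stored_hash):
    """Return the plaintext if the hash was precomputed, else None."""
    return table.get(stored_hash)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    weak = "test123456"
    print("unsalted hash found in table:", lookup(table, store_unsalted(weak)))
    salt, digest = store_salted(weak)
    print("salted hash found in table:  ", lookup(table, digest))
    print("legitimate login still works:", verify_salted(weak, salt, digest))
    _, other = store_salted(weak)
    print("two users, same password, different hashes:", digest != other)
```

SHA-1 appears here only because the article names it; production password storage uses a deliberately slow function such as bcrypt, scrypt or Argon2 together with the salt.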