The (Persistent) Threat of Weak Passwords: Implementation of a Semi-automatic Password-Cracking Algorithm

Abstract

Password-based authentication remains the main method of user authentication in computer systems. In case of a leak of the user database, the obfuscated storage of passwords is the last remaining protection of credentials. The strength of a password determines how hard it is to crack a password hash for uncovering the plain text password. Internet users often ignore recommended password guidelines and choose weak passwords that are easy to guess. In addition, service providers do not warn users that their chosen passwords are not secure enough. In this work we present a semi-automatic password cracking algorithm that orders and executes user-chosen password cracking attacks based on their efficiency. With our new approach, we are able to accelerate the cracking of password hashes and to demonstrate that weak passwords are still a serious security risk. The intention of this work is to point out that the usage of weak passwords holds great dangers for both the user and the service provider.