Passwords | Entropy and Cracking

How are passwords stored?

Passwords are not kept in plain text. Each password is run through a pseudo-random function (a hash function) and only the result is stored, for example:
plain-text password: w3wiki
Result: f8d59362da74ffe833332dc20508f12de6da6a9298c98b3b42873e7298fced78

Can they be cracked?

  1. Brute Force Attacks: Most of you will be familiar with this type of attack, as it is the most common. As its name suggests, it tries every combination of plain-text characters, runs each candidate through the hash function and compares the output with the hashes contained in our text file. You might think it would take a lifetime to run every permutation through a hash function and match it against the file, but suppose the attacker has access to a high-performance server from his computer, and that server uses 4 of the latest NVIDIA graphics cards, giving it the ability to compute 40 billion hashes per second. Now it is only a matter of seconds. Using a program called CUDA HashCat we can get started with cracking. Say we have a file called test.hash containing all the hashes and we want to recover all 7-character passwords made of lowercase letters; we run the following command.
    ./hashcat -a 3 test.hash ?l?l?l?l?l?l?l
    -a selects the attack mode, 3 is the brute force (mask) mode, and ?l stands for one lowercase letter; repeated 7 times it means 7 lowercase letters. Within seconds every candidate whose hash matched one in test.hash is displayed on screen. If we want to crack passwords with 6 lowercase letters followed by 2 digits, we write this:
    ./hashcat -a 3 test.hash ?l?l?l?l?l?l?d?d
    As the number of characters grows the attack slows down, because the number of combinations increases; it can be calculated as the size of the character set raised to the power of the password length.
    First Example: 
    Second Example: *
    
    As the search space gets bigger it becomes harder to crack these passwords even for simple, fast hash functions like MD5 or SHA1. In such cases brute force is not feasible and we move on to dictionary attacks.
  2. Dictionary Attacks: We have a dictionary of commonly used passwords stored in a text file; we hash each entry and match it against the hashes obtained from the site's database. This is much more efficient than brute force. There is a well-known password list called "rockyou" which contains millions of such passwords. Let's run such an attack.
    ./hashcat -a 0 test.hash ./dictionaries/rockyou.dict
    0 stands for the dictionary (wordlist) attack mode and we provide the path to our dictionary file. These attacks can be customized by applying a set of rules to the dictionary and then running the resulting candidates through the hash function. The rules are nothing but the usual variations people make in the belief that they are making their passwords more secure, such as replacing I's with 1's or E's with 3's. Suppose all your rules are stored in a file called myrules.rule; running the attack with this file performs a series of dictionary attacks, applying one rule at a time to the whole dictionary. For that we run the following:
    ./hashcat -a 0 -r ./rules/myrules.rule test.hash ./dictionaries/rockyou.dict
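The keyspace rule above (charset size to the power of the length) is what decides whether a mask attack is feasible. The following added example, not code from the original article or from hashcat, computes the keyspace, the entropy in bits and the worst-case search time for a hashcat-style mask at the 40 billion hashes/second rate quoted above; the charset sizes are hashcat's built-in ?l, ?u, ?d, ?s and ?a sets, and the rate is assumed rather than measured.

```python
import math

# Sizes of hashcat's built-in mask charsets:
# ?l lowercase, ?u uppercase, ?d digits, ?s specials (incl. space), ?a all printable ASCII.
CHARSET_SIZES = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}

# Cracking rate quoted in the article (4 NVIDIA GPUs): an assumed figure, not a measurement.
RATE_PER_SECOND = 40_000_000_000


def mask_keyspace(mask: str) -> int:
    """Number of candidates a mask like '?l?l?l?l?l?l?d?d' generates.

    Each '?x' position multiplies the keyspace by the size of charset x.
    A literal character (or the escaped '??' for a literal '?') contributes one choice.
    """
    total = 1
    i = 0
    while i < len(mask):
        if mask[i] == "?":
            if i + 1 >= len(mask):
                raise ValueError(f"incomplete charset marker at offset {i}")
            marker = mask[i + 1]
            if marker == "?":          # '??' is a literal question mark: one choice
                i += 2
                continue
            if marker not in CHARSET_SIZES:
                raise ValueError(f"unknown charset ?{marker} at offset {i}")
            total *= CHARSET_SIZES[marker]
            i += 2
        else:                          # plain literal character: one choice
            i += 1
    return total


def entropy_bits(keyspace: int) -> float:
    """Entropy of a uniformly chosen password from a keyspace of this size."""
    return math.log2(keyspace)


def worst_case_seconds(keyspace: int, rate: int = RATE_PER_SECOND) -> float:
    """Time to exhaust the whole keyspace at the given hash rate (unsalted, fast hash)."""
    return keyspace / rate


if __name__ == "__main__":
    for mask in ("?l?l?l?l?l?l?l", "?l?l?l?l?l?l?d?d", "?a?a?a?a?a?a?a?a?a?a"):
        ks = mask_keyspace(mask)
        print(f"{mask:22} keyspace={ks:>22,} bits={entropy_bits(ks):5.1f} "
              f"worst-case={worst_case_seconds(ks):,.1f}s")
```

The two masks from the article both fall well under a second at this rate, while ten ?a positions (about 65 bits) take years, which is the gap the entropy section below is about.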

Choosing a strong password

Password Entropy:
‘un-brute-forcable’