Password Security, Threats and Measures

From Embedded Lab Vienna for IoT & Security
Jump to navigation Jump to search


This documentation provides an overview of the threats to passwords and the security measures taken against them. Furtheron, this article provides a presentation on how to crack a password with the pentesting tool "John The Ripper".

Password Security

Passwords are the most used authentication method. Therefore, the security of a password is of significant importance. The strenght of a password can be measured through the quality of the password or its entropy. Besides the quality and entropy of a password, factors like personal data or known passwords have to be considered.

The quality of a password is described as the time it takes to crack a password using the trial and error method. Passwords which take longer to crack are considered to be of higher quality. The entropy of a password is described as the randomness and unpredictability of a password. The entropy of a password can be impacted through factors like the length and character set size.

Password Managers

Password managers can store the passwords, guide the creation and provide security when sharing passwords. Password managers can include aid in the cases of long, complex and important passwords as they store the passwords of the user and provide a certain level of security. These managers often consist of several authentication steps in order to achieve this certain level of security. The functionality can differ as there are different types of managers.

Types of password managers:

  • Cloud-Based Password Managers
  • Local Password Managers
  • Browser-Based Managers
  • Enterprise Managers
  • Hardware Password Managers

Vulnerabilities and Threats

Passwords are mostly created by humans and are therefore a subject to vulnerabilities. Humans seek simplicity and comfort and they try to create easy to remember passwords. They often use personal information in order to provide a memorable word. Most of them use the same passwords on multiple websites and neither do they change them frequently. Close to two thirds of users do not use special characters in their passwords.

These factors create many vulnerabilities as they make the passwords predictable, of low quality or entropy and therefore easier to crack.


These weakly created passwords are often the victim to different threats. Most of these threats require some sort of fraud or deception.

Some of these threats are:

  • Phishing

Is trying to gain login credentials by impersonating a person or faking a website.

  • Keylogging

Is recording the keystrokes which a user puts in.


These attacks vary and can be successful at compromising the victims password. Different attacks require different computational power, memory and time when cracking passwords.

Some of these attacks are:

  • Brute-Force and Dictionary Attacks

Trying to guess the password or using wordlists.

  • Rainbow-Table Attack

Hashing a password over and over again in order to gain the same hash as the victim password and then reconstruct the plaintext password.

Security Measures

In order to prevent attackers from gaining unauthorized access, developers have came up with different security measures. These measures can provide further steps of authentication and achieve more security.

These are some security measures which can help to withstand most of the named threats:

  • Two-Factor Authentication

This measure requires and additional step of authentication on system access.

  • Security Questions

Security questions also require an additional step of authentication by requiring the answer to personal questions.

  • Account Policies

Account policies force the user to frequently change the password or to lock the account if the password is entered wrong multiple times.

  • Activity Monitoring

The monitoring of suspicious activity like a login attempt of a new devices can alert the user to pay attention to a certain account and maybe change the login credentials.

Password Cracking Tools

These are only some of the cracking tools which can be used to attack a victims account:

  • John The Ripper

Supports brute-force and dictionary attacks. This tool will be used later in this documentation to present a password cracking process.

  • Hashcat

Offers brute-force, dictionary, mask attacks and more.

  • OPH Crack

Implements the rainbow table attack.


  • Operating system/Platform: Kali Linux
  • Packages: git openwall/john

Cracking a password

The following steps are necessary in order to crack a password. Kali linux is used as the operating system as it provides different cracking tools and more. The used tool for this crack process is "John The Ripper".

  • NOTE: Password cracking is unethical. This demonstration serves for educational purposes and should not be recreated.

Step 1

Create a .zip password secured archive.

sudo apt-get install zip
sudo nano document.txt
zip -e document.txt

You will be prompted to enter a password.

Step 2

Now the hash of the password needs to be achieved.

zip2john > hash.txt

This command saves the hash of the password which is used to secure the archive in a hash.txt file.

Step 3

Now the hash can be cracked. The crack is only successful if the password is in the password list that john uses to compare the hashes.

john hash.txt

The passwordlist in this case is the default password list of john. However, different password lists can be used by specifying the file they are saved as.

john --wordlist=/tmp/password-list.txt hash.txt

This way john will try to crack the password with the password-list.txt password list file.

  • In the case of a successful attack, john will provide a confirmation message about the successful attack and display the password.