In the vexing pursuit of passwords that are both easy to remember and hard to crack, many people embed clues into their login credentials, choosing for instance, "playstationplaystationdec2014" to safeguard a recently created gaming account or "L0an@ w0rk!" for an IT administrative account at a financial services company. Now, a whitehat hacker is capitalizing on the habit with a tool that automates the process of launching highly targeted cracking attacks.
Dubbed WordHound, the freely available tool scours press releases, white papers, and Twitter accounts belonging to companies or sites that have recently suffered security breaches. The software then generates a list of commonly found words or phrases that attackers can use when trying to convert cryptographic hashes from compromised password databases into the corresponding plaintext passcodes. The tool, devised by security consultant Matthew Marx, was unveiled Wednesday at Passwords 14 conference in Las Vegas.
"People are influenced greatly by their environment when choosing a password," Marx, who works for consultancy MWR Info Security, told Ars. "It could be a work environment, their personal life, or the sport teams they like. I wanted to create a tool that leveraged this human vulnerability."
As Ars has documented before, crackers have an arsenal of techniques for guessing plaintext passwords when conducting offline cracking attacks. Key among them is a word list that contains anywhere from tens of thousands to hundreds of millions of base words. A variety of programming "rules" can then extend the reach of those lists. A "combinator" attack, for example, combines two or more words in the list to generate guesses such as "correcthorsebatterystaple." A hybrid attack, meanwhile, marries a standard word attack with a brute-force attack to catch passwords such as "hippopotamus9999."
But there's a limit to the tricks crackers can employ. Combinator attacks come at an exponential cost, meaning combining two words in a cracking dictionary squares the number of guesses, while combining three, four, or five words raises the power to three, four, and five respectively. Hybrid attacks can also add prohibitive burdens. People often take advantage of this limitation by choosing passwords that string together words that have relevance to their personal lives or the accounts being secured. The strategy is a bet that passwords such as "ghostrecon76", "playstationplaystationdec2014", "darksniper90", or "shadowassult9" may be easy for the account holder to remember but still provide enough complexity to evade generic password cracking attacks.
WordHound is aimed at countering this technique. Attackers can use it to crawl the website, Twitter accounts, or other online resources associated with the site or company that leaked the password hashes. The tool then builds a list of frequently found words that crackers can subject to extra scrutiny in an attempt to crack passcodes made up of memorable words that are obscured by combinations, numbers added to the end, and substitutions such as "@" for "a" or "3" for "e." Instead of running all tens of thousands or hundreds of millions of words through an especially long list of rules—an endeavor that might take a week or more to complete—WordHound allows crackers to save those techniques for only a small set of base words that are most likely to be used by attackers.
"There are some attack techniques that when coupled with complex rule sets provide computational demand that even really big rigs can't handle easily," Marx said. "If you're combining words in an English dictionary, that's huge."
Typical cracking attacks will recover a large number of passwords in early stages. Once the low-hanging fruit such as "1234567", "P@ssw0rd1", and "letmein" are found, crackers often move on to more advanced techniques, such as the combinator or hybrid attacks mentioned earlier. Another technique even involves pulling long phrases from the Bible, Twitter, or YouTube. WordHound belongs in this group of more advanced tools that are employed once easier passphrases have been cracked and attackers are looking for new sources of password guesses.
Most of the password examples included in this post were recovered by Marx using WordHound. "L0an@ w0rk!" belonged to an IT administrator from a financial services company. Others, including "playstationplaystationdec2014", "ghostrecon76", "darksniper90", and "shadowassult9", all from the recent compromise of Battlefield.
There's no perfect strategy for choosing and managing passwords, but Ars has long advised readers use long, complex passcodes that are randomly generated and stored using a reputable password manager. A detailed how-to is here. While password managers are also subject to attacks, they bypass a key pitfall, which is the inability of most people to come up with passwords that can't be guessed by determined attackers.
"People aren't capable of perfect entropy," Marx said. "When you ask them to generate a random password, there's no such thing."
By Dan Goodin