Visualising password cracking

Password cracking is the process of recovering passwords from data that have been stored in or transmitted by a computer system. As a topic, password cracking remains a major focus of security researchers in the area of usability and security. The time to crack a password is related to bit strength, which is a measure of the information entropy of the password. Most methods of password cracking require the computer to produce many candidate passwords, each of which is individually checked. The range of tools available for cracking password are complex because the selection of the tool is intricately connected to the social context and the focus of use for each password. One example of password cracking is ‘brute-force’ cracking, in which a computer tries every possible key or password until it succeeds. More common methods of password cracking, such as ‘dictionary attacks’, ‘pattern checking’, ‘word list substitution’, and others, attempt to reduce the number of trials required and will usually be attempted before brute force is decided upon. Higher password bit strength increases exponentially according to the number of candidate passwords that must be checked, on average, to recover the password and re- duces the likelihood that the password will be found in any cracking dictionary. Using a ‘leaked’ list of fourteen million passwords from the RockYou website, we explored a number of approaches, in order to gain better understanding of such bigger data sets and how they may be interpreted. These tests focussed on visualising processes through which it might be possible to crack passwords and demonstrated the complexity of tools involved in one single attack goal. In this context the focus is on the potential of such visualisations to inform about social practices in connection with password usage, not only the user of the TREsPASS tools but also a broader audience, and thus to create a critical awareness of how to improve password-related practices. By default, a contextually thin dataset can still feed into the research of wider social patterns, even social trends.

Flows that show the amount of generated guesses on leaked hashes (shown as a grey gradient). This allows for visual approximation of the efficiency of each rule. The elements in this figure consist of the word list (on the left), a rule set (in the middle) and the passwords that can be cracked by applying the various rule sets (right).
Flows that show the amount of generated guesses on leaked hashes (shown as a grey gradient). This allows for visual approximation of the efficiency of each rule. The elements in this figure consist of the word list (on the left), a rule set (in the middle) and the passwords that can be cracked by applying the various rule sets (right).

Visualisations can be used to abstract the different cracking method types into technique groups and to align and compare the technique groups. Such visualisation techniques therefore combine abstraction with the use of different views to reduce the complexity and improve the cognitive load for the viewer. As an example, the figure above shows different ‘rules’ modifying dictionary words to reach observed passwords. The colour of the flows highlight nicely which rules are most successful in identifying passwords, thereby informing users about the most common rules that therefore rather should be avoided when creating new passwords. Although passwords are a contextually thin material to work with, it is still possible to distill a context from them. It is possible to derive abstractions from them and to then use a large amount of this data to determine contextual patterns. In this particular case, the fourteen million password list was mapped against the categories inside of Wikipedia. Each found word, fits in a certain category, and that category is often again to be found in another category. In this way, it is possible to visualise which types of passwords people choose over certain times.

Visualisation of a first ontology of 14 million passwords. Each password in the list was mapped against all categories of Wikipedia, recursively, to build this ontology.
Visualisation of a first ontology of 14 million passwords. Each password in the list was mapped against all categories of Wikipedia, recursively, to build this ontology.

 

Detail of the previous figure.
Detail of the previous figure.

It will also possible to use similar techniques in order to build ontologies, that can for instance be used to automatically detect actions, locations, or assets in the Attack Navigator, and thus to figure out its own context. This is one way in which visualisations can use the information that they convey to structure a general framing of analysis.

Download PDF for all visualisation experiments on cracking passwords.