one of the challenges with keeping a system secure is making sure that no one gains access to our authentication credentials this very often includes a username and most importantly a password this password is usually something secret and we want to be able to store this information in a way so that we can verify that the user really is typing in the correct password when they log in sometimes you'll run across an application that stores passwords in the clear this means this application is storing all of these passwords in a human readable form usually in one single file that's somewhere located in this application this means if an attacker does come across this file they'll have access to every username and every password for this application if you ever find an application that is storing information in this way it's always a best practice to either not use the application or find some other method for storing those password files this is why it's always a good best practice to never store passwords as their plain text format and to always use a format that would be very difficult for an attacker to be able to discover what that password happened to be and if you are using an application that is storing all of these passwords in a non-hashed in theclear method you should consider using a different application or finding a way to modify the current application to store this information securely this is where hashing steps in hashing is a way to represent data as a fixed length string of text you'll often hear this referred to as a message digest or very often as a fingerprint for example us humans could capture our fingerprint and someone else could be able to compare fingerprints to see if one of those happened to match me what you can't do is take that fingerprint and somehow reconstruct the individual it was associated with this works the same way with cryptography we can take a hash of a password and if we want to take another hash later to compare those hashes we would be able to determine if someone was using the same password one interesting characteristic of hashing is that different types of inputs will create very different types of hashes this allows us to have passwords stored in this hash form but have no way to tell how long that password is how complex the password might be or what the differences are between one password and another hashing is also not the same thing as encryption you can't undo the hash and somehow recreate the password the stored file or the video document this makes hashing a very useful way to store passwords because there's no way to look at the hash and have any idea what your password happened to be let's look at an example of some passwords and what the resulting hash is the hashing algorithm we're using in this example is Shaw 256 so you could try taking these same passwords putting them through a SHA 256 hash generator and you would come up with exactly the same hashes that I have here for example I took the password 1 2 3 4 5 6 and you can see the resulting hash for that password i also took the password of 1 2 3 4 5 6 7 and you can see that the resulting hash is very different than the one that was just one character off this is also an important characteristic of hashing that every password even if it's changed just a little bit results in a very different hash here's also the hashes for query you can see it listed out and the password for the word password and you can see that hash notice also that each one of these hashes is exactly the same length even though the passwords we used had a different number of characters you can view these hashes in your operating system if you know where to look i grabbed one of my Linux boxes and looked at the shadow file which contains all of the usernames the user ID numbers and the hash associated with each user's password this is obviously a protected file in the Linux operating system and not everybody has access to this information because if you know the hash there are things you can do to try to determine what the password might be i mentioned earlier that we can't reverse engineer a hash and somehow come up with the original data this is a one-way trip when we're hashing so one of the ways that we could take a hash and determine what the password might be will be to try every possible combination of letters numbers and characters and compare those combinations to the hash that we have currently stored we refer to this as a brute force attack as you can imagine going through every possible combination of letters numbers and special characters might take quite a bit of time and the longer the password the longer it takes to cycle through a brute force attack for that particular hash let's try a brute force attack against a hash to see what that might entail i have a single hash on the screen and currently we don't know what password is associated with that hash so we're going to start performing a brute force attack we know on this system that it can take a minimum of five characters as a password so we will start with the password a a a that's five characters of a and you can see the hash associated with five a's if we compare this with the hash that we've stored we can see that these are very different hashes so we know that the password associated with our hash is not a a aa let's try the next one in this list which would be a a a b and we'll get the hash we can see those don't match so we'll go to the next which is a a a c and compare those hashes and those hashes don't work either so we will continue going through this cycle of changing one character at a time to try to determine if we can find a matching hash eventually you will find a hash that does match we finally found one when we reached the ps combination and if we see the hash for the word password we can see that it matches the original hash therefore we've finally been able to perform a brute force attack and determine that our stored hash is for the word password depending on the system that you're using what you're searching for and the process that you're using to perform this brute force this could take a number of minutes it could take hours or it could take days if you were doing this interactively with an online brute force then you would manually type in a username and manually try a password you would perform this multiple times so you would log in with professor messor.com and try the password a aaa that didn't work so let's try the next one the professor messor login with the password of a aab that one did not work either and you continue cycling through until you find the right password the problem with doing this online of course is that most accounts are going to lock out after a small number of failed password attempts which means even if you do come across the correct password the system has already locked out that account and it will not tell you that you've actually found the right password this is why most attackers prefer an offline brute force attack once attackers gain access to that hash password file they can then download that file and begin performing an offline brute force attack this is much faster than performing an online brute force this allows them to calculate the password hash compare it to what is stored see if there's a match and if there isn't they can increment that brute force value and make another comparison this is obviously going to cycle through thousands and thousands of potential password attempts as we go through the process of trying to brute force just one single hash in that file so we can take that shadow file that I gathered from my Linux machine we can now see all of the hashes associated with these and now the attacker can sit offline and cycle through all of these in an attempt to determine what these passwords might be attackers can also speed up this process by using cloud-based resources where they can have multiple devices across many different locations all working together to try to reverse engineer all of these hashes instead of going through every possible combination of letters numbers and special characters why don't we focus on words that humans tend to use this will certainly speed up the brute force process because we're not checking every possible combination and we might actually run across some passwords because humans like to use words that we recognize we refer to this type of directed attack as a dictionary attack this is because we're using words that you might find in any type of dictionary you might also find custom word lists as well if you're trying to brute force passwords that are associated with a law firm or with a hospital you might want to use a dictionary attack that specializes in those types of terms some of these dictionary attacks can even enhance the search process by adding in or changing different letters as part of that dictionary attack so instead of using the word password of all characters it might automatically change the A to an amperand the O to a zero and so on this obviously still takes time to go through the brute force process but we're obviously using a much smaller group of words to be able to brute force this speeds up the overall process and might give you a large percentage of passwords if you have users that like to use passwords with letters and numbers or jumbled up phrases then a dictionary attack probably is not going to identify those specific passwords but if you have people using a password like ninja that's a very easy one to find in a dictionary attack the same thing applies to passwords such as dragon football let me in or the password of password although passwords do provide a very useful factor during the authentication process you can see now why we might want to add additional factors along with our username and password