Can your passwords withstand threat actors’ dirty tricks?

Password security hinges on the answer to that seemingly simple question. Unfortunately, you can’t know the answer until you’ve engaged a ruthless penetration tester to find out if your environment can stand up to the frighteningly good password cracking skills of today’s most nefarious hackers.

The whole purpose of hiring skilled penetration testers (“pentesters”) is to find out if your environment is truly impenetrable — and if it’s not, exactly how you should shore up your defenses. Good pentesters and red teamers spend their time trying to simulate and emulate the real bad actors. After all, what’s the point of pressure-testing your IT infrastructure if you don’t use the same pressure that you’ll face in the real world?

You should “train like you fight.” Without sparring, how can you expect to jump into a boxing ring and go a few rounds with a skilled boxer? That’s the entire point of goal-based penetration testing and red/purple team engagements that simulate real-world threat actors.

The hardware for password cracking

The best teams equip their testers with world-class tools. After all, bad actors have invested a lot in the technology they use to attack you. Your testers should absolutely take the same approach. While there are many aspects to consider when building stronger overall security in your organization, one area where adversaries invest time and money is in having a frighteningly good password cracking infrastructure.

Believe it or not, attackers can buy off-the-shelf hardware that supports password cracking efforts. While there’s a small assortment of hardware vendors that cater to password cracking specifically, there’s a much larger segment that builds systems for AI/ML needs. This hardware serves mostly the same purpose: high-performance computers with beefy GPUs onboard that can facilitate massive parallel work efforts.

For example, for less than six figures, you can buy 2 or 3 4U rackmount servers with super-fast processors, gobs of RAM and SSD, and up to 8 Nvidia GeForce 3090 GPUs in each box.

This setup can run trillions of password guesses per second. Think about that: Trillions of guesses per second is so fast that that it can brute force every possible password candidate between one and eight characters — using any combination of uppercase, lowercase, digits, and special characters — in less than one hour. It can brute force passwords in the 9-12 character range too, if attackers just complement its speed with a few basic rules, masks, and dictionaries.

The home-grown setup I’m describing is more lethal to password security than you might think. In fact, this Frankenstein-like collection of hardware wouldn’t start showing any strain until it was going after passwords with 15+ characters. Even then, threat actors could still crack a decent share of passwords, given enough dwell time and contextual information from a compromised environment.

All sorts of password hashes can be subject to these types of attacks. Windows NT hashes (how your local Windows password is stored), web accounts, databases, file encryption, and even password managers are protected by password hashing.

So, that’s the bad news.

The good news? Hefty password cracking infrastructure, when used by pentesters (instead of real-world adversaries), can bring a ton of value and insight into your testing program. It can:

• Reveal flaws in your password security. Have you ever struggled to justify the investment in tech solutions such as multi-factor authentication (MFA)? If your bosses believe that user passwords are sufficient to protect user accounts and associated applications, pentesters can use password cracking to quickly prove them wrong. More to the point, by cracking your passwords, they can give you the documented proof you may need to convince upper management that MFA is an absolute necessity.
• Recover your passwords after an incident. In my own endeavors as a pentester, I’ve had engagements where clients have lost passwords to critical accounts because of an attack, as well as situations where a customer needed to open password-protected files left behind by an attacker. Having a pentesting partner on your side can help you in these types of tense situations, since password cracking enables recovery teams to accomplish tasks like this with unprecedented ease and speed. Think of this as the password security equivalent of fighting fire with fire.
• Provide insight into the psychology — and security risks — of poor password creation habits. Too many users choose passwords in several predictable ways. Lots of people fall into a common pattern of using seasons, places, and names. And you’d better believe your adversaries are gathering the very same insight. The more we know, the better we can help you educate your users and set smart policies to optimize password strength.

Of all the benefits you can gain from password cracking by qualified pentesters, one of the most dramatic is the long-term knowledge and insight it provides on how your adversaries behave. These insights can help make your organization stronger in the short term. In the longer term, these insights are how we can continually optimize better, more capable security solutions that serve the greater good of society.

Building and maintaining password cracking infrastructure isn’t easy. Pentesters creating these types of tools will face cooling and power limitations, vendor hassles, and even GPU shortages. It takes a lot of ongoing work to keep systems tuned and continually optimized to address ever-shifting hacking requirements.

But the hard work is ultimately going to be worth it – particularly for organizations needing blunt honesty when it comes to their password security. The more true-to-life your pentesters can behave when moving around your environment and the more skilled they are at breaching your environment, the stronger you’ll be if a bad actor should attempt to gain access.

Password cracking will continue to evolve – and so should your penetration testing tactics and plans. By the time you get to your fourth or fifth round with a quality pentesting consultancy, your risk mitigation will have dramatically improved — which means you’ll be able to move on to the next stage of security maturity.