Just so this isn't only about failures, let's have a bit of fun with password cracking (can't wait, uh?).
In my last group project I had to deal with hashcat to crack hashed passwords, but, more importantly, I had to understand how a good Open Source INTelligence (OSINT for friends) activity can make a significant difference in this kind of work.
First step: thanks to a cool Python script designed by my good friend Dogan, we generated 1000 fake profiles, each with a corresponding password hashed with the SHA-512 algorithm.
Then, using a tool called PassGPT, we obtained a first wordlist to try to crack the passwords. In this screenshot you can see the results:
So, basically, just 12 passwords were discovered. Promising, but not yet satisfactory.
Second step: we decided to include rockyou, a list of over 14 million plaintext passwords from the 2009 RockYou hack (more info on this here). But...
Another pass bites the dust.
Third step: at this point we've used a wordlist based on the personal information of the profiles and...
BANG! All passwords cracked.
So, what can we learn from this?
- Ensure your passwords are a robust mix of randomness and length (as you can learn from the amazing xkcd comic in the cover image).
- Passwords alone are not sufficient; always use Multi-Factor Authentication (MFA) to secure your accounts, especially for sensitive corporate information. Always remember: don't be the weak link that could lead to significant security setbacks. You can find the complete project here (yeah, I know, hash_and_crack is a great name).
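To make the three steps concrete from the defender's side, here is an added example (my own code, not part of the hash_and_crack project or Dogan's generator). It builds the same kind of profile-derived candidate list the third step relied on, uses it as a pre-registration check that rejects passwords guessable from someone's public information, shows why an unsalted SHA-512 digest offers no protection once the right candidate is in the wordlist, and puts a number on the xkcd "length beats cleverness" point. The profile, the suffix list and the casing rules are constructed assumptions for illustration; the project's real generator and wordlists are not reproduced here.

```python
import hashlib
import math
from itertools import product
from typing import Dict, Optional, Set

# Constructed sample profile for the example; not one of the 1000 generated profiles.
SAMPLE_PROFILE: Dict[str, str] = {
    "first_name": "Maria",
    "last_name": "Rossi",
    "birth_year": "1987",
    "city": "Torino",
    "pet": "Luna",
}

# Assumption: a small, illustrative set of suffixes people append to personal words.
COMMON_SUFFIXES = ["", "!", "1", "123"]


def sha512_hex(password: str) -> str:
    """Unsalted SHA-512 digest, the scheme used for the fake profiles in the post."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


def profile_candidates(profile: Dict[str, str]) -> Set[str]:
    """Build the candidate strings a profile-based wordlist would contain.

    Each profile value is taken in a few casings, alone or joined with one
    other value, with a common suffix.  A defender runs this at password
    selection time to refuse anything that is derivable from the user's
    own public information.
    """
    tokens = {v for v in profile.values() if v}
    variants: Set[str] = set()
    for t in tokens:
        variants.update({t, t.lower(), t.upper(), t.capitalize()})
    candidates: Set[str] = set()
    for a in variants:
        for suffix in COMMON_SUFFIXES:
            candidates.add(a + suffix)
    for a, b in product(variants, repeat=2):
        if a.lower() != b.lower():  # skip MariaMaria-style doubles
            for suffix in COMMON_SUFFIXES:
                candidates.add(a + b + suffix)
    return candidates


def is_derivable_from_profile(password: str, profile: Dict[str, str]) -> bool:
    """Policy check: True means the password should be rejected."""
    return password in profile_candidates(profile)


def cracks_hash(digest_hex: str, profile: Dict[str, str]) -> Optional[str]:
    """Emulate the third step against one unsalted SHA-512 digest:
    hash every profile candidate and compare.  Returns the plaintext on a hit."""
    for cand in profile_candidates(profile):
        if sha512_hex(cand) == digest_hex:
            return cand
    return None


def passphrase_entropy_bits(num_words: int, dictionary_size: int) -> float:
    """Entropy of a passphrase of num_words words drawn uniformly from a
    dictionary of dictionary_size words (the xkcd argument in numbers)."""
    return num_words * math.log2(dictionary_size)


if __name__ == "__main__":
    for pw in ("Luna1987", "mariarossi!", "correcthorsebatterystaple"):
        print(pw, "derivable from profile:", is_derivable_from_profile(pw, SAMPLE_PROFILE))
    print("recovered:", cracks_hash(sha512_hex("mariarossi!"), SAMPLE_PROFILE))
    print("4 words from 2048:", passphrase_entropy_bits(4, 2048), "bits")
```

Two things worth noticing when you run it: the candidate set is only a few hundred strings, yet it recovers any password built from the profile instantly, because plain SHA-512 is a fast hash and every candidate costs one call. A salted, deliberately slow password hash (bcrypt, scrypt, Argon2) would not have made these passwords unguessable, only more expensive per guess; the real fix is the check in `is_derivable_from_profile` plus length, which is what the entropy figure for a four-word passphrase illustrates.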
On the bright side: I've just passed my SC900 exam (the terribly boring Microsoft certification on Security, Compliance, and Identity)
On the flip side: I'm still looking for a job, an internship or anything that can help me gain real-world experience
But hey, I've also reached my 4 kyu rank on Codewars!
Something to read: Kate Beaton - Ducks
Something to listen to: Totorro - Sofa So Good
Something to watch: Paying for It