Connect with us

Hi, what are you looking for?


Incident Response

Combating Password Cracking Tools in the Enterprise

Mitigating Password Cracking

Report Highlights Need for Enterprises to Implement Proper Password Security Policies and Procedures, Treat as Highly Valuable Data.

Mitigating Password Cracking

Report Highlights Need for Enterprises to Implement Proper Password Security Policies and Procedures, Treat as Highly Valuable Data.

Imperva, the data security company that recent went public, today released a report detailing the growing level of information and tools available to help hackers breach passwords, and some of the things organizations can do in order mitigate the effectiveness of password crackers.

The report, “Imperva Enterprise Password Worst Practices,” follows a 2009 report from the company on poor consumer password practices.

As part of its research, Imperva analyzed a list of nearly 100,000 passwords that were exposed following a data breach at, a website for film enthusiasts.

What did they learn? First off, FilmRadar had stored user passwords in a digested format, using the SHA1 hash function, a common method used to secure applications and protocols. But according to Imperva, storing user passwords in this manner isn’t enough.

“Contrary to common belief, cryptographic hash functions in general – whether they are SHA-1 or any other cryptographic function – are not impervious to hackers,” the report notes. “The strength of a hash function, even if mathematically proven to be unbreakable, does not play a role in the cracking game.” The security function or algorithm itself doesn’t matter so much, as attackers can bypass the cryptographic measures and guess the hashed passwords.

Storing Passwords Best PracticesHow is this done? Attackers often use two common techniques in their quest to crack passwords: Rainbow tables and Dictionaries.

Rainbow tables are precomputed sets of data containing hash values from many combinations of alphanumeric characters. Although creating the rainbow tables is a lengthy process, they are created only once. When a hash value is obtained it can be quickly looked up in the table to find the corresponding password. Easy right? Yes and no. As the length of passwords grow, the process and computational power becomes increasingly difficult.

Advertisement. Scroll to continue reading.

But hackers believe firmly that creating such tables are a worthwhile investment, since after the rainbow tables are generated they can be used over and over again. In its research, Imperva identified a hacker website that developed a 50 billion value rainbow table and made it available to the public.

Password cracking tools that make use of rainbow tables and dictionaries are abundant, with most available free for anyone to download. Some popular cracking tools include MD5 decrypter, Cyberwar Zone, Cain and Able, and John the Ripper.

Dictionaries. About as simple as it gets, password dictionaries list common passwords together with a pre-calculated hash value. Using the data, a hacker can compare a digest with the pre-computed values to determine a match. Dictionary attacks continue to be an effective technique to crack passwords since many people have the tendency to use common passwords.

While many consumer-oriented websites have been the subject of recent cyber attacks, including the likes of FilmRadar.Com, RockYou.Com, Sony, and many more, Imperva thinks its time for more enterprises to get more serious about password protection and treat passwords as as highly valuable data.

“Instead of consumers, we believe responsibility rests on enterprises to put in place proper password security policies and procedures as a part of a comprehensive data security discipline,” explained Imperva CTO Amichai Shulman.

So what can site owners do to mitigate the effectiveness of password crackers?

To help protect against rainbow table attacks, Imperva recommends “salting”. A salt value is a random value pre-pended to the password before it gets encrypted. How is it effective? The added value increases the computational resources required to break the passwords exponentially. According to Imperva, a salt of just a three bit length increases the storage and pre-computation time of rainbow tables eightfold.

It’s important to know that “salting” by no means makes passwords hack-proof, it just increases the resources required to guess a password.

Other steps that Imperva recommends enterprises undertake in order to mitigate password breaches include:

Using passphrases: Allow users to choose longer passwords that are easier to remember. Passphrases provide the necessary length yet do not require the user to write down the secret on a note left on the worker’s desk.

Enforce strong password policy: This doesn’t mean just applying restrictions on the character types, but also by comparing against dictionaries used by attackers. Microsoft recently banned the usage of common passwords in Hotmail. This also means defining and banning site-specific passwords, as well as banning numerical or keyboard sequences.

While passwords are a common and convenient authentication method, when stored incorrectly they can cause many headaches in the event of a breach. Passwords in the enterprise need to be treated by developers and security teams as highly valuable data – even if other security mandates such as PCI compliance don’t apply.

The full report from Imperva is available here in PDF format.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Incident Response

Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.

Incident Response

Meta has developed a ten-phase cyber kill chain model that it believes will be more inclusive and more effective than the existing range of...

Incident Response

Cygnvs emerges from stealth mode with an incident response platform and $55 million in Series A funding.

Artificial Intelligence

Two new surveys stress the need for automation and AI – but one survey raises the additional specter of the growing use of bring...