Cracking more password hashes with patterns

Tatli E. I.

IEEE Transactions on Information Forensics and Security, vol.10, no.8, pp.1656-1665, 2015 (SCI-Expanded) identifier identifier

  • Publication Type: Article / Article
  • Volume: 10 Issue: 8
  • Publication Date: 2015
  • Doi Number: 10.1109/tifs.2015.2422259
  • Journal Name: IEEE Transactions on Information Forensics and Security
  • Journal Indexes: Science Citation Index Expanded (SCI-EXPANDED), Scopus
  • Page Numbers: pp.1656-1665
  • Keywords: Password security, authentication, data security, dictionary attacks, hash cracking
  • Istanbul Medipol University Affiliated: Yes


It is a common mistake of application developers to store user passwords within databases as plaintext or only as their unsalted hash values. Many real-life successful hacking attempts that enabled attackers to get unauthorized access to sensitive database entries including user passwords have been experienced in the past. Seizing password hashes, attackers perform brute-force, dictionary, or rainbow-table attacks to reveal plaintext passwords from their hashes. Dictionary attacks are very fast for cracking hashes but their success rate is not sufficient. In this paper, we propose a novel method for improving dictionary attacks. Our method exploits several password patterns that are commonly preferred by users when trying to choose a complex and strong password. In order to analyze and show success rates of our developed method, we performed cracking tests on real-life leaked password hashes using both a traditional dictionary and our pattern-based dictionary. We observed that our pattern-based method is superior for cracking password hashes.