Create a Simple Brute-Force Password Cracker in Python

Introduction

In today’s digital age, securing our online accounts is more important than ever. One crucial aspect of this security is password hashing. Password hashing transforms your plain-text password into a fixed-size string of characters, which makes it difficult for attackers to retrieve the original password even if they gain access to the hashed data. However, it’s essential to understand that not all hashing methods are foolproof, especially against brute-force attacks.

In this article, we’ll explore password hashing, demonstrate a simple Python password cracker (that uses brute-force technique), and understand why strong passwords are essential. Remember, this is for educational purposes only and should not be used for any unethical activities.

Recommended: Create a Strong Password Generator in Python

Important Note

This tutorial is intended for educational purposes and aims to provide a better understanding of password hashing and brute-force attacks. It is a part of Cybersecurity Education and does not promote or condone any unethical or illegal usage of the knowledge shared here. Always use your skills responsibly and ethically.

What is Password Hashing?

Password hashing is a one-way cryptographic function that converts a plain-text password into a fixed-length string of characters, typically using algorithms like SHA-256, bcrypt, or Argon2. Unlike encryption, hashing cannot be reversed. The primary goal is to store passwords securely, so even if the database is compromised, the attackers can’t easily retrieve the original passwords.

Understanding Brute-Force Attacks

A brute-force attack is a method where an attacker tries every possible combination of characters to guess a password. While it’s a straightforward approach, its feasibility depends on the password’s length and complexity. Longer and more complex passwords exponentially increase the time required for a successful brute-force attack, thus enhancing security.

A Simple Brute-Force Password Cracker in Python

To illustrate how a brute-force attack works, we’ll create a simple Python program. This program will hash a given password using the SHA-256 algorithm and attempt to crack it by trying all possible combinations of alphanumeric characters up to a certain length.

import hashlib
import itertools
import string
import time

def hash_password(password: str) -> str:
    # Hash a password using SHA-256
    return hashlib.sha256(password.encode()).hexdigest()

def brute_force_crack(hashed_password: str, max_length: int) -> str:
    chars = string.ascii_lowercase + string.digits
    for length in range(1, max_length + 1):
        for guess in itertools.product(chars, repeat=length):
            guess_password = ''.join(guess)
            if hash_password(guess_password) == hashed_password:
                return guess_password
    return None

def main():
    # Define the target password and hash it
    target_password = "abc123"  # You can change this to any short password
    hashed_password = hash_password(target_password)
    
    # Print the hashed password
    print(f"Hashed password: {hashed_password}")
    
    # Start the brute-force attack
    max_length = 6  # Limit the scope to short passwords
    start_time = time.time()
    cracked_password = brute_force_crack(hashed_password, max_length)
    end_time = time.time()
    
    # Display results
    if cracked_password:
        print(f"Password found: {cracked_password}")
    else:
        print("Password not found within the given length limit.")
    
    print(f"Time taken: {end_time - start_time:.2f} seconds")

if __name__ == "__main__":
    main()

Explanation of the Program

1. Hashing Function:
   • The ‘hash_password‘ function takes a plain-text password and returns its SHA-256 hash. This is the first step in securing passwords before storage.
2. Brute-Force Function:
   • The ‘brute_force_crack‘ function attempts to find the plain-text password by generating all possible combinations of lowercase letters and digits up to a specified length. It then compares the hash of each combination to the target hash.
3. Main Function:
   • The ‘main‘ function defines the target password, hashes it, and starts the brute-force attack. It also measures the time taken to crack the password.

Output

Hashed password: 6ca13d52ca70c883e0f0bb101e425a89e8624de51db2d2392593af6a84118090
Password found: abc123
Time taken: 68.11 seconds

Results and Importance of Strong Passwords

As you notice in the output, short passwords can be cracked relatively fast. For example, a 6-character password consisting of lowercase letters and digits might be cracked in a matter of seconds. However, as the length and complexity of the password increase, the time required for a brute-force attack grows exponentially.

This highlights the importance of using strong, complex passwords. A strong password typically includes:

• A mix of uppercase and lowercase letters
• Numbers
• Special characters
• A minimum length of 15 characters

Visit Also: Create an Advanced Port Scanner using Python

Summary

In this article, we demonstrated the critical concepts of password hashing and brute-force attacks through a practical Python password cracker example.

We learned how password hashing secures your plain-text passwords and the importance of understanding brute-force attacks for cybersecurity education. We demonstrated the limitations of short and simple passwords that highlighted the importance of using strong, complex passwords to enhance online security.

Remember, this tutorial is designed for educational purposes only, emphasizing the ethical use of cybersecurity knowledge.

Got questions? Feel free to reach out at contact@pyseek.com. Happy Coding!