https://themarkup.org/newsletter/hello- ... rd-cracker
Gosney: Typically, when we talk about password cracking, we’re talking about offline password cracking, which is where someone has obtained a copy of a password database. The passwords in the database are almost never in plain text (text humans can read with their eyes). They’re scrambled using what’s called a hash function. The only way to crack a password is essentially to play a guessing game, where you run password guesses through the same hash algorithm that was used to produce the hashes in the database, and you compare the results. If you end up with two hash values that are the same, then we know what the password was. There’s also online password cracking, which is where someone is either typing into a log-in field to manually guess passwords, or they’re using a computer program to automatically try values in that form field.
We focus on offline cracking, where someone has a copy of the password database, and it doesn’t mean they’ve obtained this illegally. Some people, like the information security team of a corporation, will intentionally try to crack the corporation’s passwords to test the effectiveness of their corporate password complexity policy. They want to identify the weak passwords before a malicious actor can. Another legitimate case for password cracking is if someone in accounting encrypted a spreadsheet and then got hit by a bus and other employees needed access to that document. The enterprise might attempt to crack the password for the document or hire someone like me to do that. There’s a plethora of legitimate use cases...
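The guess-and-compare loop described in the interview, written as the kind of internal password-policy audit it mentions. This is an added example, not part of the interview; the record layout, the use of salted PBKDF2-HMAC-SHA256, the sample accounts and the guess list are all constructed assumptions.

```python
import hashlib
import hmac

ITERATIONS = 1000  # assumption: kept low so the example runs quickly


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Hash a password the same way the (constructed) database does."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(user: str, password: str, salt: bytes) -> dict:
    """Build one constructed database row: only salt and hash are stored."""
    return {"user": user, "salt": salt, "hash": hash_password(password, salt)}


# Constructed sample database, standing in for the copy an internal team audits.
SAMPLE_DB = [
    make_record("alice", "Summer2024!", b"\x01" * 16),
    make_record("bob", "correct horse battery staple", b"\x02" * 16),
    make_record("carol", "Password1", b"\x03" * 16),
]

# Constructed guess list, standing in for a list of known-weak passwords.
GUESSES = ["123456", "Password1", "Summer2024!", "qwerty"]


def audit(db: list, guesses: list) -> list:
    """Return the users whose stored hash equals the hash of some guess.

    Each guess is run through the same hash function, with the record's own
    salt, and the result is compared to the stored value. Only the account
    names are reported, so the audit output does not contain passwords.
    """
    flagged = []
    for record in db:
        for guess in guesses:
            candidate = hash_password(guess, record["salt"])
            if hmac.compare_digest(candidate, record["hash"]):
                flagged.append(record["user"])
                break  # one match is enough to flag the account
    return sorted(flagged)


if __name__ == "__main__":
    for user in audit(SAMPLE_DB, GUESSES):
        print(f"{user}: password is on the weak list, require a reset")
```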