Password Cracking in Facebook: How Far Perfect?


Did you know that most users create weak, easily broken passwords in a matter of minutes? The following application, written in jQuery, is designed to evaluate the strength of a password. Instant visual feedback gives the user a way to improve the robustness of their password. Does your password meet the security criteria? To make the test easier to follow, we have fully translated it into Italian. You can now check your passphrase through a visual evaluation of its strengths and weaknesses. So how do you hack a Facebook account? Find your options with Siczine.

Notions, algorithms and brute force

It is useful to know that Facebook's passwords are stored in a database as hashes, and in some cases their security is compromised by obtaining those hashes through an SQL injection attack. This is all the more true when the passwords in question are hashed with a plain MD5 or SHA1 function. Hashing is irreversible and the resulting string cannot be traced back to the original data, but today's cracking can draw on rainbow tables, gigantic collections of pre-calculated hashes available online; the linked site alone contains about 124 billion terms. To counter this type of attack, the salt was introduced: a pseudo-random value that the server adds to the password before hashing it. With this expedient, the hashed password yields a different value every time, even when starting from the same term.

In summary, this algorithm reads the password chosen by the user, adds a pseudo-random value (the salt) and hashes the result irreversibly. In this way the rainbow-table attack fails and the attacker has to fall back on brute force or a dictionary attack. Like Facebook, this blog also implements this algorithm.

You can learn more about this interesting topic by reading the article entitled Password hash attack. The next script is calibrated to calculate how long it would take an attacker, using a brute force attack, to break into your Facebook account, under the absurd assumptions that he has gained access to the database, that he holds the salted hash of your password (the stored data) and that he can attempt two billion combinations per second.

One of the most common and most used passwords in the world in 2013 was the word password1, and to break it in the supposed scenario it would still take 13 hours and 54 minutes. Obviously mine is a surreal hypothesis, and reality is quite different.
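The two ideas above, the worst-case brute force estimate at the article's assumed rate and the salted hash that defeats rainbow tables, as an added example that is not the article's own script and not Facebook's scheme. It assumes the smallest standard alphabet (lowercase, uppercase, digits, symbols) that covers the password, and uses PBKDF2-HMAC-SHA256 as my choice of a salted, deliberately slow hash.

```python
import hashlib
import os
import string
from typing import Optional, Tuple

# Guess rate the article assumes for an offline attacker: two billion per second.
GUESSES_PER_SECOND = 2_000_000_000


def charset_size(password: str) -> int:
    """Size of the smallest standard alphabet covering every character in the password."""
    classes = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26), (string.digits, 10)]
    size = sum(n for chars, n in classes if any(c in chars for c in password))
    if any(c not in string.ascii_letters + string.digits for c in password):
        size += 33  # printable ASCII punctuation and symbols
    return size


def brute_force_seconds(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst case for brute force: every string of this length over the inferred alphabet."""
    return charset_size(password) ** len(password) / rate


def hash_unsalted(password: str) -> str:
    """Plain MD5: identical for every user with the same password, so a rainbow table finds it."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None,
                iterations: int = 100_000) -> Tuple[bytes, str]:
    """Salted slow hash: a fresh random salt per user makes precomputed tables useless,
    and the iteration count cuts the attacker's guess rate well below the assumed 2e9/s."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest.hex()


def verify_salted(password: str, salt: bytes, expected: str, iterations: int = 100_000) -> bool:
    """Check a login attempt against the stored (salt, digest) pair."""
    return hash_salted(password, salt, iterations)[1] == expected


if __name__ == "__main__":
    pw = "password1"  # the 2013 favourite mentioned in the article
    hours, rem = divmod(brute_force_seconds(pw), 3600)
    print(f"{pw!r}: alphabet {charset_size(pw)}, worst case {int(hours)} h {int(rem // 60)} min")
    print("unsalted md5:", hash_unsalted(pw))
    for _ in range(2):  # same password, two different salts, two different digests
        salt, digest = hash_salted(pw)
        print("salted      :", salt.hex(), digest[:16] + "...")
```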

Keep in mind that today, trying 10 consecutive passwords on Facebook's servers takes about 10 seconds with a Python script, after which the security measures kick in: any further attempt to access the system is blocked for a few minutes, and to continue you must enter a captcha code. If login approval is active on the account being attacked, then even if you managed to recover the password all the work would be in vain, since a temporary 6-digit security code, sent to the victim's cell phone, is required to access the account from an unknown browser.