A sad start
Just before Christmas one of my colleagues, Ken, received the sad news that the father of a friend had passed away. He was a tech-savvy gentleman and had invested in smart tech to make his and his family’s life easier and, just as we recommend, he used strong and unique passwords everywhere. He stored all his passwords in an encrypted Excel spreadsheet… the only issue was that none of his family knew the password. They were locked out of everything.
Because of my experience running the password auditing service, Papa, Ken asked if I could crack the password on the Excel spreadsheet, and of course, I was happy to help.
What did I do?
I used the office2john Python script to extract the hash from the Excel file so that I could use Hashcat on our most powerful password cracking server.
I started with some brute forcing up to 9 characters before moving on to trying several dictionaries with multiple rules. Nothing worked. It wasn’t a simple password.
The family suggested words that he may have used, and I tried many combinations of these to no avail. I left some brute force tasks running over the weekend before Ken let me know that the family had noticed some common formats in the passwords he used. This is key. If you know the format of a password, then it can become trivial to attack. In this instance, the format was <word><number><exclamation><word>. That explained why the dictionary attacks with rules and the brute force attacks were failing: the rules never produced a second word, and 13 characters is far beyond a brute force run.
Hashcat limitations
Unfortunately, Hashcat can be quite limiting in the attacks it can perform. It’s not possible to simply put that format into Hashcat and let it run. I had to create a custom dictionary from around 80,000 English words and then add digits and an optional exclamation character to each word. I could then use the Combinator attack in Hashcat (-a 1, which concatenates every entry of the first list with every entry of the second) to combine this custom dictionary with my original list of 80,000 English words. On the command line, that looks something like this:
hashcat -m9800 -a1 excel.hash wordsAndNumbers.txt english-88k-upper.txt
It’s a lot of combinations and most people would think that would be uncrackable within a reasonable time, but when you have a password cracker that’ll crack more than 10 billion hashes per second, the password was cracked in under a minute! Whoop! He had used a 13-character password with a mix of character classes. The only weakness was that it contained two dictionary words, which significantly reduced the strength.
This is why we don’t recommend mandating a password format for our customers, such as ThreeRandomWords. It’s fine for online accounts which are subject to an account lockout policy, but for anything that can be attacked offline, such as a compromised database, they are not secure. The important considerations are length and not using dictionary words. Of course it’s a bit more complicated than that, and there is a whole other blog on password policy guidance.
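To put numbers on the two points above (why the format attack succeeds, and why the same 13 characters without dictionary words would not fall offline), here is an added example. It is not the author’s script or part of the original post; the four-word sample list, the two-digit cap and the 72-character brute force alphabet are constructed assumptions, while the 80,000-word list and the 10 billion hashes per second rate are the figures quoted in the post.

```python
"""Keyspace estimate for the <word><number><exclamation><word> format."""
from itertools import product

# Constructed sample word list; the author's real list had ~80,000 words.
SAMPLE_WORDS = ["winter", "garden", "river", "castle"]
HASH_RATE = 10_000_000_000  # hashes per second, as quoted in the post


def left_candidates(words, max_digits=2):
    """Left-hand list for the combinator attack: word + 1..max_digits digits,
    each once plain and once with a trailing '!' (the 'optional exclamation')."""
    out = []
    for word in words:
        for n in range(1, max_digits + 1):
            for digits in product("0123456789", repeat=n):
                base = word + "".join(digits)
                out.append(base)
                out.append(base + "!")
    return out


def keyspace_size(word_count, max_digits=2):
    """Candidates for word + number + optional '!' + word, without generating them.
    Right-hand list is the plain word list, so the count is multiplied by word_count."""
    number_variants = sum(10 ** n for n in range(1, max_digits + 1))
    return word_count * number_variants * 2 * word_count


def brute_force_keyspace(length, charset_size=72):
    """Candidates for a blind brute force of `length` characters drawn from
    a charset of `charset_size` symbols (72 ~ upper, lower, digits, some symbols)."""
    return charset_size ** length


def seconds_to_exhaust(candidates, rate=HASH_RATE):
    """Worst-case time to try every candidate at the given hash rate."""
    return candidates / rate


if __name__ == "__main__":
    left = left_candidates(SAMPLE_WORDS, max_digits=1)
    print(f"sample left list has {len(left)} entries, e.g. {left[:3]}")
    fmt = keyspace_size(80_000, max_digits=1)
    print(f"format keyspace: {fmt:.3e} -> {seconds_to_exhaust(fmt):.1f} s to exhaust")
    blind = brute_force_keyspace(13)
    years = seconds_to_exhaust(blind) / (365 * 24 * 3600)
    print(f"13-char blind brute force: {blind:.3e} -> {years:.1e} years to exhaust")
```

The structured keyspace is exhausted in seconds at the quoted rate, while the same length without dictionary words sits in the millions of years, which is the length-plus-no-dictionary-words point the post makes.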
Make plans
It’s not a subject that comes up often in the IT world, but ensuring the services and hardware you’ve been responsible for can be managed by someone else is important. Make sure your next of kin has access to everything they might want access to. Your phone and tablet, laptop, BitLocker password, password manager password. Critical services such as house control, domain registrar, finance, and insurance. Even if they are in the password manager too.
Like many techies I run a home lab… well actually my whole home is the lab! I went overkill on a Ubiquiti network stack with 10 VLANs, multiple switches, 2 internet connections, and a Proxmox cluster on 25Gig fibre. Home Assistant controls everything – including physical access. I prefer to learn by doing and the only thing that will stop me now is the price of RAM!
My wife relies on me to keep that running. When I’m not here, she needs that to just work, and that’s why I have an arrangement with my techie friend, Scott. He’s kindly agreed to simplify the network, rip out Home Assistant, and he gets to keep everything he removes! My passwords to everything are written down, secured, and accessible to others. It’s become an important part of estate planning.
A bittersweet end
The family were relieved and grateful that we had cracked the password to the spreadsheet, and they now had access to critical infrastructure and accounts. It had only taken a powerful server and more electricity than a house uses in a week, but we got there, and we were happy to have helped a family at a very difficult time at Christmas.