Even three random word passwords fall to new cracking technique


A new technique could supercharge law enforcement’s ability to crack passwords in offline investigations.

Digital forensics laboratories often struggle to get the information they need from devices they’ve taken into custody, in large part because users craftily hide their information behind passwords and PIN codes.

Cracking into phones, tablets, or computers is vital to law enforcement seeking key evidence to convict criminals, but thanks to those passwords, it can sometimes take months or years to get.

Locked behind walls of encryption could be vital evidence like hidden messages, incriminating photos, or traces of criminal networks. Every second lost to sluggish password-cracking tools gives suspects a head start. But a team of researchers believes they’ve found a way to accelerate the process dramatically, making forensic password recovery not just faster but potentially game-changing.

A study by cybersecurity experts at the University of Plymouth and Jönköping University has shown that smarter rule sets for cracking passwords can reduce computational effort by up to 40%. Using real-world datasets and forensic-grade software, the researchers proved that by reordering the rules forensic tools use to guess passwords, they could drastically reduce the number of iterations needed to unlock protected files.

Switching the order

Traditional methods of cracking passwords are tricky to utilize, partly because they can trigger automatic locking mechanisms if the wrong password is guessed too often. Pre-existing tools like the Password Recovery ToolKit (PRTK) rely on rule-based attacks, which are an enhancement over brute-force methods, to make educated guesses about passwords.

But those rule-based attacks, which tweak dictionary lists, adding numbers, capital letters, or symbols in likely patterns to mirror human password habits, still aren’t the best way.

The breakthrough in this study came from reordering the guesses in those rule-based attacks to prioritize the most statistically likely patterns. Tested across three major leaked password datasets, the new method consistently cracked the same number of passwords as the default tools, but with up to 302 hours of computing time saved in larger datasets. In practical terms, that’s days shaved off criminal investigations.

The method also works against cannier users who recognize the risk of using common passwords and simple ways of changing them. The researchers also looked at how well the approach worked against the UK’s National Cyber Security Centre’s (NCSC) recommendation for people to use three random words as passwords, which is a user-friendly approach intended to balance memorability with security.

Cracking complicated passwords

Although three-word passwords fare better than many traditional formats, they remain vulnerable to the new technique, especially when users stick to common words. Tested against a dictionary containing just 30% of the most frequently used English words, over three-quarters (77.5%) of three-word passwords could be cracked. Even at the lower threshold of 10% of common words, nearly one in five passwords were obtainable.
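
A defender-side check built on this finding, as an added example that is not from the study or this article: it finds the smallest top-N slice of a frequency-ranked word list that contains all three words of a passphrase, and the N³ guess space that follows from it. The word list, the function names and the 30% rejection threshold are assumptions made for illustration.

```python
import math

# Constructed sample list, most frequent word first (rank 1 = most common).
# Assumption: a real check would load a full frequency-ranked English list.
RANKED_WORDS = ["the", "time", "house", "water", "green", "horse", "table",
                "battery", "staple", "quartz", "zephyr", "ocelot"]
RANK = {word: i + 1 for i, word in enumerate(RANKED_WORDS)}


def split_three_words(passphrase):
    """Return (N, words): the split into three listed words whose rarest word
    has the lowest rank N, i.e. the smallest top-N dictionary covering it.
    Returns None when no such split exists."""
    s = "".join(ch for ch in passphrase.lower() if ch.isalpha())
    best = None
    for i in range(1, len(s) - 1):
        for j in range(i + 1, len(s)):
            parts = (s[:i], s[i:j], s[j:])
            if all(p in RANK for p in parts):
                n = max(RANK[p] for p in parts)
                if best is None or n < best[0]:
                    best = (n, parts)
    return best


def audit(passphrase, max_fraction=0.30):
    """Flag passphrases built only from the most common words.
    max_fraction is a hypothetical policy threshold (share of the list)."""
    found = split_three_words(passphrase)
    if found is None:
        return {"covered": False, "reject": False}
    n, words = found
    return {
        "covered": True,
        "words": words,
        "dictionary_size": n,
        "fraction_of_list": n / len(RANKED_WORDS),
        "guess_space": n ** 3,           # ordered triples, repeats allowed
        "bits": 3 * math.log2(n),
        "reject": n / len(RANKED_WORDS) <= max_fraction,
    }


if __name__ == "__main__":
    for sample in ("the-time-house", "HorseBatteryStaple", "quartzzephyrocelot"):
        print(sample, audit(sample))
```

Because the guess space grows with the cube of N, a passphrase whose rarest word sits deep in the list costs far more to cover than one drawn entirely from the most common words.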

The findings are positive and negative for investigators – and in equal measure. On one hand, public guidance like the NCSC’s can unintentionally make password behaviour more predictable, aiding forensic efforts. On the other hand, attackers can exploit the same patterns, widening the threat landscape.

“Password policies have a dual impact,” the authors write, “enhancing security for users, but also shaping attack strategies for both good and bad actors.”

The authors suggest that future work in the space should explore how organizational and national cultures influence password choices.

They also believe that AI-driven methods should be used to keep pace with evolving password behaviors, making sure that they’re always within reach of being cracked by law enforcement, while those of us who mean no harm remain secure.