A STEGANOGRAPHIC APPROACH TO MITIGATE PASSWORD ATTACKS

Isha Pandya, Surmeet Jhajj and Renuka Pawar


Department of Information Technology
Sardar Patel Institute of Technology
Mumbai, India

Abstract—With the advancement in cyber security, attacks on passwords are also becoming more advanced, and industrial espionage poses one of the greatest dangers to business today. Critical corporate information is put at stake when a system password falls into the wrong hands. With many tools and precomputed tables available to break preliminary security levels, stress is laid on multilayered security for the storage and communication of an enterprise's sensitive information. In this paper, we analyse two popular password attacks based on the time needed to crack passwords with them. We then propose a solution which uses steganography (text and image) to store the password and user account information, adding further layers of security.

Keywords—authorization; passwords; intrusion; security; steganography

I. INTRODUCTION

The process of guessing or recovering a password from stored locations or from a data transmission system is called password cracking [1]. Various techniques such as brute force attack, dictionary attack, hybrid attack, rainbow table attack and smart brute force attack may be used to crack passwords. A brute force attack tries every possible value for the password, whereas a dictionary attack tries only the words in a precompiled list [1-3]. Multiple countermeasures, such as using unique, complex, long and alphanumeric passwords, have been discussed in [3] for protecting passwords from these attacks. However, long and complex passwords are difficult to remember, which encourages most users not to follow these suggestions. In this paper, we propose an architecture which aims to improve the way passwords are stored on machines in order to enhance their security.

The proposed architecture is based on the concept of steganography, the technique of concealing messages in text or pictures. Although cryptography pursues a similar goal, steganography is different from cryptography [4-5]. Steganography hides the message inside a cover medium, whereas cryptography encrypts the message before sending it to the destination and needs no carrier or cover medium. Steganography therefore hides the existence of a message, while cryptography protects its content once it is found; in practice the two are combined. Since images are stored in the form of their RGB pixel values, altering a few bits to store the desired message does not change the image much, and the changes are imperceptible to the human eye. Steganography basically involves a carrier file which acts as the disguise; it could be an image, a text or even an audio file. This carrier file contains the actual message hidden in it.

The remainder of the paper is outlined as follows. Section II provides an overview of the methods of storing passwords and authenticating users on Linux and Windows systems. Section III describes the password attacks in detail and provides an analysis of password cracking techniques. Section IV outlines the current solutions that are suggested to protect passwords. In Section V, we elaborate on an architecture which uses steganography to enhance protection. Sections VI and VII conclude the paper with the further scope of the proposed solution.

II. PASSWORD STORING MECHANISMS IN WINDOWS AND LINUX

A. Password storing mechanisms in Linux

Initially, UNIX passwords were stored in a file called /etc/passwd. However, this file is world-readable by design (every process needs it to map user names to UIDs), so any user on the system could read the password hashes. As a solution to this problem, the Shadow Utils package, installed by default, separates passwords from /etc/passwd. Passwords are saved in the /etc/shadow file, which is readable only by the root user (and, on many distributions, by the shadow group).

Below is the format in which entries are stored in the /etc/shadow file:

root:$1$Jtg6EyUZ$D9MTP7ombfhKIlqaNMqnf1:15731:0:99999:7:::

The fields of that entry, separated by ":", are as follows.
1. The first field is the username.
2. The encoded password is shown in the second field.

978-1-5090-6367-3/17/$31.00 ©2017 IEEE 248


3. The third field is the date of the last password change, expressed as days since the Unix epoch (1 January 1970).
4. The minimum number of days that must pass before the password may be changed again.
5. The maximum number of days the password may be used before it must be changed (99999 effectively disables expiry).
6. The number of days before expiry on which the user starts receiving warnings to change the password.
7. The number of days after the password has expired during which login is still accepted before the account is disabled.
8. The date on which the account itself is disabled, as days since the Unix epoch.
9. Unused/reserved field.

The encoded password stored in the /etc/shadow file is itself made up of three "$"-separated parts:
1. The first part is an identifier indicating the hashing algorithm used:
   $1$ is md5crypt (MD5-based).
   $2$ and $2a$ are bcrypt (eksblowfish-based; $2a$ is the revised identifier).
   $5$ stands for sha256crypt (SHA-256-based).
   $6$ is sha512crypt (SHA-512-based).
2. The second part is the salt. The salt is a random string generated per user and combined with the password before hashing, so that two users with the same password get different hashes and precomputed tables cannot be reused.
3. The last part is the hash of the salt and the user password.

How users are authenticated:

The most commonly used authentication mechanism in Linux is Pluggable Authentication Modules (PAM) [6]. Services that require authentication are linked with the PAM libraries included with Linux. These libraries are configured to use different databases and algorithms to check passwords. When a service such as login needs to authenticate a user, it calls PAM routines. These routines read the PAM configuration files and look for stack entries with a matching service name. These entries are then processed in the order in which they are found. The /lib/security/pam_pwdb module is invoked during this process; it interacts with the password database library (the pwdb library, or libpwdb, in the /lib directory). A central database is used for looking up information associated with groups and users, and it is the source of passwords for pam_pwdb. The pwdb library requires an /etc/pwdb.conf configuration file. The first section of the file (following the keyword "user:") gives information about users; the second section ("group:") gives information about groups. Each list is linked to the databases containing the records for the corresponding users or groups. When pam_pwdb calls the pwdb library, the first entry matching the parameters passed by pam_pwdb is found and the search stops at the first match. (On current distributions the pam_unix module has replaced pam_pwdb and reads /etc/shadow directly, but the flow is the same.)

The /etc/shadow and /etc/passwd files do not store the actual password, but a hashed value of it. These hashes may be computed using multiple hashing algorithms such as MD5 [6-7]. They are one-way functions, i.e. there is no feasible way to reverse them to obtain the plain-text password. Hence password matching is done by generating a hash for the entered password, with the stored salt, and comparing it against the password hash stored in the corresponding user's entry in /etc/shadow.

This method does not provide complete protection of passwords. If an attacker obtains a copy of /etc/shadow (through privilege escalation, a backup, or offline access to the disk), the hashes can be cracked offline with various algorithms. In this paper, we propose a solution to prevent attackers from gaining access to the information in the password-storing files, hence protecting passwords against some popular password cracking tools and attacks.

B. Password storing mechanisms in Windows

Windows uses the following two mechanisms for password storing:

a) LAN Manager (LM)

The user's password is converted to uppercase and padded with null characters until it is 14 characters long. The 14 bytes are split into two 7-byte halves, each of which is used as a DES key to encrypt a fixed constant, and the two 8-byte results are concatenated into a 16-byte value, which is the completed LM hash [6-7]. Because the two halves are hashed independently and the case information is discarded, the LM hash is very weak; its major drawback is that newer versions of Windows still keep it for backward compatibility.

b) NT LAN Manager (NTLM)

This method uses MD4 to create the NT hash, which is comparatively harder to crack and more resistant to brute force attack than the LM hash. It is, however, an unsalted single MD4 of the UTF-16LE password, so GPU crackers compute it very quickly and the hash itself can be replayed in pass-the-hash attacks. The MD4 hash is what is stored in either the local Security Accounts Manager (SAM) database or the Active Directory database [6]. The SAM file, located at C:\Windows\System32\config\SAM (i.e. %SystemRoot%\System32\config\SAM), holds the usernames and password hashes for every account on the local machine, or for the domain if the machine is a domain controller.

The SAM file is further encrypted with the SysKey (Windows 2000 and above), which is stored in the %SystemRoot%\System32\config\SYSTEM hive. The hashes from the SAM file are decrypted using the SysKey when the OS boots; they are loaded into the registry and used to authenticate the user.

The only account that can access the SAM file during operation is the "System" account, for the security of sensitive data. The final location of the SAM and corresponding hashes is in the registry, under HKEY_LOCAL_MACHINE\SAM. This is unavailable to all users, including the administrator, while the machine is running, although code running as SYSTEM or reading an offline copy of the hive can still extract the hashes.

III. PASSWORD ATTACKS ANALYSIS

Despite being protected by hashing, passwords are still vulnerable to various attacks. In this section, we present an introduction to two such common attacks as well as an analysis of password cracking.

A. Brute Force Attack

In a brute force attack, the attacker tries every possible combination of letters, numbers and special characters as the password until the correct one is accepted. Various tools and algorithms are available for this. In theory, this attack is able to crack any password, since all permutations are eventually tried; in practice it is bounded by the size of the search space.

B. Dictionary Attack

A dictionary attack is another guessing attack which uses a precompiled list of strings to crack the password. Every entry in the password list is hashed in the same format (algorithm and salt) as the password being examined, and the result is compared with the hash value in the password file for the user concerned. If the hashes match, that user's password has been recovered [2-3]. Password lists contain common passwords such as "password" or "abcdef". A dictionary attack fails if the password set by the user is not included in the list being checked.

Analysis

We cracked the passwords of various users using the John the Ripper tool on Kali Linux (version 2.0). The processor used was an Intel Core i3-3217U (1.8 GHz) in a Dell laptop. The password hashes used the SHA-512 ($6$) scheme.

We measured the time taken to crack alphabetic, alphanumeric and numeric passwords of lengths varying from 5 to 8 characters. John the Ripper, in its default mode, first checks the password hashes against its own password list (after trying login-derived guesses in "single crack" mode). If that fails, it falls back to an incremental (brute force) attack on the password.

An average of 64.18 candidate passwords per second were tested, of which the number of successful guesses averaged 0.001034 g/s. The average number of crypts (password hash computations) per second was 319.1, which was the same as the number of combinations of candidate password and target hash per second (C/s). Graph 1 below depicts the percentage of passwords cracked by John the Ripper over a one-hour period.

An average of 2496.66 seconds (approximately 41 minutes) was taken to crack 9 passwords, of which 4 were cracked using the dictionary attack and the remaining 5 using the brute force attack. Graph 1 represents the time taken to crack all passwords in the default password list using John the Ripper. Table 1 gives the time taken to crack certain passwords of different complexities by either the default approach or the brute force approach.

Graph 1. Time taken to crack all passwords in the password list. Tool used was John the Ripper and the password list used was the default password list.
[Graph 1: x-axis "Percentage of Passwords Cracked" (0 to 100), y-axis "Time (Minutes)" (0 to 60); the plot itself is not reproduced here.]

TABLE 1. TIME TAKEN TO CRACK PASSWORDS

Password   Length  Complexity  Approach  Time (secs)
hello      5       easy        DA             29
abcd1234   8       easy        DA             40
Toronto2   8       medium      BFA          2158
sonk21     6       medium      BFA          2984
jeav3u     6       medium      BFA          4532
19072      5       medium      BFA          7757
ceaser0    7       medium      DA            489
Topgun?    7       medium      DA           1006
mcn195     6       hard        BFA          3506
Average time taken                       2496.66

DA – Default approach used by John the Ripper
BFA – Brute force approach used by John the Ripper if the default approach fails

Figure 1. Screenshot of cracked passwords on a Kali Linux OS
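The two attacks measured above, as an added example that is not from the paper: a dictionary attack and a brute force attack against salted hashes, followed by the keyspace arithmetic that underlies the inference drawn from Table 1. The hash scheme here is a stand-in (a single SHA-512 over salt and password, tagged "$demo$") so that the block runs with the Python standard library alone; it is not glibc's sha512crypt, which adds thousands of rounds and is therefore far slower per guess. The user records and the word list are constructed; the 319.1 crypts per second figure is the paper's own measurement.

```python
import hashlib
import itertools
import string


def demo_hash(password, salt):
    """Assumed stand-in for $6$: one SHA-512 over salt+password, tagged $demo$."""
    digest = hashlib.sha512((salt + password).encode()).hexdigest()
    return "$demo$%s$%s" % (salt, digest)


def verify(candidate, stored):
    """One 'crypt': re-hash the candidate with the stored salt and compare."""
    _, _, salt, digest = stored.split("$")
    return hashlib.sha512((salt + candidate).encode()).hexdigest() == digest


# Constructed records. alice and bob share a password but not a salt, so
# their hashes differ and one cracked hash does not give away the other.
USERS = {
    "alice": demo_hash("hello", "Jtg6EyUZ"),
    "bob":   demo_hash("hello", "x9Ks2pQa"),
    "carol": demo_hash("19072", "b1Zp0Qq2"),
}

# Constructed word list in the spirit of John the Ripper's password.lst.
WORDLIST = ["123456", "password", "abcdef", "hello", "letmein"]


def dictionary_attack(stored, wordlist):
    """Section III.B: hash each list entry with the target's salt and compare.
    Returns (guess, crypts spent); guess is None if the list is exhausted."""
    for crypts, word in enumerate(wordlist, 1):
        if verify(word, stored):
            return word, crypts
    return None, len(wordlist)


def brute_force(stored, alphabet, max_len):
    """Section III.A: try every string over `alphabet` of length 1..max_len."""
    crypts = 0
    for n in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=n):
            crypts += 1
            if verify("".join(tup), stored):
                return "".join(tup), crypts
    return None, crypts


def keyspace(alphabet_size, max_len):
    """Number of candidates of length 1..max_len over an alphabet."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def exhaust_seconds(alphabet_size, max_len, crypts_per_second=319.1):
    """Worst-case time to try the whole keyspace at the paper's 319.1 c/s."""
    return keyspace(alphabet_size, max_len) / crypts_per_second


if __name__ == "__main__":
    print("alice via wordlist:", dictionary_attack(USERS["alice"], WORDLIST))
    print("carol via wordlist:", dictionary_attack(USERS["carol"], WORDLIST))
    print("carol via digits  :", brute_force(USERS["carol"], string.digits, 5))
    for charset, size in (("digits", 10), ("lowercase", 26), ("alnum", 62),
                          ("printable", 95)):
        for n in (5, 8):
            print("%-9s len<=%d: %.3g candidates, %.3g days at 319.1 c/s"
                  % (charset, n, keyspace(size, n), exhaust_seconds(size, n) / 86400))
```

Restricting the alphabet is what makes the digit-only search above finish in thirty thousand crypts; John's incremental mode works through its full character set in frequency order, which presumably is why the paper's "19072" took 7757 seconds. The same arithmetic shows why Section IV recommends 15-character mixed passwords: at 319.1 c/s even the 8-character alphanumeric keyspace takes on the order of tens of thousands of years, and only GPU rates or a weak (unsalted, single-round) hash bring that back within reach.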

Inference

It is clear from the graph that the percentage of passwords cracked grows roughly linearly with the time spent. The feasibility of the brute force attack, however, depends on the time needed to crack a particular password. The number of candidates grows exponentially with the length of the password, making this method fast for short passwords but impractically slow for long ones. Another parameter affecting the time taken is the size of the character set from which the password is drawn: the number of possible permutations increases with a larger character set (and, for schemes such as sha512crypt, with the configured number of rounds per hash). The hardware used also affects the speed of the attack greatly, since a faster GPU is able to process more candidate passwords per second.

There is a time-space trade-off in the dictionary attack. It is considerably faster than the brute force attack since only plausible strings are checked, rather than every permutation. However, the password lists, being stored on the attacker's machine or server, take up storage. Though these attacks have certain drawbacks, they have a high success rate against passwords once the files storing the password hashes have been obtained.

IV. PREVAILING SOLUTIONS FOR PASSWORD ATTACKS

Multiple solutions have been proposed to prevent unintended users from gaining access to passwords. We discuss a few popular ones below.

A. Using long and complex passwords

Use long and complex passwords, such as a 15-character password combining letters, numbers and special characters [3]. Computers with Windows XP and later have a password complexity policy by default. A password of 15 characters or more prevents the creation of an LM hash, removing the easiest target for most password cracking tools. Linux has multiple utilities such as pwgen and apg (Automatic Password Generator) that users can use to generate random passwords. Complex passwords enlarge the search space the attacker must cover, increasing the time required to crack them and reducing the effectiveness of the cracking tool used.

B. Disable LM Hashes

Windows stores passwords in the form of two hashes, the LM hash and the NT hash. The LM hash, being weaker than the NT hash, is more prone to brute force attacks. Hence Windows provides the option to disable the storing of LM hashes in the SAM file. This may be done by enabling the "Network security: Do not store LAN Manager hash value on next password change" policy (the NoLMHash value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa), or by using a password of 15 characters or more as suggested in Section IV.A. Note that an existing LM hash is only dropped at the next password change.

V. PROPOSED ARCHITECTURE

The practice of hiding secret messages in other, non-secret files is widely known as steganography [4-5][8]. In this paper, we propose to add two levels of steganography to the existing architecture: instead of storing the hashes of passwords in the shadow/SAM file, they may be stored discreetly in multimedia files already present on the local machine (higher level), and the paths to these multimedia files hidden in the /etc/shadow or /etc/passwd files using text steganography [8] (lower level).

For the purpose of this paper, we consider concealing the hashed passwords within images. An image is stored as pixels, and each pixel is a combination of bits for its RGB values. If the least significant of these bits are altered, the resultant change in the image is minuscule and not detectable by the human eye [4-5]. Hence the pixel bits of the image may be manipulated to hide messages. This image is called the "cover image". Note that such least-significant-bit embedding survives only in lossless formats (BMP, PNG); JPEG re-compression destroys it, statistical steganalysis can detect it, and the cover image therefore needs the same access controls as the shadow file it replaces.

The following demonstrates the use of one such tool (Invisible Secrets 2.1), which selects the cover image and the data file to be hidden and, according to the selected algorithm, encrypts the supplied text into the image.

Figure 2. Invisible Secrets is used to implement steganography

Figure 3. The file 2.jpg is stored in image new.jpg

Proposed algorithm for the same in a Linux environment:

I. The idea is to store the user account name and the hashed value of the password in images. However, when authentication is needed, the system still consults the /etc/shadow and /etc/passwd files. Thus we need to store the path of this image in these files themselves.
II. Now that the hashes are stored in images, the existing data in the /etc/shadow and /etc/passwd files becomes garbage. It is, however, left in place to conceal the fact that another mechanism is in use for authentication. (Since these are just text values, they do not create much space overhead.)
III. A password-protected user account "trial" is created on the local machine.
IV. The password is hashed and stored in an image selected at random. The image is further protected by revoking write privileges from the user. This image forms the cover image "img.jpeg" for the user account "trial". (Read access must be restricted as well: anyone who can read the cover image can extract the hash exactly as the authentication module does.)
V. The username of the account "trial" and the path of its cover image "img.jpeg" are hidden in the /etc/shadow and /etc/passwd files using steganography tools.
VI. The user enters the username "trial" and the password to log in.
VII. The PAM modules point to /etc/passwd. Instead of taking values directly from this file, the PAM module is reconfigured to unhide the text in this file and retrieve the path of the cover image "img.jpeg" corresponding to the username "trial".
VIII. PAM then accesses the cover image and extracts the hidden data to get the hashed password.
IX. The password entered by the user is processed with the same hashing algorithm (and salt) to produce a hash, which is compared with the one extracted. If they match, the user is given access.

Figure 5. Flowchart of the proposed algorithm

Hence, we may reduce the vulnerability of passwords in the following ways:

1. An attacker may easily be confused and prevented from accessing the actual passwords.
2. The time taken to find the actual password hashes will increase, hence increasing the security of the passwords.
3. Protection from tools such as John the Ripper will be provided, since the data they collect from the /etc/shadow and /etc/passwd files is incorrect. (This holds only while the scheme itself is unknown to the attacker; an attacker who learns it and can read the cover images is back to cracking the same hashes, so the hash algorithm and salt remain the real line of defence.)

Figure 6. Block diagram of the proposed architecture
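To make the least-significant-bit embedding of Section V and steps I to IX concrete, here is an added Python example. It is not the authors' implementation (they used Invisible Secrets and a reconfigured PAM module): it embeds and extracts data in the LSBs of a raw RGB buffer, then runs the enrol and authenticate flow of steps III to V and VII to IX on top of that. The cover is a constructed pseudo-random pixel buffer standing in for img.jpeg, the hash is a simplified salted SHA-512 standing in for $6$, and the text-steganography layer that hides the image path in /etc/passwd is omitted.

```python
import hashlib
import random

# --- LSB steganography over a raw RGB buffer ------------------------------
# The "image" is a bytes object of width*height*3 channel values, so no
# codec is needed. LSB embedding survives only lossless formats (PNG, BMP);
# the paper's JPEG covers would need a JPEG-aware method instead.

def embed(cover, payload):
    """Write payload into the least significant bit of successive channel
    values, preceded by a 4-byte big-endian length so extract() knows where
    to stop. Each channel value changes by at most 1."""
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover too small: need %d channel values" % len(bits))
    stego = bytearray(cover)
    for idx, bit in enumerate(bits):
        stego[idx] = (stego[idx] & 0xFE) | bit
    return bytes(stego)


def extract(stego):
    """Read the LSBs back: first 32 bits give the length, then the payload."""
    def read_bytes(start_bit, nbytes):
        out = bytearray()
        for b in range(nbytes):
            val = 0
            for i in range(8):
                val = (val << 1) | (stego[start_bit + b * 8 + i] & 1)
            out.append(val)
        return bytes(out)
    length = int.from_bytes(read_bytes(0, 4), "big")
    return read_bytes(32, length)


def max_channel_delta(cover, stego):
    """Largest per-channel change between cover and stego image."""
    return max(abs(a - b) for a, b in zip(cover, stego))


# --- Proposed authentication flow (Section V, steps III-V and VII-IX) -----

def hash_password(password, salt):
    """Assumed simplified scheme: SHA-512 over salt+password (stands in for $6$)."""
    return hashlib.sha512((salt + password).encode()).hexdigest()


def enrol(cover, username, password, salt):
    """Steps III-V: hash the password and hide 'user:salt:hash' in the cover."""
    record = "%s:%s:%s" % (username, salt, hash_password(password, salt))
    return embed(cover, record.encode())


def authenticate(stego, username, password):
    """Steps VII-IX: unhide the record, re-hash the supplied password with the
    stored salt and compare. The PAM lookup of the image path is omitted."""
    user, salt, stored = extract(stego).decode().split(":")
    return user == username and hash_password(password, salt) == stored


def make_cover(width=64, height=64, seed=1234):
    """Constructed pseudo-random RGB buffer standing in for img.jpeg."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(width * height * 3))


if __name__ == "__main__":
    cover = make_cover()
    stego = enrol(cover, "trial", "Toronto2", "Jtg6EyUZ")
    print("login ok   :", authenticate(stego, "trial", "Toronto2"))
    print("wrong pass :", authenticate(stego, "trial", "toronto2"))
    print("max delta  :", max_channel_delta(cover, stego))
    print("readable by anyone with the file:", extract(stego)[:24])
```

The max_channel_delta check confirms the cover changed by at most one unit per channel, which is why the change is invisible. The last line shows the caveat: no key is involved, so anyone with read access to the cover image recovers the record exactly as PAM would, which is why step IV must restrict read as well as write access, and why the hash algorithm and salt, not the hiding, carry the security.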

VI. CONCLUSION

Long and complex passwords, such as a 15-character password combining letters, numbers and special characters [3], remain the first line of defence: Windows XP and later have a password complexity policy by default, a password of 15 characters or more prevents the creation of an LM hash and so removes the easiest target for most cracking tools, and Linux utilities such as pwgen and apg generate random passwords. Complex passwords enlarge the search space, increasing the time required to crack them and reducing the effectiveness of the cracking tool used.

• In the proposed scheme, only the person with the key to decrypt the image can read the hidden data, so for anyone else who obtains it illicitly it is practically useless.
• The space overhead of steganography may be a concern for users. Remedies to optimise this overhead (e.g. preferring greyscale images over colourful ones) would make this proposition much more practical and feasible.

VII. FUTURE SCOPE

Steganography, and authentication using an image instead of a password, could raise the security of communication protocols like FTP, Telnet and SSH a notch higher.

• FTP, used basically for file transfer, often runs without authentication, and when credentials are used they are transmitted in plain text.
• This leads to the following vulnerabilities: spoofing attacks, FTP bounce attacks, packet capture, port stealing, username enumeration and brute force attacks.
• The Telnet protocol uses the Internet or local area networks to provide bidirectional text-oriented communication over a virtual terminal connection.
• The following vulnerabilities have been identified here:
  o By default Telnet does not encrypt any data sent over the network, making it susceptible to eavesdropping.
  o There is no mechanism to ensure that the communication is carried out between the intended hosts and is not intercepted by an unwanted third party.
  o Vulnerabilities exist in commonly used Telnet daemons.
• SSH uses public-key cryptography to provide confidentiality and integrity over the network by authenticating the remote system and allowing it to authenticate users. However, even this protocol has a loophole:
  o Public-key authentication does not perform any key transfer; it only checks that the party offering a public key owns the matching private key. Thus, if a host accepts an unknown public key without validating it, an unauthorised attacker can be validated as an authorised user.
• Thus, for all the above protocols, we can make use of password-encrypted images to authenticate the user, securing the exchange against spoofing, eavesdropping and key-logger attacks.

REFERENCES

[1] T. Gautam and A. Jain, "Analysis of Brute Force Attack using TG-Dataset," in Proc. SAI Intelligent Systems Conference, London, UK, Nov. 2015, pp. 984-988.
[2] C. Yiannis, "Modern Password Cracking: A hands-on approach to creating an optimised and versatile attack," Information Security Group, University of London, Surrey, Tech. Rep. RHUL-MA-2013-7, pp. 5-6, May 2013.
[3] S. K. Kulkarni, "A Survey of Password Attacks, Countermeasures and Comparative Analysis of Secure Authentication Methods," International Journal of Advance Research in Computer Science and Management Studies, vol. 3, no. 11, pp. 321-324, Nov. 2015.
[4] G. Smitha and E. Baburaj, "A survey on image steganography based on Least Significant Bit Matched Revisited (LSBMR) algorithm," in Proc. 2016 International Conference on Emerging Technological Trends (ICETT), 2016, pp. 1-6.
[5] T. Morkel, J. H. P. Eloff and M. S. Olivier, "An Overview of Image Steganography," in Proc. Fifth Annual Information Security South Africa Conference (ISSA 2005), Sandton, South Africa, June/July 2005 (published electronically).
[6] Y. Bassil, "Windows and Linux Operating Systems from a Security Perspective," Journal of Global Research in Computer Science, ISSN 2229-371X, vol. 3, no. 2, pp. 17-24, Feb. 2012.
[7] J. A. Chester, "Analysis of Password Cracking Methods & Applications," Honors Research Project, University of Akron, OH, pp. 9-14, 2015.
[8] M. Agarwal, "Text Steganographic Approaches: A Comparison," International Journal of Network Security & Its Applications (IJNSA), vol. 5, no. 1, pp. 91-106, Jan. 2013.
