Password Cracking
Password cracking is the process of obtaining a password using data that has been stored in or transmitted by a computer. While there are several legal reasons for password cracking, such as a user attempting to recover their own password, or a systems administrator testing for easily crackable passwords, the most well-known use of password cracking is to gain access to unauthorised data or a machine. It is also worth noting that password cracking can be used to gain access to digital evidence for which a judge has allowed access, but where access to the particular file is restricted. The most common method of cracking passwords is through repeatedly guessing the password.
While password cracking can involve the use of software in order to obtain a password, such as using a list of common passwords for a dictionary attack, or checking every possible combination for a brute force attack, it can also be as simple as finding a sticky note with the password written on it stuck right to the monitor or hidden under a keyboard.
Cracking Techniques:
- A brute force attack is an attempt to gain access to a computer by using every possible combination of characters as a password. While this is theoretically able to crack any password, the time it takes can make it very impractical to use. As the length of the password grows, the number of possible combinations for the password increases quickly. This can be seen in passwords of length 4 being cracked almost instantly, while passwords of length 10 or higher can take thousands of years. While different machines will take different lengths of time for each one, the sheer number of possible combinations still makes even the fastest machines struggle with long passwords.
Character set (l = letters, n = digits):

| Length of the password | lowercase l | lowercase l & n | Both lowercase & uppercase l | all printable ASCII characters |
|---|---|---|---|---|
| <= 4 | instant | instant | instant | 2 min |
| 5 | instant | 2 min | 12 min | 4 hours |
| 6 | 10 min | 72 min | 10 hours | 18 days |
| 7 | 4 hours | 43 hours | 23 days | 4 years |
| 8 | 4 days | 65 days | 3 years | 463 years |
| 9 | 4 months | 6 years | 178 years | 44530 years |

[Source: Last Bit]
- A dictionary attack is a variation of brute forcing, in that the attacker has no way of knowing what the password is in advance, and so must systematically try various passwords. In a dictionary attack, however, words from a set list are used, rather than trying every possible combination of characters, numbers, and punctuation, as you would in a brute force attack. The attacker chooses the list based on what they know about the target system, as many users tend to use passwords that are somehow relevant to themselves. This may involve using a list of characters from the target's favourite book, cities throughout the world, and even the dictionary (hence the name of this method). While the dictionary attack is faster than a brute force attack, it is less thorough, and so has a lower chance of working. It will almost certainly not work if the user has a password chosen by a random password generator including numbers and punctuation.
- The hybrid dictionary attack is a variation of the dictionary attack. It uses a set list, chosen by the attacker, but includes numbers throughout the password, and often substitutes well-known number replacements for letters, such as replacing 'a' with '4', or 'o' with '0'. This significantly increases the chance of the attacker obtaining the password; however, the trade-off is time. The inclusion of numbers increases the number of combinations to be tried by the attacking computer. The chance of obtaining the password is much higher than with a normal dictionary attack, but still not certain, unlike the brute force attack. The time taken is longer than for a normal dictionary attack, but the hybrid dictionary attack is still significantly faster than a brute force attack. Like the normal dictionary attack, the hybrid one is still unlikely to obtain a password chosen by a random password generator.
- Reset the Password: Whilst the above methods may help an attacker obtain a password to unauthorised data, if the password proves too difficult to obtain, it may be possible for the attacker to get access to the data without using it. This can include using methods that a normal user might go through to recover a lost password, such as guessing a secret answer to a secret question, or the user's date of birth. While the password may contain random letters, numbers, and punctuation, many users don't bother to add them to their secret answer. As such, it may be possible for an attacker to reset the user's password to something the attacker knows, and gain access to the data while locking the original user out.
Guide to Choosing a Good Password:
Generally, a strong (that is, difficult for a password cracker to get) password will follow as many as possible of the following rules:
- A minimum length of 11 characters.
- Generating passwords randomly when possible.
- Including letters, numbers, and punctuation in a password.
- If the password is case-sensitive, use different cases for the letters.
- Avoid sequences of repeated characters or letters.
- Avoid sequences of ascending or descending numbers or letters.
- Avoid using personal information, such as your birthday in the password.
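The guidelines above, combined with the number-for-letter substitutions described under the hybrid dictionary attack, written as a checker a systems administrator could run over candidate passwords. This is an added example, not part of the original page; the sample wordlist, the substitution table, the run length of 3 and all function names are assumptions.

```python
import re
import string

# Constructed sample wordlist (assumption); a real check would load a larger list.
WORDLIST = {"password", "dragon", "london", "gandalf"}
# Number-for-letter substitutions of the kind a hybrid dictionary attack tries.
LEET = str.maketrans({"4": "a", "@": "a", "0": "o", "3": "e",
                      "1": "l", "5": "s", "$": "s", "7": "t"})
CLASSES = [("lowercase letter", string.ascii_lowercase),
           ("uppercase letter", string.ascii_uppercase),
           ("digit", string.digits),
           ("punctuation", string.punctuation)]

def has_run(pw, length=3):
    """True if pw has `length` identical, ascending or descending characters in a row."""
    for i in range(len(pw) - length + 1):
        steps = {ord(pw[j + 1]) - ord(pw[j]) for j in range(i, i + length - 1)}
        if steps in ({0}, {1}, {-1}):
            return True
    return False

def check_password(pw, personal=()):
    """Return the list of guideline violations; an empty list passes every check."""
    problems = []
    if len(pw) < 11:
        problems.append("shorter than 11 characters")
    for name, chars in CLASSES:
        if not any(c in chars for c in pw):
            problems.append(f"no {name}")
    if has_run(pw):
        problems.append("repeated or sequential characters")
    lowered = pw.lower()
    if any(p and p.lower() in lowered for p in personal):
        problems.append("contains personal information")
    # Undo substitutions and drop non-letters so 'P4ssw0rd!' matches 'password'.
    normalised = re.sub(r"[^a-z]", "", lowered.translate(LEET))
    if any(word in normalised for word in WORDLIST):
        problems.append("based on a dictionary word")
    return problems

if __name__ == "__main__":
    for candidate in ("P4ssw0rd!", "kV7#qz!Rm2&xT"):
        print(candidate, check_password(candidate))
```

The checker cannot tell whether a password was generated randomly; it only rejects the patterns the guidelines name.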
Known Cases of Password Cracking:
- CERT Incident (1998) - In 1998, a large number of accounts and encrypted passwords were taken, and by the time they were discovered, the hacker had already cracked over 47 000 passwords. [Source: CERT]
- NATO Incident (2011) - In June 2011, two well-known hacker groups, LulzSec and Anonymous, gained access to around 1 gigabyte of unauthorised data from NATO. They proceeded to release some of those files on the internet, but they were quickly taken down. [Source: Yahoo!]
[http://en.wikipedia.org/wiki/Password_cracking/]
[http://www.ibm.com/developerworks/library/s-crack/]
[http://lastbit.com/password-recovery-methods.asp#Fake Password Creation]
[http://en.wikipedia.org/wiki/Password_strength#Guidelines_for_strong_passwords]
[http://www.microsoft.com/security/online-privacy/passwords-create.aspx]