One of the questions I am most frequently asked by security newcomers is how to go about cracking a password. Although I certainly don't condone illegal security breaches, I have always believed that the only way to implement truly effective security is to understand how attackers exploit security weaknesses. Therefore, in this tip, I will discuss some of the techniques used to crack passwords.
Types of password crackers
When you set out to crack a password, the first question you have to ask yourself is what kind of password is being cracked. You will need a cracking utility, and most utilities are program specific. For example, you would need a different type of utility to crack a Microsoft Office document's password than you would to crack a Windows domain controller password. The particular password-cracking utility is irrelevant to the discussion, though, because such utilities are so easy to come by. Just search the Internet for password crackers and you will find any kind of cracker you need.
Password crackers typically come in two flavors: dictionary based and brute force.
A dictionary-based password cracker contains a database filled with words from the dictionary, common names and often catch phrases from popular movies. You have probably heard people say that in order to have a secure password, you need to mix random numbers, letters and symbols. Doing so makes the password immune to dictionary-based cracks because random character strings would not be in the cracking utility's dictionary.
A brute-force cracker would be used to crack passwords consisting of random character strings. Brute force works by trying every possible combination of numbers, letters and symbols until the password is revealed.
Password-cracking defenses
There are several defenses against brute-force and dictionary-based attacks. One defense against a brute-force attack is to enforce a password policy that requires users to change passwords frequently -- a good option because brute-force attacks take a long time to complete. Depending on the length of the password (longer passwords take longer to crack), the speed of the cracker's machine and the speed of the network connection, a brute-force crack can take weeks to complete. If your users change passwords frequently, then there is a good chance the password will be changed before a crack is completed.
Another common defense is to lock out an account after a few invalid login attempts. Account lockouts prevent many forms of both brute-force and dictionary-based cracks, but keep in mind that account lockouts will not prevent all password cracks. If a cracker can obtain the password hashes stored in the Windows registry or Active Directory, they can perform either type of crack offline: they simply run the cracking utility against the hashes on their own computer, on their own time, without fear of lockouts or of being discovered.
The number one way to prevent someone from getting a hash is to deny physical access to the server. There are perfectly legitimate system recovery and administrative utilities that can be used to reset passwords, and anyone with physical access to a server and minimal computer experience could use such a tool to reset the administrative password to one of their choosing in a matter of minutes. Servers should always be kept behind a locked door.
As you can see, cracking a password is not a mysterious black art. Anyone can download a password cracking utility off of the Internet and crack a password. The trick isn't cracking a password, but rather implementing tight enough security on your own network to prevent someone from cracking your password. If you find yourself wondering if your password security is strong enough, why not download a few crackers and try to crack your own passwords before someone else does? That's the only way to know for sure how strong your password policy really is.
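The offline-cracking point above, and the advice to audit your own passwords, can be made concrete. The following is an added example and not code from the article: it audits a constructed account list against a small wordlist, first when the stored hashes are unsalted SHA-1 and then when each account has its own random salt and a deliberately slow derivation (PBKDF2; salting is a defense the article does not name), and counts how many hash computations each audit needs.

```python
import hashlib
import os

# Constructed sample data, not real credentials: a tiny wordlist and three
# accounts, two of which use words from the list.
WORDLIST = ["password", "letmein", "football", "Sunshine1", "dragon"]
ACCOUNTS = {"alice": "football", "bob": "letmein", "carol": "Tz7#qL!v9mKp"}
ROUNDS = 1000  # kept low so the demo runs quickly; real deployments use far more

def unsalted_hash(password):
    """Fast, unsalted SHA-1: every account with the same password shares one hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def salted_hash(password, salt, rounds=ROUNDS):
    """Per-account salt plus a deliberately slow derivation (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds).hex()

def build_unsalted_store(accounts):
    return {user: unsalted_hash(pw) for user, pw in accounts.items()}

def build_salted_store(accounts):
    store = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)  # fresh random salt per account
        store[user] = (salt, salted_hash(pw, salt))
    return store

def audit_unsalted(store, wordlist):
    """Returns (weak_accounts, hash_computations). The lookup table is built
    once and reused for every account; this precomputation is what makes an
    unsalted hash list cheap to crack no matter how many accounts it holds."""
    table = {unsalted_hash(w): w for w in wordlist}
    weak = {user: table[h] for user, h in store.items() if h in table}
    return weak, len(wordlist)

def audit_salted(store, wordlist):
    """Returns (weak_accounts, hash_computations). No shared table is possible:
    each candidate must be re-derived with each account's own salt."""
    weak, computations = {}, 0
    for user, (salt, stored) in store.items():
        for word in wordlist:
            computations += 1
            if salted_hash(word, salt) == stored:
                weak[user] = word
                break
    return weak, computations
```

Both audits flag the same two weak accounts, but the salted store costs one slow derivation per word per account, while the unsalted store costs one fast hash per word in total.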
About the author: Brien M. Posey is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit his personal Web site at www.brienposey.com.
Reader Feedback
John W. writes:
In this tip, the author states, "Depending on the length of the password (longer passwords take longer to crack), the speed of the cracker's machine and the speed of the network connection, a brute-force crack can take weeks to complete." Actually, there is a password-cracking product, Rainbow Crack, that will brute-force crack long and very complex passwords in a matter of a few minutes, using a normal PC. It can crack Windows, MD5 and SHA-1 passwords and can be configured for other hash algorithms. This is all to say that passwords are no longer a strong form of authentication.