Password security question

One of the most fun aspects of my job is having to coerce people into changing their passwords - my manager is not the sort of person who likes to force people to do anything, so we have to achieve compliance by other means…

Anyway…

In reading about password security, I came across an article on Microsoft’s site which I sent around to people as an “encouragement”, which contained the following sentence:

Can anyone tell me why this should be the case? Or give me more detail at least…

Thanks
Grim

This explains it in good detail. The l0phtcrack link which has the really technical stuff has moved to here

Wow! L0phtcrack have gone all professional and respectable! Who would ever have thought it…makes me feel old…

Thanks dylan - so, if I am understanding it correctly, the fact that it is stored in two chunks, one of 7 char and the other of the rest, means that one chunk is shorter and therefore easier to crack, and once cracked, may give a clue to the first chunk, if the user has used some sort of logic/pattern to their password.

Is that it?

Grim

Well, firstly, the way it’s broken up gives you clues to its length. So you don’t have to spend time checking all the smaller ones (in a brute force). It also gives you a couple of bytes (for reasons explained in the L0phtcrack article) so that cuts things down significantly. They were slamming it even without being smart about it. Obviously you could use extracts you were given to give you clues to the whole.

Basically the problem is that it allows you to work on chunks at a time. Password encryption (in fact all encryption) should be “all or nothing”. You shouldn’t be able to work your way closer. I’m no expert on this, but MS surely must have fixed this by now because it’s really a braindead way of doing things.
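To make the "chunks at a time" point concrete, here is an added example that is not part of the thread and not the L0phtcrack code. It models the scheme being discussed: uppercase the password, pad it to 14 characters, split it into two 7-character halves and hash each half on its own. SHA-256 stands in for the DES step of the real scheme (an assumption so the example runs with the standard library; the structural weakness is identical). Beside it is the "all or nothing" alternative where one hash covers the whole password, and a function that works out how much smaller the chunked search space is.

```python
import hashlib

# Toy stand-in for the LM-style scheme: SHA-256 replaces DES (assumption).
# What matters is that each 7-character half is hashed independently.

def hash_chunk(chunk: str) -> str:
    return hashlib.sha256(chunk.encode()).hexdigest()

def chunked_hash(password: str) -> tuple[str, str]:
    """Uppercase, pad with NUL to 14 chars, hash the two 7-char halves separately."""
    padded = password.upper()[:14].ljust(14, "\0")
    return hash_chunk(padded[:7]), hash_chunk(padded[7:])

def whole_hash(password: str) -> str:
    """The 'all or nothing' alternative: one hash over the entire password."""
    return hashlib.sha256(password.encode()).hexdigest()

# A password of 7 or fewer characters leaves the second half entirely padding,
# so its hash is a constant that an attacker can recognise at a glance.
EMPTY_CHUNK = hash_chunk("\0" * 7)

def length_hint(chunks: tuple[str, str]) -> str:
    """What the second half gives away about the password length."""
    return "7 or fewer characters" if chunks[1] == EMPTY_CHUNK else "8 to 14 characters"

def half_matches(guess_half: str, chunk_hash: str) -> bool:
    """With chunked hashing a guess for ONE half can be confirmed on its own,
    without knowing anything about the other half. That is the
    'work your way closer' problem the post describes."""
    return hash_chunk(guess_half.upper()[:7].ljust(7, "\0")) == chunk_hash

def keyspace_ratio(alphabet_size: int = 36) -> int:
    """How many times larger the search is for one 14-char hash than for two
    independent 7-char halves (worst case, every value tried)."""
    whole = alphabet_size ** 14
    chunked = 2 * alphabet_size ** 7
    return whole // chunked

if __name__ == "__main__":
    chunks = chunked_hash("Password123")
    print("length hint:", length_hint(chunks))
    print("first half confirmed alone:", half_matches("PASSWOR", chunks[0]))
    print("chunked search is", keyspace_ratio(), "times smaller than whole-password search")
```

Two things to notice when running it: the uppercasing means "Password123" and "PASSWORD123" produce the same chunks, so mixed case adds nothing, and the first half can be confirmed with no knowledge of the rest, whereas `whole_hash` offers no partial confirmation at all.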

Regardless of what your password length is, if a hacker/cracker can either repeatedly attempt to guess your password abroad without the system denying it or get ahold of your crypted password, a dictionary attack is quite effective. This attack literally goes through a dictionary front to back and tries every single word. Other more successful variations have lists of thousands of first names and last names, it will try those in conjunction with words and numbers. This may sound like a lot of passwords to guess, but it is a fraction of what it would take in a brute force attack. According to Applied Cryptography, Daniel Klein was able to guess 40 percent of all users’ passwords on an average network with a dictionary attack. (You may think that your network would notice such repeated attempts to login. However, intelligent hackers attempt to receive the crypted password in its original format and launch the attack offline.)

In terms of a brute force attack, a seven digit alpha-numeric password would take 2651730845859653471779023381601 tries to guess all possible combinations. Of course, the security of your password greatly depends on the actual algorithm you’re using. Most hackers are likely to take advantage of an algorithm’s “vulnerabilities” (they aren’t really vulnerabilities, although there are different quirks for each algorithm. To crack RSA, it is a matter of factoring. In this case, there’s no need to try any number greater than X where X*X=key (since you don’t know the key you can at least assume key/3=x, thus reducing your work by 3). Furthermore, you would never need to try any number that is even or that can be divided by 5. IOW, only try prime numbers) to get the password.

If you’re working with sensitive data, you better be sure you have a strong password and algorithm.

*There may be better ways to attack RSA, I was just giving a simple example.

Well, dictionary attacks are only useful if your password is in the dictionary. :wink: The huge advantage is that they’re extremely fast (you get the answer straight away).

You get the hash, and basically test words against it. Last time I tried a cracking program it did:

Straight try of dictionary words
Dictionary words backwards
Dictionary words with $ as S, 0 as o and that kind of thing
Brute force

On a P3 866 it took 2 hours to crack a 6 character alphanumeric password. Since you have 36 characters to try, it would take 36 times as long for a 7 char password. I didn’t put punctuation in as I couldn’t be bothered waiting to see how long it would take. This was without the program being given any clues to password length. It started with one and carried on.

bhb: You wouldn’t just try primes. It would take more processing to establish that the number was a prime than it would take to just try all odd. :slight_smile: