Prevent Hacking with Password-Cracking Countermeasures
Taking some general countermeasures can prevent hacking of your important passwords. A password for one system usually equals passwords for many other systems because many people use the same passwords on every system they use. For this reason, you might want to consider instructing users to create different passwords for different systems, especially on the systems that protect information that’s more sensitive.
The only downside to this is that users have to keep multiple passwords and, therefore, might be tempted to write them down, which can negate any benefits.
Storage of passwords
If you have to choose between weak passwords that your users can memorize and strong passwords that your users must write down, have readers write down passwords and store the information securely. Train users to store their written passwords in a secure place — not on keyboards or in easily cracked password-protected computer files. Users should store a written password in either of these locations:
A locked file cabinet or office safe
Full (whole) disk encryption which can prevent an intruder from ever accessing the OS and passwords stored on the system.
A secure password management tool such as
As an ethical hacker, you should show users the importance of securing their passwords. Here are some tips on how to do that:
Demonstrate how to create secure passwords. Refer to them as passphrases because people tend to take passwords literally and use only words, which can be less secure.
Show what can happen when weak passwords are used or passwords are shared.
Diligently build user awareness of social engineering attacks.
Enforce (or at least encourage the use of) a strong password-creation policy that includes the following criteria:
Use upper- and lowercase letters, special characters, and numbers. Never use only numbers. Such passwords can be cracked quickly.
Misspell words or create acronyms from a quote or a sentence. For example, ASCII is an acronym for American Standard Code for Information Interchange that can also be used as part of a password.
Use punctuation characters to separate words or acronyms.
Change passwords every 6 to 12 months or immediately if they’re suspected of being compromised. Anything more frequent introduces an inconvenience that serves only to create more vulnerabilities.
Use different passwords for each system. This is especially important for network infrastructure hosts, such as servers, firewalls, and routers. It’s okay to use similar passwords — just make them slightly different for each type of system, such as SummerInTheSouth-Win7 for Windows systems and Linux+SummerInTheSouth for Linux systems.
Use variable-length passwords. This trick can throw off attackers because they won’t know the required minimum or maximum length of passwords and must try all password length combinations.
Don’t use common slang words or words that are in a dictionary.
Don’t rely completely on similar-looking characters, such as 3 instead of E, 5 instead of S, or ! instead of 1. Password-cracking programs can check for this.
Don’t reuse the same password within at least four to five password changes.
Use password-protected screen savers. Unlocked screens are a great way for systems to be compromised even if their hard drives are encrypted.
Don’t share passwords. To each his or her own!
Avoid storing user passwords in an unsecured central location, such as an unprotected spreadsheet on a hard drive. This is an invitation for disaster. Use Password Safe or a similar program to store user passwords.
Here are some other password-hacking countermeasures:
Enable security auditing to help monitor and track password attacks.
Test your applications to make sure they aren’t storing passwords indefinitely in memory or writing them to disk. A good tool for this is WinHex.
Keep your systems patched. Passwords are reset or compromised during buffer overflows or other denial of service (DoS) conditions.
Know your user IDs. If an account has never been used, delete or disable the account until it’s needed. You can determine unused accounts by manual inspection or by using a tool such as DumpSec, a tool that can enumerate the Windows operating system and gather user IDs and other information.
As the security administrator in your organization, you can enable account lockout to prevent password-cracking attempts. Account lockout is the ability to lock user accounts for a certain time after a certain number of failed login attempts has occurred. Most operating systems have this capability.
Don’t set it too low, and don’t set it too high to give a malicious user a greater chance of breaking in. Somewhere between 5 and 50 might work for you. Consider the following when configuring account lockout on your systems:
To use account lockout to prevent any possibilities of a user DoS condition, require two different passwords, and don’t set a lockout time for the first one if that feature is available in your operating system.
If you permit autoreset of the account after a certain period — often referred to as intruder lockout — don’t set a short time period. Thirty minutes often works well.
A failed login counter can increase password security and minimize the overall effects of account lockout if the account experiences an automated attack. A login counter can force a password change after a number of failed attempts. If the number of failed login attempts is high and occurred over a short period, the account has likely experienced an automated password attack.
Other password-protection countermeasures include
Stronger authentication methods. Examples of these are challenge/response, smart cards, tokens, biometrics, or digital certificates.
Automated password reset. This functionality lets users manage most of their password problems without getting others involved. Otherwise, this support issue becomes expensive, especially for larger organizations.
Password-protect the system BIOS. This is especially important on servers and laptops that are susceptible to physical security threats and vulnerabilities.