Types of High-Tech Password Cracking
High-tech password cracking is a type of hacking that involves using programs that guess a password by determining all possible password combinations. The main password-cracking methods are dictionary attacks, brute-force attacks, and rainbow attacks.
Dictionary attacks quickly compare a set of known dictionary-type words — including many common passwords — against a password database. This database is a text file with hundreds if not thousands of dictionary words typically listed in alphabetical order.
For instance, suppose that you have a dictionary file that you downloaded from one of the sites in the following list. The English dictionary file at the Purdue site contains one word per line starting with 10th, 1st . . . all the way to zygote.
Many password-cracking utilities can use a separate dictionary that you create or download from the Internet. Here are some popular sites that house dictionary files and other miscellaneous word lists:
Don’t forget to use other language files as well, such as Spanish and Klingon.
Dictionary attacks are only as good as the dictionary files you supply to your password-cracking program. You can easily spend days, even weeks, trying to crack passwords with a dictionary attack. If you don’t set a time limit or similar expectation going in, you’ll likely find that dictionary cracking is often a mere exercise in futility. Most dictionary attacks are good for weak (easily guessed) passwords.
However, some special dictionaries have common misspellings or alternative spellings of words, such as pa$$w0rd (password) and 5ecur1ty (security). Additionally, special dictionaries can contain non-English words and thematic words from religions, politics, or Star Trek.
Brute-force attacks can crack practically any password, given sufficient time. Brute-force attacks try every combination of numbers, letters, and special characters until the password is discovered. Many password-cracking utilities let you specify such testing criteria as the character sets, password length to try, and known characters (for a “mask” attack).
A brute-force test can take quite a while, depending on the number of accounts, their associated password complexities, and the speed of the computer that’s running the cracking software. As powerful as brute-force testing can be, it literally can take forever to exhaust all possible password combinations, which in reality is not practical in every situation.
Smart hackers attempt logins slowly or at random times so the failed attempts aren’t as obvious in the system log files. Some malicious users might even call the IT help desk to attempt a reset of the account they just locked out. This social engineering technique could be a major issue, especially if the organization has no mechanisms in place to verify that users are who they say they are.
Can an expiring password deter a hacker’s attack and render password-cracking software useless? Yes. After the password is changed, the cracking must start again if the hacker wants to test all the possible combinations.
This is one reason why it’s a good idea to change passwords periodically. Shortening the change interval can reduce the risk of passwords being cracked but can also be politically unfavorable in your business. You have to strike a balance between security and convenience/usability. Refer to the United States Department of Defense’s Password Management Guideline document for more information on this topic.
Exhaustive password-cracking attempts usually aren’t necessary. Most passwords are fairly weak. Even minimum password requirements, such as a password length, can help you in your testing. You might be able to discover security policy information by using other tools or via your web browser. If you find this password policy information, you can configure your cracking programs with more well-defined cracking parameters, which often generate faster results.
A rainbow password attack uses rainbow cracking to crack various password hashes for LM, NTLM, Cisco PIX, and MD5 much more quickly and with extremely high success rates (near 100 percent). Password-cracking speed is increased in a rainbow attack because the hashes are precalculated and thus don’t have to be generated individually on the fly as they are with dictionary and brute-force cracking methods.
Unlike dictionary and brute-force attacks, rainbow attacks cannot be used to crack password hashes of unlimited length. The current maximum length for Microsoft LM hashes is 14 characters, and the maximum is up to 16 characters (dictionary-based) for Windows Vista and 7 hashes. The rainbow tables are available for purchase and download via the ophcrack site.
There’s a length limitation because it takes significant time to generate these rainbow tables. Given enough time, a sufficient number of tables will be created. Of course, by then, computers and applications likely have different authentication mechanisms and hashing standards — including a new set of vulnerabilities — to contend with. Job security for ethical hacking never ceases to grow.
If you have a good set of rainbow tables, such as those offered via the ophcrack site and Project RainbowCrack, you can crack passwords in seconds, minutes, or hours versus the days, weeks, or even years required by dictionary and brute-force methods.