Not all passwords are created equal
Password protection is the most common method of identity verification used by Windows operating systems. Although many other methods exist on the market, for example smart cards or biometrics, the majority of workstations continue to use the login and password combination.
Some companies require that their users' passwords meet basic requirements. This set of rules is called a “password policy” and is part of the general security policy. A password policy defines basic parameters such as the length, structure and validity period of user passwords.
But, as a general rule, most organizations do not have an elaborate password policy, and what policy they have is not well enforced, allowing users to ignore it. The complexity of passwords may therefore vary considerably.
Many companies have been strongly influenced by regulatory legislation such as Sarbanes-Oxley (USA), HIPAA (USA), J-SOX (Japan) and LSF (France) to impose certain rules for creating passwords. These rules pertain to such things as password length or password structure. Despite these measures, there is no guarantee that passwords are really safe and will survive an attack.
The majority of popular passwords are nothing but words from the user's mother tongue. Sometimes the words used as passwords can be found in the user's daily life: birth year, pet name, phone number, credit card number and so on. Possessing such information works in an intruder's favor and makes the victim a sitting duck.
Changing a password doesn't really improve the situation. A new password is often a slightly modified version of the previous one, or is created by the same principle (for example, John1 becomes Mary2). This is how most users cope with the regular password changes prescribed by security policy.
Moreover, having broken into a victim's computer once, an experienced intruder can remain its invisible master for a long time with the help of spyware, remote access utilities and other means.
How to find a weak password?
There are currently several basic methods of finding passwords with the help of software:
1. Brute force attack
2. Mask attack
3. Dictionary search
4. Rainbow table attack
Let's review some of these methods in detail, because doing so is crucial for understanding the characteristics of a weak password.
Brute force attack
A brute force attack is simple: to find a password, a program tries every possible combination of symbols. The search may be restricted to a certain length, to a symbol type (letters, digits or other) or to a set of symbols that should be tried first.
The time needed to recover a password by brute force depends on the password length, the set of symbols, the performance of the PC and the type of the password-protected file.
Of course, the correct password may be found early, and the program will not have to try all the possible combinations. But surely trying every password would take years on an average PC? Let's see.
The password search speed for Windows logon hashes is 10 million combinations per second. For an LM hash the maximum effective password length is 7 symbols (the password is limited to 14 symbols and is split into two halves of 7, each hashed separately), and the hash makes no distinction between lowercase and uppercase letters. If a password contains 7 symbols, a brute force attack will succeed in 2 hours.
An NTLM hash requires more time, about 4 days, to find a 7 symbol password, because lowercase and uppercase letters are distinguished and both must be tried. If a password contains 8 symbols, “hacking” it will require about 8 months. Attacking more complex passwords by brute force, such as those which also include punctuation symbols, takes years.
Password length is an appropriate protection from brute force attack.
Mask attack
If you possess some information about a password, for example its length or some of its symbols, you can try to recover it with a mask attack, which limits the search range.
For example, if you know that a password starts with the name “john” or ends with the date “1977”, you can use the search templates “john???” and “????1977”. Unknown symbols, known as wildcards, are designated by question marks in the pattern.
A mask attack makes sense because the program has to try fewer combinations, allowing a password to be found in less time. To protect yourself from intrusion, avoid using words and combinations which can be easily derived from other sources.
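The figures in the brute force section and the reduced search range of the mask section both come from the same arithmetic: the number of candidates divided by the guessing rate. The following Python script is an added example, not code from the original article; it reproduces the article's 2 hours, 4 days and 8 months from its stated rate of 10 million guesses per second, and shows how a mask such as “john???” shrinks the search. The symbol sets (36 lowercase letters and digits, 62 mixed-case letters and digits, 94 with punctuation), the 7+7 model of LM hashing, the worst-case assumption that every candidate is tried, and the 30-day month are assumptions of this example.

```python
"""Search-space and search-time estimates for the brute force and mask
attacks described above.  Added example, not code from the article: the
only figure taken from the text is the rate of 10 million guesses per
second for Windows logon hashes; the symbol sets, the 7+7 model of LM
hashing and the 30-day month are assumptions of this example."""

import string

GUESSES_PER_SECOND = 10_000_000  # rate quoted in the article

# Assumed symbol sets.  LM hashing uppercases the password, so lowercase
# and uppercase letters collapse into one set of 26 before hashing.
LOWER_DIGITS = string.ascii_lowercase + string.digits          # 36 symbols
MIXED_DIGITS = LOWER_DIGITS + string.ascii_uppercase            # 62 symbols
MIXED_DIGITS_PUNCT = MIXED_DIGITS + string.punctuation          # 94 symbols


def brute_force_candidates(charset: str, length: int) -> int:
    """Strings of exactly `length` symbols drawn from `charset`."""
    return len(set(charset)) ** length


def lm_candidates(charset: str, length: int) -> int:
    """Work to brute-force an LM hash of a `length`-symbol password.

    Model (assumed): the password is cut to 14 symbols, uppercased and split
    into two 7-symbol halves that are hashed and therefore searched
    independently.  The cost is the sum of the two halves' keyspaces, not
    charset ** length, which is why a 14-symbol LM password costs only
    twice as much as a 7-symbol one.
    """
    folded = len(set(charset.upper()))      # case folding shrinks the set
    length = min(length, 14)
    first_half = min(length, 7)
    second_half = max(length - 7, 0)
    total = folded ** first_half
    if second_half:
        total += folded ** second_half
    return total


def ntlm_candidates(charset: str, length: int) -> int:
    """NTLM is case-sensitive: every symbol of the charset stays distinct."""
    return brute_force_candidates(charset, length)


def mask_candidates(mask: str, wildcard_charset: str) -> int:
    """Candidates for a mask such as 'john???', where each '?' may be any
    symbol of `wildcard_charset` and every other character is fixed."""
    unknown = mask.count("?")
    return len(set(wildcard_charset)) ** unknown


def seconds_to_search(candidates: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst case: every candidate is tried before the password is found."""
    return candidates / rate


def describe(seconds: float) -> str:
    """Human-readable duration (30-day months and 365-day years assumed)."""
    units = (("years", 365 * 86400), ("months", 30 * 86400),
             ("days", 86400), ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.3f} seconds"


if __name__ == "__main__":
    cases = [
        ("LM, 7 symbols, letters+digits", lm_candidates(LOWER_DIGITS, 7)),
        ("LM, 14 symbols, letters+digits", lm_candidates(LOWER_DIGITS, 14)),
        ("NTLM, 7 symbols, mixed case+digits", ntlm_candidates(MIXED_DIGITS, 7)),
        ("NTLM, 8 symbols, mixed case+digits", ntlm_candidates(MIXED_DIGITS, 8)),
        ("NTLM, 8 symbols, with punctuation", ntlm_candidates(MIXED_DIGITS_PUNCT, 8)),
        ("mask john???", mask_candidates("john???", LOWER_DIGITS)),
        ("mask ????1977", mask_candidates("????1977", LOWER_DIGITS)),
    ]
    for label, n in cases:
        print(f"{label:38s} {n:>22,d} candidates  {describe(seconds_to_search(n))}")
```

Running the script prints one line per case. The LM rows are the point of the exercise for a defender: doubling the password length from 7 to 14 symbols only doubles the attacker's work, whereas the NTLM rows grow by a factor of the symbol-set size for every added symbol, and the mask rows show that a password whose structure is known (a name, a year) is searched in a fraction of a second regardless of its total length.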