Password cracking
Password cracking is the process of recovering secret passwords from data that has been stored in or transmitted by a computer system, typically by repeatedly verifying guesses for the password. The purpose of password cracking might be to help a user recover a forgotten password (though installing an entirely new password is less of a security risk), to gain unauthorized access to a system, or as a preventive measure by the system administrator to check for easily crackable passwords.
Prevention
The best method of preventing password cracking is to ensure that attackers cannot get access even to the encrypted password. For example, on the Unix operating system, encrypted passwords were originally stored in a publicly accessible file, "/etc/passwd". On modern Unix (and similar) systems, on the other hand, they are stored in the file "/etc/shadow", which is accessible only to programs running with enhanced privileges (i.e., 'system' privileges). This makes it harder for a malicious user to obtain the encrypted passwords in the first place. Unfortunately, many common network protocols transmit the hashed passwords to allow remote authentication.
Even if the attacker has no access to the password database itself, an attacker should also be prevented from using the system itself to check a large number of passwords in a relatively small amount of time. For this reason, many systems include a significant forced delay (a few seconds is generally sufficient) between the entry of the password and returning a result. It is also good policy to (temporarily) lock out an account that has been subjected to 'too many' incorrect password guesses, although this could be exploited to launch a denial of service attack. 'Too many' in this context is frequently taken to be something like more than 3 failed attempts in 90 seconds, or more than a dozen failed attempts in an hour.
It is also imperative to choose good passwords (see password for more information) and a good encryption or hash algorithm that has stood the test of time. AES, SHA-1, and MD5 are excellent candidates. Good implementations, including adequate salt, are also required. Key derivation functions, such as PBKDF2, are hashes that consume relatively large amounts of computer time so as to slow down the rate at which an attacker can test guesses, even if the hashed password is available.
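The two server-side defences described above, the failed-attempt lockout thresholds and salted, slow password hashing, as one added example (not code from the original article). It assumes a PBKDF2-HMAC-SHA256 work factor, a 15-minute lock duration, and in-memory bookkeeping; all three are assumptions, and the lockout thresholds are the ones the text quotes.

```python
"""Salted PBKDF2 storage plus a sliding-window failed-attempt lockout."""
import hashlib
import hmac
import os
from collections import defaultdict, deque

ITERATIONS = 100_000                   # assumed work factor; raise it in production
LOCKOUT_RULES = ((3, 90), (12, 3600))  # (max failures, window in seconds), from the text
LOCK_DURATION = 900                    # assumed: locks are temporary to limit the DoS risk


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest). A fresh random salt defeats precomputed tables."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def check_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the slow hash under the stored salt; compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


class LoginGuard:
    """Tracks failure timestamps per account and enforces LOCKOUT_RULES."""

    def __init__(self):
        self._failures = defaultdict(deque)  # account -> recent failure times
        self._locked_until = {}

    def locked(self, account: str, now: float) -> bool:
        return self._locked_until.get(account, 0) > now

    def attempt(self, account, password, salt, digest, now: float) -> bool:
        if self.locked(account, now):
            return False                     # rejected before any hashing work
        if check_password(password, salt, digest):
            self._failures.pop(account, None)
            return True
        q = self._failures[account]
        q.append(now)
        longest = max(window for _, window in LOCKOUT_RULES)
        while q and now - q[0] > longest:    # forget failures older than any window
            q.popleft()
        for limit, window in LOCKOUT_RULES:
            if sum(1 for t in q if now - t <= window) > limit:
                self._locked_until[account] = now + LOCK_DURATION
                break
        return False
```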
However, no amount of effort put into preventing password cracking can be sufficient without a well-designed and well-implemented security policy. The canonical, appalling, and all too common example of this is the user who leaves their password on a Post-It note stuck to their monitor or under their keyboard. Even sophisticated users who have been warned repeatedly are known to have such lapses.
and are licensed under the GNU Free Documentation License.
Lexicon - Privacy Policy - Spiritus-Temporis.com ©2005.
