Hi,

I was wondering if anyone knows how a computer password is cracked, why cant they have full proof encryption. I dont know a lot about this.

My understanding was that password cracks are "brute force" where a program guesses until the correct password is reached. But this doesnt make sense because a password longer then about 10 characters would take years to crack just by guessing. So how is it done?

Thanks

This is one way it can be sped up: http://en.wikipedia.org/wiki/Rainbow_table

Use this knowledge for good, not evil.

Hi,

I was wondering if anyone knows how a computer password is cracked, why cant they have full proof encryption. I dont know a lot about this.

My understanding was that password cracks are "brute force" where a program guesses until the correct password is reached. But this doesnt make sense because a password longer then about 10 characters would take years to crack just by guessing. So how is it done?

Thanks


Most people use passwords much shorter than 10 characters, which makes things easier for crackers. Many people use real words as part of their passwords, so crackers often write password cracking programs which combine real words with letters and numbers to increase their chances.

In addition to the above methods, sometimes the algorithm used to encode a password is flawed and things can be decoded.

In addition to the above methods, sometimes the algorithm used to encode a password is flawed and things can be decoded.

For example in NTLM (The type of authentication Microsoft used to use) longer passwords could be cracked in parts. Crack the first 8 characters, then work on the ones after. NTLM is turned off bt default not, but you still need to turn it back on if there are old Windows 98, Windows ME machines connecting.

In addition, there are plenty of easy ways to get passwrods. The most common are social engineering where you convince people to send you their password, and keystroke loggers installed in trojens that record what you type in and send to someone. These can get on your computer via "free" software you download, or in some cases simply clicking "close" on a pop-up.

I don't know much about this myself but I do remember the old Excel worksheet protection passwords were encrypted in such a way that there were far less encrypted versions than there were actual passwords (i.e. many different words encrypted to the same string) which massively narrows down the brute force search.

In addition to what others have said, if you don't care about getting a specific person's password you can just grab the low-hanging fruit provided by people with dumb passwords.

Try a few million usernames and you'll probably find someone whose password is "letmein" or "password".

WEP encryption is notoriously flawed. 128 bit password takes 60 seconds.

One ex member here had the bright idea of saying that if you type your password for the forum in a thread it would be **** out. I think he was hoping to get people to type their password, then he could use their user name. For that he was justly banned.

Hi,

I was wondering if anyone knows how a computer password is cracked, why cant they have full proof encryption. I dont know a lot about this.

My understanding was that password cracks are "brute force" where a program guesses until the correct password is reached. But this doesnt make sense because a password longer then about 10 characters would take years to crack just by guessing. So how is it done?

Thanks

If you have physical access you really don't need to bruteforce. You can usually just use a boot disk and then change the password file(ie, reset or clear the password).

You can do that on most operating systems.

Other times you can just circumvent a password, ie jump to code that is executed after password validation.

WEP encryption is notoriously flawed. 128 bit password takes 60 seconds.

Yup, it was an encryption scheme designed by non-cryptographers. It makes some other fundamental mistakes.

If you have physical access you really don't need to bruteforce. You can usually just use a boot disk and then change the password file(ie, reset or clear the password).

Correct. An author friend of mine asked me about password hacking, and that's what I told her (in the plot they had physical access -- game over).

My work just implemented complex passwords. Super secure except that nobody can remember them unless they write them down, or use some a pattern of keys. Net result.... pissed off users and greatly degraded security.

I hate passwords. About the only good thing about them is that most of the alternatives are even worse.

We've got finger print sensors on the door of our machine room. They don't work so good if you're in a rush or stressed.

We've got finger print sensors on the door of our machine room. They don't work so good if you're in a rush or stressed.

Or have MythBusters in the area http://www.metacafe.com/watch/250607/mythbusters_high_tech_security_system/

A long time ago when the internet was starting to become popular in the mainstream, I just observed chat rooms and forums, got their birthdate, zip code, and would sometimes prompt answers to security questions like "What was your first dog?"

There's lots of morons who will say something like "96814 reprezent" and willingly give out personal information to make it easy to get into Email.

Once Email is accessed, it's easy to get passwords sent to that Email account from all sorts of places.

I did this as curiousity and didn't tamper with their profiles or send Emails to their contact list.


So even if you're not some computer expert, there are lots of idiots out there to take advantage of with a few tricks. Sort of like how woo cons people.

But this topic is interesting cause I never understood how people hack aside from brute force programs. The Rainbow Table link is cool. :)

But this topic is interesting cause I never understood how people hack aside from brute force programs. The Rainbow Table link is cool. :)

Ok, here's another story of password retrieval. It required an account on the target machine, so you could use it for privilege escalation. The authentication routine would reject the password at the first wrong character it reached. Of course this didn't happen at the keyboard level, but at the internal level of the authentication routine scanning the string passed to it. However, if you arranged for the password to straddle a page boundary, and arranged for the second page to be paged out, you could, through timing, guess how far along the password the checker had got. Of course there's some randomness here, and arranging for a just written-to page to be probably paged out is tricky. But it did work, and it did cause a software update to make the scanner scan the whole password regardless. Hm, not sure why you'd simply do this where the next page wasn't available and catch a segmentation fault. I think it was VMS and I'm not very familiar with its internals.

There is also just good old detective work, many people use very plain passwords that can be obtained with a little guess work, child names, years of birth silly things like that. Then someone can find this information and just try it.
And since many people use the same password on multiple systems, bingo.

I hate passwords. About the only good thing about them is that most of the alternatives are even worse.

Try OTP tokens. Push butan, receive password.

Ok, here's another story of password retrieval. It required an account on the target machine, so you could use it for privilege escalation. The authentication routine would reject the password at the first wrong character it reached. Of course this didn't happen at the keyboard level, but at the internal level of the authentication routine scanning the string passed to it. However, if you arranged for the password to straddle a page boundary, and arranged for the second page to be paged out, you could, through timing, guess how far along the password the checker had got. Of course there's some randomness here, and arranging for a just written-to page to be probably paged out is tricky. But it did work, and it did cause a software update to make the scanner scan the whole password regardless. Hm, not sure why you'd simply do this where the next page wasn't available and catch a segmentation fault. I think it was VMS and I'm not very familiar with its internals.

No, it could not have been VMS. That's never been the way VMS checks passwords.

And, yes, I am very familiar with VMS internals - that's my job, and has been for the last 27 years.

There's the classic Sarah Palin email hack of course. A public figure using publicly known information as the answer to their "secret question".

Easiest way:

Ask the person for their password. My organization has something like 80,000 active users at any given time. Many, many times per month (as in, millions of times per month) we get hit with phishing spam asking people to email their passwords; for every 10,000 or so that make it through the filters into people's email, maybe 2 or 3 people dutifully - and stupidly - supply their email password to the spammers. We know this because typically within 24 hours the account is being used to send spam through our mail servers, which gets detected automatically & stopped.

Less easy way:

Get a keylogger installed on the client machine and wait for them to type the password in to some website, application, what have you, retrieve the logs, find the passwords & use them. This is the method most often used by people looking for passwords to online games such as World of Warcraft or to online banking sites. This can be thwarted with a 2-tier authentication system like passwords & tokens, provided the keylogger isn't reading the input in realtime (some can.)

Less easy still:

Bombard the server/website/whatever with authentication attempts using either a list of likely account names or a known account name, and a series of passwords based on dictionary words (hence the name "dictionary attack.") A properly secured system isn't terribly vulnerable to this method since it will block addresses and/or lock accounts after some number of failed login attempts, but improperly secured systems abound.

Other methods exist, including the rainbow table lookup referenced earlier, but are even less easy that what I'd consider to be the big three above.

Hi,

I was wondering if anyone knows how a computer password is cracked, why cant they have full proof encryption. I dont know a lot about this.

My understanding was that password cracks are "brute force" where a program guesses until the correct password is reached. But this doesnt make sense because a password longer then about 10 characters would take years to crack just by guessing. So how is it done?

Thanks
I read once where a mans computer was confiscated because the police suspected he had child porn on it. Apparently the portion of his computer with the alledged porn was protected by a very well executed password. He refused to give them the password using the fifth amendment. I don't know how this turned out. The police said they were going to get help cracking the password but like I said I have no idea how this turned out.

Read in a book where a hacker stole the encrypted password list. System Admin thought the hacker was "teh dumz", but figured out that the hacker either stole or had access to the encryption process. (Can't remember if the program was well documented or free or source code available or what, but I think there was a exploitable flaw in it). System Admin then realized hacker was going to password-encrypt a dictionary and then compare the password file with the dictionary file to see if anyone is using standard words.

Just a note:
There is a difference between passwords that are encrypted via a two-way algorithm and a password that goes through a one way hashing algorithm such as MD5 or SHA.
For example, the hash of the string "foo" is "acbd18db4cc2f85cedef654fccc4a4d8"
Attempting to get foo from that string, without using a dictionary, would take a lot more computer power than a password that has been encrypted using a two-way algorithm.
An easy way to avoid a brute force attack that uses a lookup table, is to salt the password:
$salt="foo";
$hash_to_be_stored_in_db m = MD5($password . $salt)

The only time I've ever had a computer account 'broken in' to....

This was back in high school, early 1980s. For most of my educational career, we had been using Commodore PET computers, using tape drives and Commodore BASIC.

In my second last year in high school, we had gotten a new set of ICON computers. These were Unix workstations, networked to a common server. Our teachers at the time weren't used to dealing with this type of technology. Still, they had set up accounts for us, and asked us to create a password, and tell them what it was. (I guess they didn't understand what the 'root' account was at the time...)

In our first programming assignment on the new computers, we had to write a simple program in C. (Our teachers at the time didn't know the language, so there was a lot of stumbling and guess-work.) After a lot of trial and error, I got my program working.

Next day, I went to log in, and found out that all of my source code was gone. Instead, the file consisted of just my password, in the middle of the screen. Initially, I thought it was some sort of technical glitch.

Later, one of the other students jokenly commented to me about how he broke in to my account and erased my source code. How did he break in? The teacher had left the list of passwords out on his desk....

The moral of the story? The weakest part of any security system is likely going to be the meatware (i.e. the humans).

Some basic rules for breaking passwords using brute force:
- Use every word in the dictionary
- Use every word in the dictionary with the first letter capitalized
- Use every word in the dictionary with a '1' at the end
- Use every word in the dictionary with the letters reversed

I don't know much about this myself but I do remember the old Excel worksheet protection passwords were encrypted in such a way that there were far less encrypted versions than there were actual passwords (i.e. many different words encrypted to the same string) which massively narrows down the brute force search.

'crypt'

the process converts a password into a number value, which is stored; different passwords will convert to the same number value, which means that there can be more than one password that will be accepted as a match;

Those interested in this subject should be sure to read The Cuckoo's Egg by Clifford Stoll. It's an epic tale of how he traced and caught a German hacking group plundering American military and university computers and selling secrets to the Russians.

Those interested in this subject should be sure to read The Cuckoo's Egg by Clifford Stoll. It's an epic tale of how he traced and caught a German hacking group plundering American military and university computers and selling secrets to the Russians.

Indeed, an interesting period of my history. I feature in the book :o

I was the whistle-blower.

Those interested in this subject should be sure to read The Cuckoo's Egg by Clifford Stoll. It's an epic tale of how he traced and caught a German hacking group plundering American military and university computers and selling secrets to the Russians.

For anyone who's too lazy to read (or doesn't know how), the Cuckoo's egg was later used as the basis of a NOVA program. I have a very old video tape copy of it (although you may be able to find copies availabe for download...)

Those interested in this subject should be sure to read The Cuckoo's Egg by Clifford Stoll. It's an epic tale of how he traced and caught a German hacking group plundering American military and university computers and selling secrets to the Russians.

Seconded. This includes someone copying the password file for a dictionary attack.
It was the first episode of the TV show "Science Fiction" - dramatized accounts of real world science often with the real guy playing himself. As Cliff did.

And since many people use the same password on multiple systems, bingo.

I used to run a web-coupon distribution website and a mailing list for a software tool. Both required passwords for users. In both cases we stored passwords in encrypted format, as should be done. We could have, if we were dishonest, kept unencrypted versions of them and checked to see if they worked for the same usernames at yahoo mail, gmail, bank websites, etc. So the lesson is, don't use the same password for multiple sites.

Beware of any website that sends you your password if you forget it. That means they are storing the unencrypted version, and if someone breaks into their system or an employee gets ambitious, they could get them all. If they generate and send you a new password when you forget yours, then they are probably storing them in encrypted form.

Indeed, an interesting period of my history. I feature in the book :o

I was the whistle-blower.

Really? Do elaborate.

My work just implemented complex passwords. Super secure except that nobody can remember them unless they write them down, or use some a pattern of keys. Net result.... pissed off users and greatly degraded security.

Educate them on ways to come up with strong passwords that they can easily remember-

http://www.microsoft.com/protect/fraud/passwords/create.aspx

Other times you can just circumvent a password, ie jump to code that is executed after password validation.

It sounds like you would need the source code to do this?

http://xkcd.com/538/

It sounds like you would need the source code to do this?
No. You would have to have the authority to write to the binary, either on disk or in memory.

It sounds like you would need the source code to do this?

Nope. It's done by modifying the executable.

One ex member here had the bright idea of saying that if you type your password for the forum in a thread it would be **** out. I think he was hoping to get people to type their password, then he could use their user name. For that he was justly banned.

Sounds like he was just referencing this old IRC prank:
http://www.bash.org/?244321

Try a few million usernames and you'll probably find someone whose password is "letmein" or "password".

There was one system I used where over 5% of the several hundred users had their passwords equal to their usernames.

.

Educate them on ways to come up with strong passwords that they can easily remember-

http://www.microsoft.com/protect/fraud/passwords/create.aspx

That method may work for one password, however it is useless to remember heaps of passwords. I once tried to count the number of passwords I need, however I ran out of fingers and I did not want to take my shoes off.


Edit. Just gave this thread two tags. They show mostly old threads, but some could be a good read.

If you have physical access you really don't need to bruteforce. You can usually just use a boot disk and then change the password file(ie, reset or clear the password).

You can do that on most operating systems.


There was a simple way to get into a computer protected with a BIOS password. You just open open up the computer and disconnect the BIOS battery for a few seconds, so it forgets it ever had a password.

Not very useful... most users don't even know how to get into BIOS, let alone how to set the password.

(I'm not even sure if computers still use a battery for BIOS either. It's been a few years since I've messed around inside of one.)

I don't know much about this myself but I do remember the old Excel worksheet protection passwords were encrypted in such a way that there were far less encrypted versions than there were actual passwords (i.e. many different words encrypted to the same string) which massively narrows down the brute force search.
Yes you can break an Excel worksheet protection password with a macro in the same workbook! It takes about 5 to 10 mins (in my experience).

Another nasty attack is to replace a system service with a bat file that will created an administrator account, then get the service to run. You used to be able to do this with the screen saver under windows XP! :)

If you have physical access you really don't need to bruteforce. You can usually just use a boot disk and then change the password file(ie, reset or clear the password).

You can do that on most operating systems.

Indeed. My daughter locked the only admin account on her new, Vista based laptop - reckons she tried to change the password, changed her mind halfway through then instead of cancelling, used the back button to 'undo' it. Password actually seemed to be corrupt - no combination of old or what she'd tried to change it to worked. Other accts on the laptop didn't give you rights to create or amend an admin account so she was effectively locked out of it.

I created a Linux boot disk, booted from that, accessed the Windows registry and edited out the password - effectively re-setting it so there wasn't one. Worked a treat.

Our work PCs have whole disk encryption so if they're stolen, even transferring the disk to a second machine as a slave disk will not allow access to the contents.

Really? Do elaborate.

Start with this posting on news://comp.risks (http://catless.ncl.ac.uk/Risks/5.64.html#subj1) (though the "European Microbiology Lab" mentioned should be the "European Molecular Biology Laboratory (http://www.embl.de)").

I don't want to reveal my real name easily (though it's not difficult to find through my Blue Bubble nickname, and it's clear from the comp.risks entry and the reference to EMBL above).

Them was interesting times (and it all ended with real tragedy - if I remember names correctly, I think it was Pengo who "died"). And to add to it all, it was all taking place round the time when my older son was born in July 1987.

If you want more details, PM me.

Indeed, an interesting period of my history. I feature in the book :o

I was the whistle-blower.

Wow.

There was a simple way to get into a computer protected with a BIOS password. You just open open up the computer and disconnect the BIOS battery for a few seconds, so it forgets it ever had a password.

Not very useful... most users don't even know how to get into BIOS, let alone how to set the password.

(I'm not even sure if computers still use a battery for BIOS either. It's been a few years since I've messed around inside of one.)

It is nugger to get to as well, but hey if you have the time, it works. Many techs have to do it at work, there are machines that do not have the standard IT password because they were set up in the old days before the unified IT department.

One of these gets a problem and you need to get into the system but the employee who enterd 'my little pookey' is unknown, not employeed and was a moron to begin with. So pop out the BIOS battery and wait.

Although the LINUX trick sounds good.

There's an even simpler method. Type "override security" and here's the trick, do it twice the second time in a masterful manner. Seen it in the movies.

There was a simple way to get into a computer protected with a BIOS password. You just open open up the computer and disconnect the BIOS battery for a few seconds, so it forgets it ever had a password.

Not very useful... most users don't even know how to get into BIOS, let alone how to set the password.

(I'm not even sure if computers still use a battery for BIOS either. It's been a few years since I've messed around inside of one.)

Well, usually there are "master passwords" for BIOSes. At least back then when i was working in a computer company, assembling and servicing machines, we got lists of master passwords for the various BIOS revisions of several manufacturers, like AMI, Award or Phoenix.

With the rise of the internet, partial lists are also available online now. Like this one (http://www.xs4all.nl/~matrix/mpwlist.html) for example. With some spare time you can search the net and compile a bigger master-password-file out of all the lists you find. However, most of these lists don't tell you what password is valid for what revision of the BIOS.

BIOS passwords are usually the weakest ones in terms of protection, since they can be overridden easily by using such lists.

Don't know if that's the still valid today, but i guess it is.

Greetings,

Chris

I read once where a mans computer was confiscated because the police suspected he had child porn on it. Apparently the portion of his computer with the alledged porn was protected by a very well executed password. He refused to give them the password using the fifth amendment. I don't know how this turned out. The police said they were going to get help cracking the password but like I said I have no idea how this turned out.

As I recall it turned out that the judge decided that refusing to give the password was the equivalent of refusing to hand over your private files, not the equivalent of refusing to give testimony against oneself. In other words, it's contempt of court and you can sit in a cell until you remember the password.

Well, the BIOS battery trick doesn't work on a lot of machines. Try it on a laptop sometime :)
I remember a couple of tricks I did in my youth: replicating the BIOS password screen with a C program, disabling C-A-D and leaving the machine turned on at night, so when the IT manager came in in the morning they dutifully typed in the password, thought to themselves "I must have got it wrong" because my app said they had, all the while logging their keystrokes.
Tricking people is the easiest thing. We used to send mail from other people's accounts by the cheesiest trick in the book - edit the binary, find an instance of "%s" near "please enter your password" and change it for a carriage return. On systems which didn't do any encrypting, which was common back in the dark ages, this resulted in the program comparing what you typed with an empty string. Once you were in, you could do anything.
Some machines in said dark ages I remember were secured with physical locks instead of passwords. Two paperclips and 60 seconds in front of the terminal meant you could add another account with admin rights and come back in a week to use it. Once you have access to one thing, you can get access to more.
Things aren't much different now - the technology has improved, but the ways around it are often still, like magic tricks, a lot simpler than you'd guess.

Yeah, it tends to not work on modern laptops. The reason, of course, is because they are so easy to steal. The password is now stored in separate non-volatile memory that doesn't require battery power. Sucks if you forget it, but it can be reset by the manufacturer if you can prove ownership.

The only actual need for a battery is to power the clock, and even this isn't needed most of the time because laptops tend to always have a battery plugged in anyway, and desktop machines have standby power even when you turn it "off" (most people don't seem to realize this, but the machine has access to 5V up to about 1A even when off).

Them was interesting times (and it all ended with real tragedy - if I remember names correctly, I think it was Pengo who "died").


It was Hagbard (http://en.wikipedia.org/wiki/Karl_Koch_(hacker)).

(most people don't seem to realize this, but the machine has access to 5V up to about 1A even when off).


My desktop doesn't... I've set up a seperate switch that turns off the power to the 4-in-one powerboard the computer/monitor/printer is plugged into. It bugged me that when the computer was off, the monitor would still have standby-power and the optical mouse would light-up every time I bumped it.

:)

I liked how the old computers had an actual power switch instead of a silly on/off button.

It was Hagbard (http://en.wikipedia.org/wiki/Karl_Koch_%28hacker%29).


Ah, yes, thanks, of course it was Hagbard. It was with Hagbard I had my initial on-line "conversation" that alerted me to the goings-on. Tragic and sad though his death was, he was extremely naïve.

This brings back floods of memories.

There is also session hijacking or "side jacking" which bypasses the need for password cracking.


http://en.wikipedia.org/wiki/Sidejacking#Methods

Just a note:
There is a difference between passwords that are encrypted via a two-way algorithm and a password that goes through a one way hashing algorithm such as MD5 or SHA.
For example, the hash of the string "foo" is "acbd18db4cc2f85cedef654fccc4a4d8"
Attempting to get foo from that string, without using a dictionary, would take a lot more computer power than a password that has been encrypted using a two-way algorithm.
An easy way to avoid a brute force attack that uses a lookup table, is to salt the password:
$salt="foo";
$hash_to_be_stored_in_db m = MD5($password . $salt)

It's true that passwords are typically hashed when stored in a databse - so if an attacker steal the database he only has access to the hashes and can't easily know which plaintext password is responsabile for which entry.

But I have no idea what you mean when you say that "a password that is encrypted via a two-way algorithm" would take less computer power to decrypt. Two-way encyption algorithms (also called synchronous encryption algorithms) are used in completely different contexts for completely different purposes, and varely rarely to encrypt "passwords" (unless you're assuming that password = session key). And modern two-way algorithm are considered impossible to break in practice (at least with regard to a brute-force break). In fact, giving the state of the SHA familly of algorithms, I would put my trust on AES way before SHA-2 or even SHA-256 (assuming these algorithms were used in the same contexts, which isn't the case).

I read once where a mans computer was confiscated because the police suspected he had child porn on it. Apparently the portion of his computer with the alledged porn was protected by a very well executed password. He refused to give them the password using the fifth amendment. I don't know how this turned out. The police said they were going to get help cracking the password but like I said I have no idea how this turned out.
As I recall it turned out that the judge decided that refusing to give the password was the equivalent of refusing to hand over your private files, not the equivalent of refusing to give testimony against oneself. In other words, it's contempt of court and you can sit in a cell until you remember the password.
Actually, I believe the opposite occurred (http://www.washingtonpost.com/wp-dyn/content/article/2008/01/15/AR2008011503663.html). It definitely remains a contentious issue, though - I believe there was a fraudster who was held indefinitely in contempt until he revealed the location of known-but-not-identified foreign accounts with his ill-gotten gains.

The difference may be that the latter might have been a civil action, or there may have been sufficient evidence already to convict the guy and the judge was just attempting to compel restitution in line with the verdict.