Password Guessing

Thu, May 21, 2009

Uncategorized

One of the more common cracking methods is password guessing. Luckily (or unfortunately) it is also one of the least efficient. Password guessing comes in two forms:

  • Brute force attacks
  • Dictionary attacks

Brute Force Attacks

A brute force attack is exactly as it sounds – brute force. It is an attack that tries to thwart a cryptographic scheme by guessing every permutation of a particular character set and length. For example, if our cracker knew the password was four digits, the maximum number of guesses needed would be ten thousand. Since the password is four characters in length, and each character can be any of ten digits, we have:

10 × 10 × 10 × 10 = 10,000

which yields ten thousand possible passwords. A brute force attack tries each of them systematically. For example:

0000
0001
0002
0003
...
1111

For a human to guess all of these passwords would be impractical, but with today's technology ten thousand operations can be done in a few seconds on a single-processor machine. Two tools which use brute force attacks that I have used are BarsWF and L0phtCrack. BarsWF is incredibly interesting as it uses CUDA, which makes use of your GPUs as well as your CPUs to crack an MD5 hash. I was computing close to 100,000 hashes per second!

Dictionary Attack

A dictionary attack is similar to a brute force attack, except that rather than trying every combination, it only guesses passwords from a file provided by you. Granted, this method is not guaranteed to work, but it is guaranteed to finish before your grandchildren are born. Remote-exploit.com released a tool called CUPP which allows you to generate personalized dictionaries.

Security

Some of the security measures I employ to stay safe (from both a client and a server perspective) are:

  • Use complex passwords – Not your wife's name, or even your wife's name concatenated with her birth year. Use something truly difficult like: 4k!da9dCaF. A dictionary attack will not be able to break this password (unless you are really unlucky), and it will take a brute force program a really long time to crack.
  • Implement a lockout or wait time (or both). A brute force attacker will try thousands of passwords per second. If you can disable the account after five incorrect password attempts, and after a certain time period reactivate the account, the attacker is screwed.
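To put numbers on both halves of this post (the size of the keyspace a brute force run has to cover, and what a five-strikes lockout does to an online guesser), here is an added example written for this page; it is not code from the post or from any of the tools mentioned. The 94-symbol printable set for the 4k!da9dCaF example and the 15-minute lockout window are assumptions.

```python
import string

# Character sets a guess may be drawn from. The post's four-digit example uses
# DIGITS; the 10-character "4k!da9dCaF" example draws on all printable ASCII
# (94 symbols). Both set sizes are assumptions for the estimates below.
DIGITS = string.digits
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def keyspace(charset_size: int, length: int) -> int:
    """Candidate passwords a brute force run must cover: charset_size ** length
    (10 * 10 * 10 * 10 = 10,000 for a four-digit PIN)."""
    return charset_size ** length


def worst_case_seconds(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Time to exhaust the whole keyspace at a given guess rate (offline, no lockout)."""
    return keyspace(charset_size, length) / guesses_per_second


class LockoutPolicy:
    """Disable an account after max_failures consecutive wrong guesses and
    reactivate it lockout_seconds later, as the post recommends."""

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 900):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = {}      # account -> consecutive failures so far
        self.locked_until = {}  # account -> time (seconds) at which the lock expires

    def attempt(self, account: str, password_ok: bool, now: float) -> str:
        """Return 'ok', 'denied' or 'locked'. A locked account rejects even the
        correct password until the lock expires."""
        if self.locked_until.get(account, 0) > now:
            return "locked"
        if password_ok:
            self.failures[account] = 0
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.max_failures:
            self.failures[account] = 0
            self.locked_until[account] = now + self.lockout_seconds
            return "locked"
        return "denied"

    def max_guesses_per_day(self) -> int:
        """Upper bound on online guesses against one account per day under this policy."""
        return self.max_failures * (86_400 // self.lockout_seconds)
```

At the post's 100,000 guesses per second a four-digit PIN falls in a tenth of a second offline, while the default policy caps an online attacker at 480 guesses per account per day.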
