Password Cracking

When it comes to account security, server-side protections are only half of the equation. Even if the server hosting your account has no bugs or security flaws, a weak password means that anyone who points a capable password cracker at it has a good chance of taking the account over.

There are several password-cracking methods, but at the base level every one of them works the same way: generate large numbers of candidate passwords and test each against the account (or, more often, against a stolen copy of the password hash). The most common are dictionary attacks, in which the cracking software walks a large list of words and strings people are known to choose as passwords; pattern (combinator) attacks, which join words and fragments that usually go together, such as a name followed by a year or two words run into one; and substitution or rule-based attacks, which take each dictionary word and apply the transformations people typically make, such as capitalising the first letter, appending digits, or swapping letters for look-alike symbols. The most thorough, but by far the slowest, method is brute force, which tries every possible key or character combination until one matches. Its downside is speed. Success is guaranteed given enough time, but even a short random password such as "h!%$fGH" (seven characters drawn from the 95 printable ASCII characters, roughly 7 × 10^13 combinations) can take a single computer days or even months to exhaust. At the extreme, distributed.net needed nearly five years (1,757 days) and the spare cycles of more than 300,000 computers to find a single 64-bit RC5 key.

Technically speaking, how quickly a cracker succeeds depends largely on the number of keys per second (KPS) each machine can test and on how many machines are working on the job. The per-machine rate depends heavily on what protects the password: a fast, general-purpose hash such as MD5 or SHA-1 can be tested millions of times per second on an ordinary desktop, while a deliberately slow password hash cuts that rate by orders of magnitude. As a rough estimate, an average desktop computer of 2007 could manage on the order of one to ten million keys per second against a fast hash. Dedicated hardware does far better: crackers built from field-programmable gate arrays (FPGAs) or custom chips test many keys in parallel. The best-known example is "Deep Crack", the DES cracker that the Electronic Frontier Foundation built in 1998 from custom ASICs; it tested roughly 90 billion keys per second and recovered a 56-bit DES key in about 56 hours.
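The three tiers described above (dictionary, rule-based mangling, brute force) and the keys-per-second arithmetic, as an added example that is not part of the original article. The "leaked" hash store, the salt, the five usernames and the tiny word list are all constructed here so the script runs offline; the hashes are salted SHA-256, chosen because it is fast enough to brute-force a three-character space in a fraction of a second.

```python
import hashlib
import itertools
import string


def salted_sha256(salt: bytes, password: str) -> str:
    """Hash used by the constructed sample store below (salted but fast SHA-256)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


# Constructed sample "leaked" hash store: username -> (salt, hex digest).  In practice
# these come from a dump; here they are generated in place so the block runs offline.
# The passwords are chosen so that each one falls to a different method (or to none).
_SALT = bytes.fromhex("0badc0de")
LEAKED = {
    "alice": (_SALT, salted_sha256(_SALT, "sunshine")),   # plain dictionary word
    "bob":   (_SALT, salted_sha256(_SALT, "Sunshine1")),  # word + capitalise + digit rule
    "carol": (_SALT, salted_sha256(_SALT, "p@ssw0rd")),   # look-alike substitution rule
    "dave":  (_SALT, salted_sha256(_SALT, "x7q")),        # short random: brute force only
    "erin":  (_SALT, salted_sha256(_SALT, "h!%$fGH")),    # article's example: out of reach here
}

WORDLIST = ["password", "sunshine", "letmein", "dragon", "qwerty"]  # constructed tiny dictionary

# Rule-based mangling: the transformations people actually apply to a base word.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0"})
SUFFIXES = ("1", "123", "!", "2007")


def mangle(word: str):
    """Yield candidates derived from one dictionary word (a small hashcat-style rule set)."""
    for base in (word, word.capitalize(), word.upper(), word.translate(LEET)):
        yield base
        for suffix in SUFFIXES:
            yield base + suffix


def try_candidates(target: str, salt: bytes, candidates):
    """Return the first candidate whose salted hash equals target, else None."""
    for cand in candidates:
        if salted_sha256(salt, cand) == target:
            return cand
    return None


def brute_force(target: str, salt: bytes, alphabet: str, max_len: int):
    """Exhaustive search over every string of length 1..max_len drawn from alphabet."""
    for n in range(1, max_len + 1):
        combos = ("".join(t) for t in itertools.product(alphabet, repeat=n))
        found = try_candidates(target, salt, combos)
        if found is not None:
            return found
    return None


def crack_all(store, wordlist, alphabet=string.ascii_lowercase + string.digits, max_len=3):
    """Cheapest method first; record which tier recovered each password."""
    results = {}
    for user, (salt, target) in store.items():
        if (pw := try_candidates(target, salt, wordlist)) is not None:
            results[user] = (pw, "dictionary")
        elif (pw := try_candidates(target, salt, (c for w in wordlist for c in mangle(w)))) is not None:
            results[user] = (pw, "rules")
        elif (pw := brute_force(target, salt, alphabet, max_len)) is not None:
            results[user] = (pw, "brute-force")
        else:
            results[user] = (None, "not cracked")
    return results


def keyspace(alphabet_size: int, max_len: int) -> int:
    """Number of candidates of length 1..max_len over an alphabet of the given size."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def seconds_to_exhaust(alphabet_size: int, max_len: int, keys_per_second: float) -> float:
    """Worst-case time for one machine at the given rate to try every candidate."""
    return keyspace(alphabet_size, max_len) / keys_per_second


if __name__ == "__main__":
    for user, (pw, how) in crack_all(LEAKED, WORDLIST).items():
        print(f"{user:6} {how:12} {pw!r}")
    days = seconds_to_exhaust(95, 7, 1e7) / 86400
    print(f"7 printable characters at 10 million keys/s: {days:.0f} days worst case")
```

Running it shows the article's ordering in practice: the dictionary pass catches "sunshine" instantly, the rule pass catches "Sunshine1" and "p@ssw0rd" without touching brute force, brute force over lowercase-plus-digits recovers "x7q" in under 50,000 hashes, and "h!%$fGH" survives because a seven-character printable-ASCII space at ten million keys per second is about 82 days of worst-case work for one machine, exactly the "days or months" the text describes. Swap the fast hash for a deliberately slow one and every one of those figures grows by the same factor.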

Currently, the best defence against password crackers relies on both the server and the user. The server does its part by limiting the number of failed login attempts an account can accumulate, which blunts online guessing against the live service (it does nothing against offline cracking of a stolen hash; only slow, salted password hashing helps there). The user can avoid being compromised by generating a strong password with a password generator rather than inventing one, and by changing it at intervals and promptly whenever a service it is used on is breached. Another safeguard is never to reuse a password across accounts. Give each account its own password; in the worst case, where an attacker obtains the credentials for one account, the others remain safe. With a single password shared by all of your accounts, the moment someone cracks one of them they have access to every one.
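The server-side half of that defence, as an added example that is not code from the article: a per-account failed-attempt limiter with a sliding lockout window, wired to a constructed single-user credential store (salted SHA-256, constant-time comparison). The injectable clock and the `FakeClock` helper exist only so the lockout can be exercised without sleeping; the usernames, salt and password are made up.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Per-account failed-login limiter.

    After max_failures failures inside window_seconds, every further attempt on that
    account is refused (even with the right password) until the oldest failure ages
    out of the window.  A successful login clears the counter.
    """

    def __init__(self, max_failures=5, window_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock
        self._failures = defaultdict(deque)  # account -> timestamps of recent failures

    def _recent(self, account, now):
        q = self._failures[account]
        while q and now - q[0] >= self.window:
            q.popleft()                      # forget failures that fell out of the window
        return q

    def is_locked(self, account) -> bool:
        return len(self._recent(account, self.clock())) >= self.max_failures

    def attempt(self, account, password, verify) -> str:
        """Return 'locked', 'ok' or 'bad'; verify(account, password) is the real check."""
        now = self.clock()
        recent = self._recent(account, now)
        if len(recent) >= self.max_failures:
            return "locked"                  # refuse before even consulting the verifier
        if verify(account, password):
            recent.clear()
            return "ok"
        recent.append(now)
        return "bad"


# Constructed credential store for the demo: username -> (salt, salted SHA-256 digest).
_SALT = b"\x01\x02\x03\x04"
USERS = {"alice": (_SALT, hashlib.sha256(_SALT + b"correct horse").hexdigest())}


def verify_password(account, password) -> bool:
    """Constant-time comparison against the stored salted digest."""
    entry = USERS.get(account)
    if entry is None:
        return False
    salt, digest = entry
    candidate = hashlib.sha256(salt + password.encode()).hexdigest()
    return hmac.compare_digest(candidate, digest)


class FakeClock:
    """Manually advanced clock so the lockout window can be exercised instantly."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo(guesses=("password", "sunshine", "letmein", "dragon", "qwerty")):
    """Five wrong guesses lock alice out; the right password is refused until the
    window passes.  Returns the sequence of outcomes."""
    clock = FakeClock()
    throttle = LoginThrottle(max_failures=5, window_seconds=900, clock=clock)
    outcomes = [throttle.attempt("alice", g, verify_password) for g in guesses]
    outcomes.append(throttle.attempt("alice", "correct horse", verify_password))  # locked
    clock.advance(900)
    outcomes.append(throttle.attempt("alice", "correct horse", verify_password))  # ok
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should keep in view: the lockout refuses the correct password too, so an attacker who can submit five bad guesses per window can keep a victim locked out of their own account (a denial-of-service trade-off that is why many services prefer escalating delays or CAPTCHAs to hard locks), and the counter is keyed by account, so it does not stop an attacker who spreads one common password across many accounts. Neither limit matters at all once the attacker holds a copy of the hashes; that fight is won or lost by the hash function.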