Passwords are strings of characters used to authenticate computer system and/or users. Passwords are a widely employed form of verification and are vulnerable to multiple forms of attack. If weak then it can be guessed or easily cracked. The strength (i.e. effectiveness) of a password is a function of its length and complexity, which should be directly proportional to the sensitive of the data being protected. Security experts cite weak passwords as the most critical security threats.

Password Types

A static password is a string of characters that stays the same for each logon, although it should be changed at frequent intervals. This is the password that we normally used to access online services.

A dynamic password on the other hand, changes with each logon (aka "one-time" password). This type of password is often required to perform certain banking transaction.

Password can take many forms and can contain:

Only numbers, letters or characters 4239 - ABCEFG - $@$!(#)

A combination of two inputs types h@cking - @$42$

A combination of all inputs types Eth1c@I - 42!vwlc7t

Alternatively, a passphrase (a sequence of characteristics longer than a normal password) can be converted into a password.

alOngStr!ngOfWOrds1sStr0ng3r&3asyTOR3m3mb3r

Passwords should not be:

Created using personal information about yourself or your family - e.g., name, birthplace, nickname, pets, etc.

Formed of words out of any dictionary or book. Using known words in any language allows the cracker to take shortcuts.

Composed of proper nouns of places, ideas, or people. These words are commonly found in password cracker databases.

Reused. Do not reuse recently employed passwords again.

Variations of words (e.g. s3cr3t, 3th1c@I); concatenation of two words commonly following each other in a sentence. (e.g., ethicalhacking);

A single digit or symbol added before or after a word (e.g., ethical!); word reversal (e.g., lacihte); Key sequences that can easily be repeated (e.g. qwerty)

Science of static password

The majority of systems authenticate users with a static password. A password of clear text would provide an easy target for an attacker. To make the target less vulnerable to attack, distinct one-way hash functions or encryption mechanism are used to protect the secrecy of the password when transmitted on a non-secure network. When a user logs onto the system and enters a password, a hash is generated and compared to a stored hash. If the stored hashes match, the user is authenticated. Encryption is no guarantee of protection, hashes can be cracked.

Encryption is the process of converting plain text into unreadable cipher text. To protect passwords, they are generally put through a one-way encryption algorithm or hash function. A one-way hash function turns an arbitrary length text into a fixed length string of characters/digits. The "one way" means that it is nearly impossible to obtain the original text once the algorithm is applied to the clear text. A hash function is an efficient one-way function mapping.

Depending on the password, hashing can be weak & easy to break .For example, the password is 123456abcdef the process of hashing for the LM hash algorithm (an old Windows standard) is:

1. Convert the string to all uppercase: 123456ABCDEF.
2. Pad it with blank characters to make it 14 characters long.
3. Split it into two 7 characters strings: 123456A and BCDEF_.
4. Each string is individually encrypted, and the results are concatenated:
5. 123456A,= 6BF11E04AFAB197F
6. BCDEF_ = F1E9FFDCC7557SB15
7. The hash is 6BF11E04AFAB197FF1E9FFDCC7557SB15

Once an attacker gathers the password hashes, the next step is to generate hashes rapidly until a match can be found. Password cracking is a term employed to describe the penetration of a network, system, or resource with or without the use of tools to unlock a resource that has been secured with a password.

Keep in mind that all passwords, no matter the length, can be eventually discovered.

Even a hash-encrypted password is not entirely secure. Cracking tools are used to attack password protection reverting the hash to the plaintext password.

Four types of password attacks can be defined:

active online attacks;

passive online attacks

offline attacks

non-technical attacks.

Active online attacks

Guessing seems a fruitless task, but often successful because most users employ easy to remember passwords. People tend to use weak passwords: children's names, spouse, pet, nicknames, car model and other familiar things as their password. While other users may use the default system assigned password. Some attacks are aimed at online services and attempts to obtain access by continuously trying commonly used passwords.

This attack is almost obsolete in modern days as web sites and online services use techniques to block several successive login attempts in a short period of time. This is called password-throttling

Passive online attacks

Passive attacks are still popular especially in local area networks and Wi-Fi networks. Examples include:

Wire Sniffing - Access and record the raw network traffic; wait until the authentication sequence or brute force credentials. This can be relatively hard to perpetrate and it is usually computationally complex. However, tools are widely available for both wired and wireless networks.

Man-in-the-Middle and Replay Attacks - The attacker can obtain the authentication sequence by monitoring communication between two parties. Again this is relatively hard to perpetrate as the attacker needs to be inside a trusted environment. It is popular within wireless networks (especially those with open access). Many tools are available.

Offline attacks

Offline attacks are perpetrated using a number of techniques explained below. All of these require the attacker to obtain an encrypted password file. We will experiment with these techniques in the lab.

Stealing the SAM

Before explaining the various techniques that could be used in offline password cracking let’s provide an example of how a password file can be obtained.

Microsoft Windows stores the users password in an encrypted format in the security accounts manager (SAM) file. The SAM file contains the usernames and passwords (hash form) for every account on the local machine. By accessing the SAM an attacker has access potentially to all passwords.

The file is located in the %systemroot%\system32\config directory, but it is locked when Windows is booted.

One option to copy the SAM file is to boot to an alternate OS (i.e., Linux with a boot CD). Alternately, the file can be obtained in other methods which we will experiment with in the lab.

Once hashes have been extracted, an automated password recovery utility (using the techniques below) can be employed to crack them.

Dictionary Attack

If password policies permit dictionary words as passwords, they can be readily broken, even in their encrypted form. The simplest and quickest method for cracking a password is a dictionary attack, which uses all words in a dictionary or text file.

A dictionary attack is a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by searching a large number of possibilities. A dictionary attack exploits weak passwords. If dictionary words have been employed, this will be sufficient to recover the password.

This type of attack has some limitations. It cannot be used against strong passwords containing numbers or other symbols.

Brute force Attack

A brute force attack tries all possible character combinations until the password is determined. This is the most comprehensive form of attack, but it is time-consuming. This attack is generally employed as a last resort technique, as it can take a long time to crack an encrypted password (depending on complexity and length). Knowing the password policy could help. If a password contains any partial structure then the processing needed to discover can be reduced.

Hybrid Attack

It is common practice to change passwords by adding a number to the end of their password (e.g. password, password1, password2, etc.).

When policies require a mix of input types, users often resort to a simple substitution to form visual similarity passwords (e.g. h@ck1ng)

Despite adding complexity, these passwords can be cracked with software which make the same substitutions. Hybrid attacks are based on dictionary and brute force techniques by adding or substituting numbers and/or symbolic characters for certain letters in dictionary words. These attacks are faster than brute force, but slower than dictionary.

Pre-computation hashes

Many passwords are thought secure due to the time required to crack. Another technique is rainbow cracking. A rainbow table is a lookup table specially used in recovering the plaintext password from a cipher text.

Pre-computed tables reduce the difficulty in brute force cracking a password by creating a large pre-generated data set of passwords and their corresponding hashed value. Encrypted password can be compared to values stored and cracked within seconds, making it almost instantaneous. This attack reduces the auditing time for complex passwords.