MODULE NO.28: Password Cracking

Size: px

Start display at page:

Download "MODULE NO.28: Password Cracking"

Constance Lewis
6 years ago
Views:

1 SUBJECT Paper No. and Title Module No. and Title Module Tag PAPER No. 16: Digital Forensics MODULE No. 28: Password Cracking FSC_P16_M28

2 TABLE OF CONTENTS 1. Learning Outcomes 2. Introduction 3. Nature and Extent of Password Cracking 4. Methods of Password Cracking 5. Countermeasures for Password Cracking 6. Summary

3 1. Learning Outcomes After studying this module, you shall be able to know about- The significance of Passwords Common approaches of password cracking Some methods for the prevention from password cracking 2. Introduction Using passwords and password management practices for providing access rights is a technique that is as longstanding as the antiquity of operating systems. Passwords are a system designed to be responsible for authentication. There are various methods to authenticate users of a system, such as, a user can use a physical object like a key card, or prove his identity using a special characteristic like a fingerprint, or use something that only the user knows. In contrast to the other methods discussed, a major advantage of using authentication through a password is that in the event that the password becomes compromised it can be effortlessly changed. The majority of computer systems are still protected mainly with a user name and password, and a lot of users employ the same password on multiple systems. With the rapid expansion of internet technologies, social networks, and other related areas, user authentication becomes increasingly essential to protect the data of the users. Password validation is one of the extensively used methods to achieve authentication for authorized users and defense against impostors. There have been countless password cracking techniques developed during the past years, and individuals have been forecasting the countermeasures against password cracking all along. Password hacking is one of the easiest and most common ways hackers get hold of unauthorized computer or network access. Although strong passwords that are difficult to crack are easy to generate and retain, users often neglect this. For that reason, passwords are one of the weakest links in the information- security sequence. Passwords exclusively depend upon confidentiality. After a password is compromised, its original owner isn t the merely one who can access the system with it, but the imposter can also do. Hackers have countless methods to obtain passwords. They can gather passwords only by enquiring for them or by eyeing over the shoulders of users as they type them in. Hackers can also acquire passwords from local computers by using various types of password cracking softwares. To obtain passwords from across a network, hackers can use remote cracking utilities or network analysers.

4 3. Nature and Extent of Password Cracking The password has been used to encrypt the data or message for a long time in the history and it leads to a discipline known as cryptography. Additionally, with the rapid development of computer science, the password is now also regularly used for the user authentication issue, which is very important to the internet security. There are generally four means of authenticating user identity based on: 1) Something the individual distinguishes, such as, passwords, PIN, answers to specified questions, 2) Something the individual owns, such as, tokens like smartcards, electronic keycards or physical keys, 3) Something the individual is having naturally like static biometrics, e.g. fingerprint, retina, face, and 4) Something the individual does like dynamic biometrics, e.g. voice pattern, handwriting, typing rhythm In the different ways and means, password authentication is broadly used line of defense against trespassers. In the password authentication system, user identification determines that the user is authorized to access the system at the user s rights. It is also from time to time used in discretionary access control meaning that others can login using the privileged identity. When user make available the name or login and password, the system equates password with the one stored for that identified login. On the other hand, some users do not take note to the privacy or intricacy of the passwords with an assumption of having no such confidentiality collections upon internet. This allows the mischievous crackers to create the damage on the complete system if they are provided with an entry point to the system. Additionally, the higher speed computational processors have made the threats of system crackers, data theft and data corruption easier than earlier.

5 4. Methods of Password Cracking Since passwords remain the most extensively used mechanism to authenticate users, obtaining the passwords is still a common and effective attack approach. The traditional password cracking methods include defrauding, stealing, user analysis, algorithm analysis and fully guessing, among others and some of them are discussed below: 4.1 Stealing Password Stealing can be accomplished by eyeing around the person s desk, shoulder surfing, sniffing the connection to the network to get unencrypted passwords, gaining access to a password database and malware. In the shoulder surfing, hackers will take the appearance of a parcel courier delivery man, service technician or something else to make them get access to an office. In the malware attack, the key logger or screen scraper is usually installed by malware that can record everything the user types and take screen shots during the login process. Besides, some malwares try to look for the existence of a web browser client password file and copy the available passwords from the browsing history. 4.2 Defrauding One more way to gain the password is to defraud the users by social engineering or phishing on line. One instance is to telephone an office pretending as a expert IT security technician and ask for the users account or network access passwords. In the phishing attack, users will receive a phishing that contains links leading to simulated websites such as the online banking and payment, etc. and makes some appalling problem to the accounts security. 4.3 User Analysis Users have a tendency to to generate the passwords based on the things they habitually chat about on social networks or somewhere else. Password crackers are likely to look at this kind of information and make a few speculations during the cracking of passwords. The hackers can reduce the password cracking time by the analysis of the special users according to their characteristics, such as the individuals name, job title, interests, relations, hobbies, and so on. One of such kind of attack is known as Spidering. The hackers understand that many corporate passwords are generated by connecting to the business itself. They attempt to construct custom word lists by the studying of corporate literature, website material and listed customers, etc.

6 4.4 Algorithm Analysis Algorithm analysis attacks focus on the used encryption algorithms such as the cryptanalytic attacks which are also used in the decryption of ciphertext. It depends upon the nature of the algorithm, selected knowledge of the common characteristics of the text and some sample of plaintext- ciphertext pairs. This kind of attack abuses the characteristics of the algorithms to attempt to gather a specific plaintext or the keys. 4.5 Completely Guessing The widely used kind of method for password cracking is the entirely guessing, which includes the dictionary attack, brute-force attack, hybrid of dictionary and brute-force, rainbow table attacks, etc. Dictionary Attacks: It is the most commonly used manoeuvre to break into the system. In the dictionary attack, a large dictionary containing of possible passwords (frequently used passwords, e.g. the common dictionary words, the combination of several words, etc.) is used by the hackers trying to gain the access to the users computer or network. The common tactic is to applying the similar encryption method to the dictionary of passwords to compare with the copy of an encrypted file containing the passwords. Brute-force attacks: Brute-force attacks can crack any password if given ample time. Brute-force attacks attempts every combination of numbers, letters, and special characters until the password is discovered. Brute-force attack guesses the password using a random approach by trying different passwords and anticipating one works. This methodology is different from the dictionary attack in the use of non-dictionary words, which can contain all possible alpha-numeric even special character combinations. Rainbow Table Attacks: In the rainbow table attacks, the hackers use a rainbow table that is a list of pre-computed hash values for all encrypted passwords. Rainbow tables contain a connection between a hash value and its corresponding password. By having this connection pre-calculated for all possible hash values, a quick search through the tables for a desired hash value can reveal the password.

7 5. Countermeasures for Password Cracking The protecting of passwords from compromised and unauthorized use is a vital issue since the passwords remain the most popular approach for authentication. The countermeasures for password cracking could be accomplished in two stages generally, i.e. the password design stage and after the generation. 5.1 Password Design Stage User Education: Users can be educated with the importance of using strong passwords and be trained how to generate hard to guess passwords using some password selection tactics. For instance, the password must contain capital letters and small letters, numbers, and special characters. The length of the password must not be less than a certain number or the use of passphrase which is generally longer than a word or the use of beginning characters of each word in a memorable sentence, etc Dynamic Passwords: Use of one-time password, dynamic password and static password are proposed by several experts, of which one-time password is one way to provide a high level of security. The dynamic password stipulates that the password is changed frequently or at a short time interval while the static password means the password is the same for all the time when logging on the system. The organization could force some requirements for the users to change the passwords periodically, e.g. weekly, monthly, or every half-year. In a one-time password scheme, a new password is required each time when the user log on the account to prevent the hackers from using a pre-compromised password. The length of time interval can be based on the sensitivity of the protected information Use of Token: The password can be generated by using some security tokens that are used to ease authentication by authorized users of computer services. The token may be a physical device such as the smart cards. The password appearing on the token can be changed regularly with a time interval, which achieves the dynamic password mechanism and reduces the importance of stolen passwords because of its short time validity.

8 Furthermore, regularly shifting password decreases the likelihood of successful cracking by brute-force attack if the attacker uses the password list within a single shift. After the user types in the password appearing on the token the password on the server site may be already changed to the next one due to the time delay. The token can be also equipped with inserted switch algorithms. In this case, the user types in the numbers appearing on the token then the calculator will generate a password using the inserted algorithms Computer Generated Passwords: Users can also use the computer generated password for their account. Using some pre-design, the computer generated password ordinarily makes sure a certain length contains special characters and is un-pronounceable, which is difficult for the hackers to crack successfully within a short time. However, computer generated password is not easily to remember for the users due to the fact that it is mostly meaningless. 5.2 After the Generation of Passwords Reactive Password: Checking in a reactive password checking approach, the system intermittently runs its own password cracker to find guessable passwords. The system will cancel passwords that are guessed and notifies the users. The disadvantages are that it consumes resources very much and the hackers can also use this strategy to find the weak passwords if they get the password file copy Proactive Password Checker: Another way to reject the weak passwords is proactive password checking. Different with reactive password checking, proactive password checking allows users to select their own password. However the system will check if the password is allowable or not. The goal is that users can select memorable passwords that are difficult to guess. Many researchers have designed their proactive password checkers Password Encryption: The password encryption protections include the hash functions. In the computer security and cryptography, hash functions refer to the algorithms that take a variable-size input and return a fixed-size string output as the hash value. This approach ensures that any changes on the input data will result in a different hash value. There are several common characteristics of hash function including the easy computation, pre-image resistance, second pre-image resistance, and collision resistance, etc.

9 5.2.4 Access Control: The common belief is that if the hackers cannot get the password (or encrypted password) files, then the password cracking competency will be very much reduced because that the hackers cannot perform the offline guessing. According to this analysis, the password file access control is essential and efficient for the control of the password cracking and this method is used in some systems. Password file access control method also holds some weaknesses, such as the weakness in the operating systems that let access to the password file, inadvertent permission of making the password file readable, sniffing password transmit in network and weak challenge or response schemes in network protocols, etc. 6. Summary Passwords are a system designed to be responsible for authentication. There are various methods to authenticate users of a system, such as, a user can use a physical object like a key card, or prove his identity using a special characteristic like a fingerprint, or use something that only the user knows. Password validation is one of the extensively used methods to achieve authentication for authorized users and defense against impostors. The password has been used to encrypt the information or message for a long time in the history and it leads to a discipline known as cryptography. Password authentication is broadly used line of defense against trespassers. In the password authentication system, user identification determines that the user is authorized to access the system at the user s rights. The traditional password cracking methods include stealing, defrauding, user analysis, algorithm analysis and fully guessing. The countermeasures for password cracking could be accomplished in two stages generally, i.e. the password design stage and after the generation.

What is Authentication? All requests for resources have to be monitored. Every request must be authenticated and authorized to use the resource.

P1L4 Authentication What is Authentication? All requests for resources have to be monitored. Every request must be authenticated and authorized to use the resource. Authentication: Who are you? Prove it.