One Step Ahead: Almanac Security Tips - 2009

Table of Contents (view all)

You Can't Lose Data That You Don't Have
Password Cracking: The Pot of Gold at the End of the Rainbow
PennKey Opens Many Doors: Keep it Safe
Software Piracy
Collect Personal Documents and Computer Hard Drives for Free Shredding at the Employee Resource Fair
Don’t Use Excessive Privileges on Your Computer
Do You Google? Know How to Protect Your Privacy
Online Statements and Bill Payments: Safer Than Paper?
Updated Purchase Order Terms and Conditions Regarding Information Privacy & Security
Sanitize Word, Excel, and PowerPoint Docs Before Publishing
Exchange Sensitive Data Securely Using Secure Share
Facebook Sharing Can Be Broader than You Think: A Birthday Example
Managing Facebook's Privacy Settings for Safe Use
Be Careful with Facebook Apps
ID Theft: Are You Worrying About the Right Things?

Whats popular?

Tagged with security , passwords

Tuesday, October 20, 2009 - Almanac Vol. 56, No. 8

Password Cracking: The Pot of Gold at the End of the Rainbow

One of the "holy grails" coveted by hackers when they compromise a system is the file which contains the passwords for all the users on that system. The passwords are stored in encrypted form, of course, but if a hacker can decode or "crack" the encryption the reward is a valuable set of user credentials, especially if the system in question is a large, heavily used server. "Cracker’s Dictionaries" have been used for this purpose for several years, and these typically are pre-compiled lists of more than one million potential passwords comprising not only all known English words (including proper nouns), but also variations used on them, e.g. "crooked" and "cr00k3d".

In recent years, however, hackers have also made extensive use of "rainbow tables," a sort of "reverse dictionary" which contains the encrypted values for all possible passwords of a given length, indexed to their associated passwords. It sounds unbeatable, but there *are* limitations. Rather than mere hundreds of thousands of entries, "rainbow tables" will sometimes contain entries numbering into 25 digits or more (septillions), and this requires enormous amounts of memory and disk space to make use of. Also, many computer systems "salt" their password files with special added data that diminish the effectiveness of these attacks, though some systems (especially older Windows systems) have been shown to be vulnerable. One researcher, using a widely available "rainbow" tool, reported cracking a Windows password "Fgpyyih804423" in less than three minutes!

Most cracking dictionaries and rainbow tables tend to discount or overlook the use of "special characters" in passwords (those produced using the 'Shift' key and the top row of the keyboard - !, @, #, $, etc.), so using one or more of these when selecting a password is good protection against its being "cracked."