One Step Ahead: Almanac Security Tips - 2013

Table of Contents (view all)

Spring Cleaning Your Office? Know What to Do with E-Waste
Keep Your Identity Safe When Filing Taxes This Year
Why use Penn+Box when Storing Data in the Cloud
Mobile Device Security - 3 Recommendations for Cloud Users (Hint: That's You!)
Be Aware of QR Code Risks
It’s Data Privacy Month: Update Your Facebook Privacy Settings and More
How Are You Celebrating Data Privacy Month?
Stay Secure while Working on Public Wi-Fi Networks
Protecting Your Finances During This Year's Holiday Shopping Season
Cloud and You
Security and Privacy Online Training & Tools
October: Free Secure Disposal of Paper and Electronics at Employee Resource Fair; NCSAM
Student Privacy - What Do I Need To Know? A FERPA Reminder
Top 10 Tips for Securing Your Smartphone or Tablet
Working Off Campus? Some Tips to Consider

Whats popular?

Tagged with security , passwords

Tuesday, October 20, 2009 - Almanac Vol. 56, No. 8

Password Cracking: The Pot of Gold at the End of the Rainbow

One of the "holy grails" coveted by hackers when they compromise a system is the file which contains the passwords for all the users on that system. The passwords are stored in encrypted form, of course, but if a hacker can decode or "crack" the encryption the reward is a valuable set of user credentials, especially if the system in question is a large, heavily used server. "Cracker’s Dictionaries" have been used for this purpose for several years, and these typically are pre-compiled lists of more than one million potential passwords comprising not only all known English words (including proper nouns), but also variations used on them, e.g. "crooked" and "cr00k3d".

In recent years, however, hackers have also made extensive use of "rainbow tables," a sort of "reverse dictionary" which contains the encrypted values for all possible passwords of a given length, indexed to their associated passwords. It sounds unbeatable, but there *are* limitations. Rather than mere hundreds of thousands of entries, "rainbow tables" will sometimes contain entries numbering into 25 digits or more (septillions), and this requires enormous amounts of memory and disk space to make use of. Also, many computer systems "salt" their password files with special added data that diminish the effectiveness of these attacks, though some systems (especially older Windows systems) have been shown to be vulnerable. One researcher, using a widely available "rainbow" tool, reported cracking a Windows password "Fgpyyih804423" in less than three minutes!

Most cracking dictionaries and rainbow tables tend to discount or overlook the use of "special characters" in passwords (those produced using the 'Shift' key and the top row of the keyboard - !, @, #, $, etc.), so using one or more of these when selecting a password is good protection against its being "cracked."