Sunday, July 15, 2007

Password Cracking and Security: Part 1

Introduction:
Many times the only thing stopping a hacker from accesses your data is a username and/or password. A strong password will insure that nothing gets leaked. A password's strength can broken down into: numbers, letters(lower and UPPERCASE), symbols, and length.

Most hackers will try the default passwords first. (and I have to say I have recovered many a password by having that list handy) Examples include, but aren't limited to: admin, root, password, pass, password1, default, and.... so on and so forth. View larger sample (router default passwords)

Definitions:
If he can't get in with the default passwords he may step up the attack to a dictionary attack or brute force attack.

  • A Dictionary Attack -- which is where he takes a list of words from the dictionary and other sources(like acronyms, foreign words etc) and trys each one to see if it is the password. He may also add numbers such as a 1 or a 2 to the end for a quick check. If your password is a single word or a phrase, such as "hardcrack" or "notime" then the attacker will be inside your account(s) in a matter of hours or days.
  • Brute Force Attack -- this is where the attacker attempts every combination in the book, and out of the book. Normally he selects the category and length he wishes to try. The script he has made will then try an alphabetical/numeric/symbolic attempt 1 by 1. e.g aa, ab, ac... ax, ay, az, a1, a2, a3, ... a7, a8, a9, a0, a!, a@, a#..... Oh yeah, I can't forget to mention that he also has to try Uppercase and lower case letters. This can end up taking forever since time to try the passwords compounds itself.
    (Check back for Password Cracking and Security: Part 2 Word, Excel, and Zip brute force demonstration)
THE Protection TIPS:
The more combinations you use in your password the harder it will be to crack. The most secure passwords contain a mix of the items noted above. Now you may be thinking how in the world am I going to remember such a complicated password? Here are some tips:

  1. - Develop an algorithm for your passwords. The password to your "mail" could be MaIl6245 and the password for your computer could be cOmPuTeR26678837. With the algorithm being: Subject name, alternating upper and lower case, and then the corresponding numbers from a phone keypad.

  2. - Use geometric shapes to remember your password:






    Each button would be pressed and make up passwords that look hard, but really when you sit down to type are easy to remember. (Picture shows passwords: "e3dcft654" and "8ik./lo9")
  3. - Another way to remember your password is to write it down...
    BUT don't just leave the paper lying around for someone to find. Put it in your wallet, or other safe place (and that doesn't include your monitor) Plus, hide it in such a way as not to make it obvious. e.g. if your password was MaIl6245 mix it up --- put "MaIl" on one line and 6245 on another line on the index card.


  4. Don't type your password in straight. What I mean is type your password in backwards, out of sequence, and add extra keys to confuse the keyloggers. When you are on a computer there are programs called keyloggers that will log every stroke you make. It doesn't matter how strong your password is, if the computer has a keylogger, then the keylogger's master can get it easily.
    Also, use the mouse, not the arrow keys to move around in the password field. Most keyloggers that I have tested can't pick up mouse movements.
    For Example lets say you have a password of abc123 (though not especially safe, it is alphanumeric). If typed :Then it will show in the keylogger: 123xabnc
    And unless the keylogger can log backspace/left/right arrows then whoever looks at it will be confused, and hopefully pass you by.

    If you want to try out a keylogger I recommend:
    FREE:
    Tiny KL - http://home.rochester.rr.com/artcfox/TinyKL/ OR
    Actual Keylogger - http://www.download.com/3001-2092_4-10541792.html
    Or you can try out my all time favorite:
    $19.99
    Winspy - http://www.win-spy.com/ (feature list is amazing)

  5. - You may even want to use a password storage program. Firefox has a built in password manager which I recommend using --- so long as you add a master password (Tools--> Options, Security Tab, Check "use master password" and click "change"/"setup password"). You can also use Roboform which works well to remember Internet Explorer and Firefox passwords. Most of the time a password gets added by you typing it in and selecting you want Roboform or Firefox to remember it.

    What I did for a while with my passwords was I kept them in Firefox's list (practically all of my vital passwords were for websites) . Then I created a master password using symbols and letters and stored a hard copy of that in my wallet. For passwords that were not in the browser(like the screensaver) I just picked 1 tricky alpha/numeric/symbol password and used it over and over till I had memorized it --- that is one thing I have found true to remembering passwords, if you have to type it every time you start windows(however infrequent that may be :-P) you will tend to remember the password better.

    If you have passwords outside the browser (like to get into Windows) it is best to keep them in a protected password manger program or password protected Word or Excel document with auto recovery turned off (so no cache copies remain on disk) which is located on a keydisk(which can be hidden under your bed, the place every robber looks ;-P).

    Note: I personally don't trust any password manger program, and just use a combo of MS word, MS excel, and zip files to keep my passwords manged and safe.


    Now there are some people that argue that you need to have better Encryption for your passwords. Two good applications for that are Blowfish and TrueCrypt . If you need any help with them feel free to leave a comment, but for now I don't have room in this post to go into details about encryption. (both are free)


    Another problem with passwords that I have found is that people make a great secure password only to have a very simple password recovery question. Like their birthday. Chances are if they have a myspace or something else online where a birth date or father's name, age, favorite place to vacation is posted, etc. then they might as well have no password at all. A hacker can get your password just from those backdoors...

    This is why many companies and individuals have selected to use a security disk instead of passwords. Security disks(USB or Floppy) hold a password generated from the make up of a file or a longer password. The only way to log on to the computer is with that keydisk or the longer password thereby eliminating the need to type the password in each time. This allows you to select a password that you wouldn't ever think of using before. (e.g. you could make a password out of the 255 first characters of the definition of A in the Dictionary) TrueCrypt has some of these features.
End Notes: As you probably can tell, security is an ongoing, never ending
"black art". You are never completely secure. Hackers find exploits, create newer tools, and trick you with their looks and charms :-P. But what you have to do is take steps to be more secure; increase your security to the point that you are so hard to reach, you become not worth the time. Be creative. There is a saying "to prevent a robber you must think like a robber." The same goes for Hackers.

Stay informed, be alert, and if you think security has been compromised, You better pick a new PWD FAST. Trust no-one, not even your yourself.


EDIT INCLUDES MINOR GRAMmATICAL/SPELLING CHANGES.

2 comments:

FMAddicted said...

thanks for the details... i got it... it was so important especially for newbies...

btw nice background :)

Blake said...

Good post, fix the blowfish and TrueCrypt links. I would change Dictionary hack to dictionary attack and brute force crack to brute force attack.