Results 1 to 8 of 8

Thread: Password Info

  1. #1
    Join Date
    Sep 2001

    Password Info

    Picked this up while I was browsing, thought ya'll might find it informative.

    Safety in numbers...and letters...

    Submitted By : Michael Bloch

    Published Date : 25th October 2001
    Viewed : 1028 times

    As we spend more time out on the Internet, our passwords list grows as a great number of the services we access require authentication. We are tempted to use the same password over and over, or to use easy to remember words.... a very unwise practice.

    The other night I needed to access a Word document that I compiled a couple of years ago. Being a bit on the security conscious side, I had applied a password to it and guess what?...

    I had forgotten the password I'd used...

    So I set about running a little utility that would extract the password for me. I settled back with my cup of Moccona Indulgence, contemplating the complexities of toenail clipping while I waited for the password to be revealed along with the cheery "ding!" that would signal success.

    I waited and waited...and then waited a bit more. I went to bed reassured in the prospect that it would be finished by the morning. And it was; only because I remembered the password. Over 750 000 000 password combinations had been flung at the file and it was still going. My poor PC still hasn't forgiven me...

    There are a number of articles available on "how to choose a good password", so I won't reinvent the wheel, but simply provide a few statistics on how long it would take someone to hack a password under certain conditions - to illustrate the importance of having long passwords.

    The times stated here are in relation to "brute force" attacks. A brute force attack is carried out by a program that throws every possible combination of letters and/or numbers and/or other characters at a file. Another popular form of cracking/hacking is a dictionary attack which utilises a (very large) file of commonly used words, names, film titles etc and some word substitutions (forwards, backwards,numbers for words,words for numbers). This is why it is never wise to use your name as a password. A cracker can very quickly extract passwords using dictionaries.

    There are many types of brute force programs out there. The scariest thing is visiting some of these "security" sites and seeing how many times the utilities, which are often free and require no screening to access, are downloaded. One particular program had been downloaded over 40 000 times from one site. I won't name any programs for obvious reasons. The speed at which these programs work depends on a number of factors including

    The speed of the computer using the program
    The type of file being cracked (zip, document etc.)
    The location of the file (WWW or "hands on" access to the computer)
    The design of the program
    Some brute force programs only operate at around 10 000 passwords per second, others claim to run at up to 4 000 000 passwords per second on Microsoft Office files using a standard PC. For this example, I will base it on a program operating at 1 million passwords per second on an Office document where the cracker has "hands on" access to the file. Times quoted are maximum.

    4 character lower or upper case letters - under 60 seconds
    4 character lower and upper case letters - under 60 seconds
    4 character lower and upper case and number password - under 60 seconds

    5 character lower or upper case letters (e.g golde) - under 60 seconds
    5 character lower & upper case letters (e.g Golde) - approx 6 minutes
    5 character lower & upper case and number password (e.g Gold4) - approx 15 minutes

    8 character lower or upper case password - approx 58 hours
    8 character lower & upper case password - approx 21 months
    8 character lower & upper case and number password - approx 7 years

    10 character lower or upper case password - approx 5 years
    10 character lower & upper case password - approx 4648 years
    10 character lower & upper case and number password - approx 26984 years

    As you can see from the above, the longer your password the more secure it is as long as you adhere to the standard password choice guidelines.

    Some other popular methods for hackers and crackers to gain a foothold in accessing your passwords that I haven't seen mentioned in many articles include:

    Counting keystrokes as you type in your password - this can save them a lot of time
    Installing a keylogger to your machine. This is a program that will record every keystroke into a file that can be retrieved later.
    Of course, the 2 methods require the hacker to be in your presence and have direct access to your system. I mention this mainly for the teachers and I.T trainers out there who may have people in their classes eager to "strut their stuff". I once observed a training room where the students had installed a password hacking program that ran in the background onto an NT server . Since the server was on 24 hours a day, all they had to do was wait - administrators have a habit of using short, common passwords.

    At the end of the day, no password is long enough and no security system is bulletproof. If someone really wants to access your files or information about you, there are a number of ways to do so. Taking proper precautions will eliminate the opportunist hackers, who aren't really hackers at all, just bored people who are.....let's just say....."socially challenged".... ;-)

  2. #2
    Senior since the 3 dot era
    Join Date
    Nov 2001
    8 character lower & upper case and number password - approx 7 years
    I'am not happy to say this but this nfo isn't really accurate:

    I used some 8 character lower & upper case number and symbol password (much more complicated then only numbers and upper and lower case) and it could be cracked with a distributed option on L0pht 3.0 in 'only' 241 days when using 4 pc's. (a P4 1800 Mhz, a P2 300 Mhz, a P1 166 Mhz and a P1 133 Mhz)

    If you run a crack prog on let says 4 boxes with a P4 it would take even less time

  3. #3
    Join Date
    Sep 2001
    Maybe so Im not sure I just picked it up and liked the theme, didnt really get into it, takes for pointing it out VictorKaum!

  4. #4
    I know everyone here is familar with nftsdos,lophtcrack and the like.Here is a tool(original link credit to petemcevoy) that can reset the admin password on win2000 boxes(nt4.0 as well)
    You simply boot from it and it allows you full access to all regisry hives as well as the SAM. Just set that admin password to whatever you like.
    That is if I am reading the info correctly/
    What do you guys(girls) think about that?

  5. #5
    Sorry...I all that hot air and I forgot to post the link:

  6. #6
    Senior Member
    Join Date
    Nov 2001

    Re: Password Info

    Originally posted by Ennis
    10 character lower & upper case and number password - approx 26984 years
    What's the estimate on a 24 character upper/lowercase & numbers password?

    The number of possibilities introduced when using an alphanumeric string instead of a numeric string are exactly why Canada Post decided to use Postal codes in [X1X 1X1] format. There are (If I did my math correctly) 17 576 000 possibilities (26*10*26*10*26*10 -- please correct me if the math's wrong) with only those six characters.

    As a network admin, I ALWAYS force my users to use passwords that have a mix of uppercase and lowercase letters, as well as numbers.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    \"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?\" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  7. #7
    Yea the formula you used to calculate this

  8. #8
    Senior since the 3 dot era
    Join Date
    Nov 2001
    I didn't calculate this one.

    I did it the 'empirical way'

    I made a setup with some NT4.0 box to test this (passwd = 8 char upper / lower case / numbers / symbols)

    I took the SAM file with another machine on the same network and runned L0pht, the new version gives you the possibility to split the hash into more parts so you can distribute the parts to other machines running l0pht. L0pht then gives on each box an estimated time to crack the passw. I made the sum of the estimations on each box and so I got the result that I posted here.

    And yes your (larryjs) method of reseting the passwd is some powerfull issue but only when you have physical access to the box. If you are working from distance this wouldn't be an easy method.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts