Posts in Category: Cracking

Password and Key Cracking 

Tuesday, October 13, 2009 4:26:00 AM Categories: Cracking Passwords/Keys
Passwords and keys are different things.  Passwords are normally used to confirm/validate that a user for access or communication. A Key is the code that will encrypt or decrypt data. Sometimes passwords are used as keys, or more commonly keys are generated from passwords. Although they have separate purposes, and are usually very different in length, the methods used to crack them are normally fairly similar. On this page I will use the term “Password”, as this is normally the weaker of the two, but the same attacks can be performed on Keys.
 
The most common are:
 

Dumpster Diving

This is used by identity thieves too. Many people print codes and keys, especially for things like wireless networks so that staff can configure codes correctly. If these are just “thrown” then they can be found and used.
 
 

Social Engineering

This is where social and cultural tricks are used to gain access to secure areas. For example: someone rings you stating they are from your IT Department and need your password in order to test something. Or a man dressed in the right uniform just strolls into the server room, loads hardware onto a trolley and leaves.
 

Brute Force

Every combination of values is tested until one works. This is the single slowest way of cracking.
 
Normally a process like this iterates through every combination of every character, a-z then A-Z then 0-9 and then all the funny extra characters like quotation marks and other such symbols. If a password was only 1 character long, that’s not many options. However, every extra character exponentially increases the number of combinations.
 
Let’s assume only characters can be used – just lower case.
a-z = 26
 
Number of Characters
Number of Combinations
1
26
2
676
3
17,576
4
456,976
5
11,881,376
6
308,915,776
7
8,031,810,176
8
208,827,064,576
9
5,429,503,678,976
10
141,167,095,653,376
 
Let’s assume only characters can be used, upper and lower case.
a-z = 26
A-Z = 26
Total = 52
Therefore, a total of 52 different combinations with only 1 character. But if you include 2 you can have aa, ab, ac, ad, etc. all the way through to ZZ. Therefore the combinations multiply and come to 2,704 combinations.
Number of Characters
Number of Combinations
1
52
2
2,704
3
140,608
4
7,311,616
5
380,204,032
6
19,770,609,664
7
1,028,071,702,528
8
53,459,728,531,456
9
2,779,905,883,635,710
10
144,555,105,949,057,000
 
You should be able to see that the number of combination changes greatly depending on the length of the password and the number of characters in the password.
 
This is why some web sites mandate a minimum length and a inclusion of numbers.
 
The more combinations there are, the more possible passwords that AREN’T yours there are likely to be, so your password gets lost in the crowd. So the strength comes from the “maximum” number of combinations.
 
In computer terms the “character” is the bits. 1 bit has two options, on or off. Two bits have 4 combinations.00, 01, 10, 11. Every additional bit doubles the number of combinations so that 8 bits can form 256 unique combinations. This is what is meant by the bit length of encryption.
 
 

Dictionary Attack

Similar to Brute Force, except instead of trying every possible character the attack is “loaded” with likely passwords and keys. For instance, most passwords are words, or based in part on words. The Dictionary Attack still provides for variation, but the variation is based on likely combinations.
For example, the following is just a small example as to variations that might be created from the dictionary word “password”
Password
pAssword
pa55w0rd
password452

 

Copyright 2006 Blog Author