Thursday, December 23, 2010

Password Cracking

Password cracking is the process of discovering passwords from data that has been archived or transmitted by a computer system. A common approach is to repeatedly try guesses for the password. In cyber operations the purpose of password cracking is to gain unauthorized access to a system, or as a preventive measure to check for easily crackable passwords.

The top ranking password cracking software packages, out of a large collection, are as follows:

Cain & Abel is a password recovery tool for Microsoft OSs. It allows easy recovery of various kind of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols. *

John the Ripper is a fast password cracker, currently available for Unix, Windows, DOS, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. **

Hydra is a software project developed by the "The Hacker's Choice" (THC) organization that uses a dictionary attack to test for weak or simple passwords on one or many remote hosts running a variety of different services. THC-Hydra offers most developed password brute forcing. ***

L0phtCrack offers hash extraction from 64 bit Windows, multiprocessor algorithms and password recovery.****

Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. It estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly. The strength of a password is a function of length, complexity, and randomness.

It is usual to estimate password strength in terms of information entropy, measured in bits, a concept from information theory. A password with, say, 42 bits of strength calculated in this way would be as strong as a string of 42 bits chosen randomly, say by a fair coin toss. Put another way, a password with 42 bits of strength would require 242 attempts to exhaust all possibilities during a brute force search.

In cyber operations it is mandatory for the monitoring software at the Network Control Centers (NOCs) to run periodic verifications of every user security classification of how easy is to crack their passwords. DoD must include in every application a Password Assistant window that will reflect the implementation of security assurance policies. As a general rule in the case of cyber operations this will require at least twelve characters made of numbers and letters.