Thursday 5 January 2012

PASSWORLD CRACKING

What is a password
A password is a secret word or string of characters that is used for authentication, to prove identity or gain access to a resource (example: an access code is a type of password). The password should be kept secret from those not allowed access.
How password are Stored
Some computer systems store user passwords as cleartext, against which to compare user log on attempts. If an attacker gains access to such an internal password store, all passwords—and so all user accounts—will be compromised. If some users employ the same password for accounts on different systems, those will be compromised as well.
More secure systems store each password in a cryptographically protected form, so access to the actual password will still be difficult for a snooper who gains internal access to the system.
A common approach stores only a “hashed” form of the plaintext password. When a user types in a password on such a system, the password handling software runs through a cryptographic hash algorithm, and if the hash value generated from the user’s entry matches the hash stored in the password database, the user is permitted access. The hash value is created by applying a hash function (for maximum resistance to attack this should be a cryptographic hash function) to a string consisting of the submitted password and, usually, another value known as a salt. The salt prevents attackers from easily building a list of hash values for common passwords. MD5 and SHA1 are frequently used cryptographic hash functions.
Common password cracking Methods

Weak encryption

If a system uses a poorly designed password hashing scheme to protect stored passwords, an attacker can exploit any weaknesses to recover even ‘well-chosen’ passwords. One example is the LM hash that Microsoft Windows XP and previous versions use by default to store user passwords of less than 15 characters in length. LM hash converts the password into all uppercase letters then breaks the password into two 7-character fields which are hashed separately—which allows each half to be attacked individually.

Guessing

Passwords can sometimes be guessed by humans with knowledge of the user’s personal information. Examples of guessable passwords include:
  • blank (none)
  • the words “password”, “passcode”, “admin” and their derivatives
  • a row of letters from the qwerty keyboard — qwerty itself, asdf, or qwertyuiop)
  • the user’s name or login name
  • the name of a significant other, a friend, relative or pet
  • their birthplace or date of birth, or a friend’s, or a relative’s
  • their automobile license plate number, or a friend’s, or a relative’s
  • their office number, residence number or most commonly, their mobile number.
  • a name of a celebrity they like
  • a simple modification of one of the preceding, such as suffixing a digit, particularly 1, or reversing the order of the letters.
  • a swear word

Dictionary attacks

Users often choose weak passwords. Examples of insecure choices include the above list, plus single words found in dictionaries, given and family names, any too short password (usually thought to be 6 or 7 characters or less), or any password meeting a too restrictive and so predictable, pattern (eg, alternating vowels and consonants). Repeated research over some 40 years has demonstrated that around 40% of user-chosen passwords are readily guessable by sophisticated cracking programs armed with dictionaries and, perhaps, the user’s personal information.
In one survey of MySpace passwords obtained by phishing, 3.8 percent of those passwords were a single word findable in a dictionary, and another 12 percent were a word plus a final digit; two-thirds of the time that digit was 1.

Brute force attack

A last resort is to try every possible password, known as a brute force attack. In theory, if there is no limit to the number of attempts, a brute force attack will always be successful since the rules for acceptable passwords must be publicly known; but as the length of the password increases, so does the number of possible passwords.
A common password length recommendation is eight or more randomly chosen characters combining letters, numbers, and special characters (punctuation, etc). This recommendation makes sense for systems using stronger password hashing mechanisms such as md5-crypt.

Password Recovery Speeds

How long will your password stand up
This document shows the approximate amount of time required for a computer or a cluster of computers to guess various passwords. The figures shown are approximate and are the maximum time required to guess each password using a simple brute force “key-search” attack, it may (and probably will) be possible to guess correctly without trying all the combinations shown using other methods of attack or by having a “lucky guess”.
See the bottom of the page for details about the classes of attack.

Classes of Attack

These are just some example speeds, I’d be interested to hear from people with more information about the speed taken to crack various types of passwords with various hardware.
A. 10,000 Passwords/sec
Typical for recovery of Microsoft Office passwords on a Pentium 100
B. 100,000 Passwords/sec
Typical for recovery of Windows Password Cache (.PWL Files) passwords on a Pentium 100
C. 1,000,000 Passwords/sec
Typical for recovery of ZIP or ARJ passwords on a Pentium 100
D. 10,000,000 Passwords/sec
Fast PC, Dual Processor PC.
E. 100,000,000 Passwords/sec
Workstation, or multiple PC’s working together.
F. 1,000,000,000 Passwords/sec
Typical for medium to large scale distributed computing, Supercomputers.

10 Characters

Just numbers. As you can see choosing a password from such a small range of characters is a bad idea.
Numerals0123456789
PasswordClass of Attack
LengthCombinationsClass AClass BClass CClass DClass EClass F
2100InstantInstantInstantInstantInstantInstant
31000InstantInstantInstantInstantInstantInstant
410,000InstantInstantInstantInstantInstantInstant
5100,00010 SecsInstantInstantInstantInstantInstant
61 Million1½ Mins10 SecondsInstantInstantInstantInstant
710 Million17 Mins1½ Mins1½ MinsInstantInstantInstant
8100 Million2¾ Hours17 Mins1½ Mins10 SecondsInstantInstant
91000 Million28 Hours2¾ Hours17 Mins1½ Mins10 SecondsInstant

26 Characters

The full alphabet, either upper or lower case (not both in this case).
Upper Case AlphaA to Z
Lower Case Alphaa to z
PasswordClass of Attack
LengthCombinationsClass AClass BClass CClass DClass EClass F
2676InstantInstantInstantInstantInstantInstant
317,576< 2 SecsInstantInstantInstantInstantInstant
4456,97646 Secs5 SecsInstantInstantInstantInstant
511.8 Million20 Mins2 Mins12 SecsInstantInstantInstant
6308.9 Million8½ Hours51½ Mins5 Mins30 Secs3 SecsInstant
78 Billion9 Days22 Hours2¼ Hours13 Mins1¼ Mins8 Secs
8200 Billion242 Days24 Days2½ Days348 Mins35 Mins3½ Mins
95.4 Trillion17 Years21 Months63 Days6¼ Days15 Hours1½ Hours
10141 Trillion447 Years45 Years4½ Years163 Days16 Days39¼ Hours
1295 Quadrillion302,603 Years30,260 Years3,026 Years302 Years30 Years3 Years
151.6 Sextillion53 Trillion years532 Million years53 Million years5 Million years531,855 Years53,185 Years
2019.9 Octillion63 Quadrillion years6.3 Quadrillion years631 Trillion years63.1 Trillion years6.3 Trillion years631 Billion years









36 Characters

The full alphabet, either upper or lower case (not both in this case) plus numbers.
Upper Case AlphaA to Z
Lower Case Alphaa to z
Numerals0 to 9
PasswordClass of Attack
LengthCombinationsClass AClass BClass CClass DClass EClass F
21,296InstantInstantInstantInstantInstantInstant
346,6564 SecsInstantInstantInstantInstantInstant
41.6 million2½ Mins16 Seconds1½ SecondsInstantInstantInstant
560.4 million1½ Hours10 Mins1 MinInstantInstantInstant

52 Characters

This time we’re trying the full alphabet but using a mixture of upper and lower case letters, that effectively doubles the number of combinations when compared with just using a single case.
Mixed AlphaEg:AaBb
PasswordClass of Attack
LengthCombinationsClass AClass BClass CClass DClass EClass F
22,704InstantInstantInstantInstantInstantInstant
3140,60814 Secs< 2 SecsInstantInstantInstantInstant
47.3 Million12½ Mins1¼ Mins8 SecsInstantInstantInstant
5380 Million10½ Hours1 Hour6 Minutes38 Secs4 SecsInstant
619 Billion23 Days2¼ Days5½ Hours33 Mins3¼ Mins19 Secs
71 Trillion3¼ Years119 Days12 Days28½ Hours3 Hours17 Mins
853 Trillion169½ Years17 Years1½ Years62 Days6 Days15 Hours
92.7 Quadrillion8,815 Years881 Years88 Years9 Years322 Days32 Days

62 Characters

Mixed upper and lower case alphabetic characters plus numbers.
Mixed Alpha and Numerals0 to 9 & A to za to z
PasswordClass of Attack
LengthCombinationsClass AClass BClass CClass DClass EClass F
23,844InstantInstantInstantInstantInstantInstant
3238,32823 Secs< 3 SecsInstantInstantInstantInstant
415 Million24½ Mins2½ Mins15 Secs< 2 SecsInstantInstant
5916 Million1 Day2½ Hours15¼ Mins1½ Mins9 SecsInstant
657 Billion66 Days6½ Days16 Hours1½ Hours9½ Mins56 Secs
73.5 Trillion11 Years1 Year41 Days4 Days10 Hours58 Mins
8218 Trillion692 Years69¼ Years7 Years253 Days25¼ Days60½ Hours

86 Characters

Mixed upper and lower case alphabet and common symbols.
Mixed Alpha & SymbolsA to Z,a to z,spl characters
PasswordClass of Attack
LengthCombinationsClass AClass BClass CClass DClass EClass F
27,396InstantInstantInstantInstantInstantInstant
82.9 Quadrillion9,488 Years948 Years94 Years57 Years346 Days34 Days

96 Characters

Mixed upper and lower case alphabet plus numbers and common symbols.
Mixed Alpha, Numerals & Symbols0 to 9,A to Z,a to z,all spel charecters
PasswordClass of Attack
LengthCombinationsClass AClass BClass CClass DClass EClass F
29,216InstantInstantInstantInstantInstantInstant
3884,73688½ Secs9 SecsInstantInstantInstantInstant
485 Million2¼ Hours14 Mins1½ Mins8½ SecsInstantInstant
58 Billion9½ Days22½ Hours2¼ Hours13½ Mins1¼ Mins8 Secs
6782 Billion2½ Years90 Days9 Days22 Hours2 Hours13 Mins
775 Trillion238 Years24 Years2½ Years87 Days8½ Days20 Hours
87.2 Quadrillion22,875 Years2,287 Years229 Years23 Years2¼ Years83½ Days

Examples

These are just a couple of examples to show the resilience of certain types of password, using the information in the tables above you will be able to make your own examples.
Sample PasswordsClass of Attack
PwdCombinationsClass AClass BClass CClass DClass EClass F
darren308.9 Million8½ Hours51½ Mins5 Mins30 Secs3 SecsInstant
Land3rz3.5 Trillion11 Years1 Year41 Days4 Days10 Hours58 Mins
B33r&Mug7.2 Quadrillion22,875 Years2,287 Years229 Years23 Years2¼ Years83½ Days

Classes of Attack

These are just some example speeds, I’d be interested to hear from people with more information about the speed taken to crack various types of passwords with various hardware.
A. 10,000 Passwords/sec
Typical for recovery of Microsoft Office passwords on a Pentium 100
B. 100,000 Passwords/sec
Typical for recovery of Windows Password Cache (.PWL Files) passwords on a Pentium 100
C. 1,000,000 Passwords/sec
Typical for recovery of ZIP or ARJ passwords on a Pentium 100
D. 10,000,000 Passwords/sec
Fast PC, Dual Processor PC.
E. 100,000,000 Passwords/sec
Workstation, or multiple PC’s working together.
F. 1,000,000,000 Passwords/sec
Typical for medium to large scale distributed computing, Supercomputers.
Distributed.net‘s Project Bovine RC5-64 possibly the fastest computer on earth has recently reached a speed of 76.1 Billion passwords per second!

No comments:

Post a Comment