Monday, December 22, 2008


I want to try and bridge a gap here, so to speak. I feel as someone interested in education, I should attempt to educate in some ways by communicating the things I know and learn in a simple language, and try to make uninteresting things sound interesting by highlighting their importance and pertinence to the layman's life.

So let's talk about passwords.

I have two goals with this post:

1) To explain the technologies used by password-cracking software.
2) To demonstrate the insanely-high speed that modern computers can operate.

Part I) The Explanation

Everybody uses them, and many people have some understanding of how the work. A lot of work has been done trying to educate the public about how to have secure passwords, and yet a lot of people still choose very poor ones. I think that there is still a lack of understanding among the general public about how passwords get broken. It is my goal in this post to explicate password-cracking in an effort to enlighten the public and exterminate the risk of my friends getting hacked.

IT professionals and just general geeks like me know about these things and want to hear about hashes, salts and rainbow tables. If you do not have a clue what I am talking about, then this post is for you. I am going to ignore those for this post and focus on generalities.

Basically, there are two methods to cracking passwords:

1) Wordlist
2) Brute Force

While these techniques have been around for as long as I have, the big change over time has been computer speed. Moore's law dictates that computing power doubles every other year, which means that a password that might have taken 24 hours to break in 1998 can probably be broken now in about 45 minutes, without even changing the techniques used.

Method #1: Wordlists

Ever sat down at a friends computer and tried to guess their password? Maybe it's the name of their dog! No wait, the name of their cat! This is, in essence, the methodology used here. Of course, a computer can guess passwords a hell of a lot faster than you can. Essentially, the software is fed a "list" of words to try, and it tries them all, one by one, until it gets it right. This list might be a concise list of popular passwords, or it might be a list of every word in the dictionary.

Method #2: Brute Force

Ever thought about how long it would take to guess your PIN in case you forgot it? First you would try 0000, then 0001, then 0002, etc. and eventually you would get to your PIN. This is brute force. It literally means trying every combination possible until you get one right. Of course, if you were actually trying to guess a PIN, you wouldn't start at 0000 would you? Who has a PIN of 00XX? A smarter way would be to start in the middle, and work your way out. Modern day cracking software works in about the same fashion. It will try every possible combination, but it does so in an intelligent order to reduce the time it will likely take.

Part II) The Demonstration

The fact is, it might shock you to learn how fast these programs can work. It shocked me. One of the most popular, renowned, and oldest software-cracking tools available is called "John the Ripper." I downloaded John and put it to work on my own machine so that I could test it out a bit. I have read most of the documentation and obtained knowledge on how it functions, and I intend to explain that here, as best as I can.

I made a bunch of fake windows accounts to test some passwords. I made 3 to start, with what I figured were weak, medium, and strong passwords.

My weak password was "apple." I guessed this would take a couple seconds to break.

My medium password is a password we use at work that involves a word and one number.

My strong password is a password that I personally have used for about 8 years, that involves letters and numbers in a way that does not resemble any sort of word.

I sic'd John on these computers and barely even left the enter key when it responded with answers to the first two. John only gives granularity down to seconds, so I can't even say the exact speed it took other than it was not even one second. Literally, my "medium" password that we use at work took less than a second to crack. I was pretty amazed.

I was even more amazed when it cracked my "strong" password just 2 hours later.

It was at this point I had to learn more and started looking more deeply into how JtR operates. Luckily, it is a very open and well-documented software with a lot of options and configuration files. I was able to learn what I needed very quickly.

John has three different "modes." By default it tries all three in order, but it contains options to only try each one individually.

Mode 1: Single mode

Basically, this is where it uses a wordlist of just one word, but tries many variations of that word. It calls these variations "mangles." There are a LOT of mangles that it tries on that word, everything from "replace every o with a 0" to "try the word backwards" to "reverse the word and capitalize every other character." What is the word that it is trying? The username.

For example, suppose your username is "admin." this mode will try "admin," "nimda," "admin1," "adm1n," etc. and a whole lot more. A LOT more. So if you think you're being cute by using a backwards-username as a password, you're not. Any variation that you can think of, JtR probably also tries. So don't use any mangle of your username as your password.

Mode 2: Wordlist mode

This is probably the most efficient and effective. JtR comes with a list of 3,706 common passwords and tries them all one-by-one. It also has the option to try "mangles" as above. However, because it is trying thousands of words instead of just one, the default amount of mangles it tries is far less. With that said, JtR is extensible so any user can add more mangles to the list with ease.

Here is a link to the wordlist that JtR comes with:


The first thing it does is try every word on that list, a process which takes less than a second. After that, it goes through the list again, trying every word in lowercase. Then, every word in uppercase. All told, there are 26 different mangles that are tried by default. I will not list them all here for fear of tedium, but I will post a link.

Let me put it bluntly: If your "password" is a word in the dictionary, you are vulnerable. Adding a number (e.g. "apple1" instead of "apple") will not help. A computer can break it in seconds (or less.)

I wanted to really underscore the performance aspect involved here, so I did some testing. First of all, I built my own wordlist. Well, not really. I found a wordlist that is supplied for spell-checking programs like the one in MS word. This list is essentially every word in the dictionary. I then added another list which contains a bunch of popular abbreviations. Then another list that contains a bunch of "slang" words and such and popular misspellings. All told, my list had 86,542 words in it to try.

I ran JtR using the custom wordlist (no mangling), and it completed in less than a second. Slightly annoyed, I tried to slow it down by enabling the mangling options. Remember, it is trying every word in a list that is 86,542 words long, then going back to the top and trying every word backwards, and so on. There are 26 mangle options which means there are 86,542 X 26 = 2,250,092 different passwords to try.

How long did JtR take to try over 2 million different passwords? One second. One measly second. Barely detectable, really. And this is while I was running another JtR session in the background, along with about 40 other things (bitTorrent, MSN, Avast!, Skype, etc.) And this is on my computer, which is hardly a supercomputer.

However, none of the 2M+ passwords matched the new ones I had put into my password file, so I moved on to the next technique...

Mode 3: Incremental mode

This essentially means Brute Force. This mode absolutely guarantees that it will crack any password ... eventually. Depending on the length of the password and size of the pool it could take seconds or years.

It's all about probability. If you have a password that must be exactly 8 characters, and you are limited to only using letters, and case doesn't matter (m = M,) then there are 268 = 208,827,064,576 different combinations.

Like all numbers, this one requires context. Two-hunded-and-eight billion is sure a large number. Far bigger than the measly 2 million I tried in my previous demonstration. There are, however, some things to keep in mind:

1) It will not be necessary to try all combinations, only the amount it takes until it gets the right one.

2) The password cracker will not, likely, do "brute force" as we would intrinsically think of it. That is, it has an intelligent order with which it tries passwords. This will decrease the time it takes to get your password.

3) Computers are fast. To test, I configured my computer to try every alpha password up to 7 chars in length, case insensitive. The amount of passwords to try here are:

267 + 266 + ... + 261 = 8,353,082,582. It ran through this exercise in about 50 minutes, or 3,000 seconds. This means it was able to try around 2.7 million passwords per second.

Do the math. With 208 billion possible combinations and 2.7 million combinations tried every second, my computer can test every possible combination of an 8-digit letters-only password in about 21 hours. Chances are, it will get to yours overnight.

4) Computers are always getting faster. Now, my computer can get every combination in 21 hours. In two years, it will be able to do it in 10 hours. By 2014, It will be able to do it in 2 hours.

There was a time where 8-digit passwords were sufficient. When JtR first came out, it was maxed at about one thousand combos per second. But that ship has sailed, and it seems like too many consumers are left on the beach.

Part III) The Advice

So how do you improve your password?

1) Length. The beauty of exponents is that adding one digit to your password can make a world of difference. By extending your password to 9 characters instead of 8, you would add 5,429,503,678,976 (5.4 trillion) more combinations! I mentioned before that my computer can try all combinations of an 8-character letters-only password in 21 hours. Guess what? To try all combinations of a 9-character letters-only password would take 23 days. Ten characters? Six-hundred-and-five days. Hooray for exponents!

The problem, of course, is that people find longer passwords harder to remember.

Well, a big problem is that people still use the word "password." "Password," really, is a bit of a misnomer. There is no reason your password needs to be a word. It can be a phrase. A good one to use would be a song lyric or even a title. Is it really hard to remember/type "StairwayToHeaven" ? Such a password is not all that secure, but it's 10 times better than "heaven" or any other word. Since this password is 16 chars long, a brute force attack would mean trying 2616 different combinations to get all of them, and 5216 combinations if it's case sensitive.

5216 = 2,857,942,574,656,970,690,381,479,936.

Of course, it will be able to crack it far faster, because of other factors that I won't get into to keep this post simple. Which means you need...

2) Numbers. But don't put "1" at the end. Suppose your favorite number is 9 and song is Stairway. Why not: "Stairway9To9Heaven"? Is that hard to remember? This would leave your password impervius to the wordlist attack and now a Brute Force attack would have to be programmed to run 6218 different combinations.

3) Symbols. Much like numbers, you can usually put symbols into words just as easily. What I usually do is think of a number and then use whatever symbols correspond to that number. In the above example we used the number 9. If you SHIFT+9, you get "(." So our password becomes: "Stairway(To(Heaven." Now we're talking about 8516 different combinations.

So that's my primer, so to speak, on passwords. Please choose your passwords carefully, and keep the things you learned today in mind!

No comments: