zoneH - High-tech password-cracking methods
Password-cracking utilities take a set of known passwords and run them through a password-hashing algorithm. The resulting hashes – or an encrypted form of a data set – are then compared at lightning speed to the password hashes extracted from the original password database. When a match is found between the newly generated hash and the hash in the original database, the password has been cracked. It’s that simple.
Two high-tech password-cracking methods are dictionary attacks and brute-force attacks.

Dictionary attacks
Dictionary attacks against passwords quickly compare a set of words – including many common passwords – against a password database. The dictionary itself is a text file with thousands of words, typically listed in alphabetical order. For instance, suppose that you have a dictionary file that you downloaded from one of the sites in the following list. The English dictionary file at the Purdue site contains one word per line, starting with 10th and 1st and running all the way to zucchini and zyogate.
Many password-cracking utilities can use a separate dictionary that you create or download from the Internet. Here are some popular sites that house dictionary files and other miscellaneous word lists:

ftp://ftp.cerias.purdue.edu/pub/dict
ftp://ftp.ox.ac.uk/pub/wordlists
packetstormsecurity.nl/crackers/wordlists
www.outpost9.com/files/WordLists/html
Most dictionary attacks are good for weak (easily guessed) passwords. However, some special dictionaries have common misspellings of words such as pa$$w0rd (password) and 5ecur1ty (security), non-English words, and thematic words from religions, politics, or Star Trek.

Brute-force attacks
Brute-force attacks can crack any password, given sufficient time. Brute-force attacks try every combination of numbers, letters, and special characters until the password is discovered. Many password-cracking utilities let you specify such testing criteria as the characters and password length to try.
A brute-force test can take quite a while, depending on the number of accounts, their associated password complexities, and the speed of the computer that’s running the cracking software.
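As an added example (not code from the original article), here is a Python password-policy check written from the defender's side for both attack styles above: it undoes the leet-style substitutions that the "special dictionaries" pre-apply (pa$$w0rd, 5ecur1ty) before comparing a candidate password against a wordlist, and it sizes the keyspace a brute-force search would have to exhaust given the password's character classes and length. The wordlist, the substitution map and the guess rate are constructed/assumed values, not figures from the article.

```python
import string

# Constructed sample wordlist; a real deployment would load a file such as the
# Purdue English dictionary mentioned above (one word per line).
WORDLIST = {"password", "security", "zucchini", "letmein", "summer"}

# Assumed substitution map: the mangling rules a "special dictionary" applies
# (pa$$w0rd -> password, 5ecur1ty -> security), reversed to the base letter.
LEET_MAP = str.maketrans({"$": "s", "0": "o", "1": "i", "3": "e",
                          "4": "a", "5": "s", "7": "t", "@": "a", "!": "i"})


def normalize(candidate: str) -> str:
    """Lower-case, drop trailing digits/symbols (the usual 'password2024!'
    suffix), then undo leet substitutions so the base word can be looked up."""
    base = candidate.lower().rstrip(string.digits + string.punctuation)
    return base.translate(LEET_MAP)


def in_dictionary(candidate: str, wordlist=WORDLIST) -> bool:
    """True if the password, or its de-mangled form, is a dictionary word."""
    return candidate.lower() in wordlist or normalize(candidate) in wordlist


def keyspace(charset_size: int, length: int) -> int:
    """Combinations a brute-force search must try in the worst case."""
    return charset_size ** length


def brute_force_seconds(candidate: str, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the keyspace implied by the character
    classes present in the password, at an assumed guess rate."""
    size = 0
    if any(c.islower() for c in candidate):
        size += 26
    if any(c.isupper() for c in candidate):
        size += 26
    if any(c.isdigit() for c in candidate):
        size += 10
    if any(c in string.punctuation for c in candidate):
        size += len(string.punctuation)
    return keyspace(size, len(candidate)) / guesses_per_second


def assess(candidate: str, guesses_per_second: float = 1e9) -> dict:
    """Summarise how the two attack styles would fare against a candidate."""
    return {"dictionary_hit": in_dictionary(candidate),
            "brute_force_seconds": brute_force_seconds(candidate, guesses_per_second)}
```

A password that passes the dictionary check but has a small keyspace (short, single character class) is still weak against the brute-force attack described above, so both numbers should be considered together.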