itlaw

Definition

A password cracking program is a program that matches words found in the dictionary against the encrypted password file.

Overview

Complex passwords comprised of alphanumeric characters are more difficult to crack. However, even with complex passwords, powerful computers can use brute force to compare all possible combinations of characters until a match is found. Of course, if attackers can create their own passwords in a system, they do not need to guess a legitimate one.

A password-cracking program does not actually "decrypt" the passwords. The CPU time it would take to decrypt even one password would make this approach unfeasible. What a typical cracking utility will do is accept individual words from a "dictionary" (a list of words that could be used as passwords). The program then encrypts the individual words, and the encrypted value is compared to the captured password file. Because many users are known to choose weak passwords, it is not long before an attacker has a list of passwords that can be used to enter the target system.

There are many different cracking programs available, but they typically run through a series of stages:

  1. Try common passwords, such as "password" or the name on the account in question.
  2. Run through all the words in the dictionary and lists of common passwords.
  3. Add numbers to the end or the beginning of these dictionary words.
  4. Run through all the words in foreign dictionaries and special "crack" dictionaries.
  5. Try all combinations of letters out to a certain size, such as 5 letters (brute force method).
  6. Try all combinations of letters, upper/lower case, numbers, and punctuation out to a certain size, such as 3 characters.[1]

References

  1. Assessing Technology, Methods, and Information for Committing and Combating Cyber Crime, at 21-22.

Source

See also