Skip to main content

Password Cracking.


When we are thinking about the security the main thing which is coming to our minds is “Password”. Because, to securing the data/information digitally we have need to go for the password protection instead of encryption. Password is protecting the identity of an individual or group of people (organization). Generally password is considering as the 1st defensive mechanism to protect the resources from the hackers. If we move on to a social media or online money transaction or emails something which are containing our information digitally they all are requiring password to move inside. So, password is challenging the hackers to gain the access. But when it’s come to cyber everything can be possible. According to that, this article containing the way to crack the password. 

Guessing :

Many users are having the mindset of “easy to remember” instead of considering the security importance when creating the password (e.g. user login). If that password is easy to remember by the user, then it is easy for the hacker to guess the password. Some following ideas given below are the general ideas of guessing the password of many un-knowledge users.
·         The word “password” is use for the password.
·      Password is same as the user name. E.g. Router configuration Username: admin and Password: admin (username and password are same).
·         Name of the user as the password.
·         User’s birthday or birth places. (Birthdays & birth places – can be his/her relatives)
·         Names of relatives
·         Pets name
·         Favorite things such as books, sentence, places, etc.
This guessing method is more efficient method to crack the password without using automated programs.

Note:If its works and able to find the password, we can suggest that this kind user’s password is same for the other protecting areas too (he won’t use multiple passwords).

Dictionary Attacks:

By looking at the term we can understand it’s meaning, by using dictionary we are finding the password of the user. But this dictionary is not like the normal dictionary. It can be a program of containing the listed words which are suggested by the password crackers. These suggested words may contain numbers and symbols at the end of the word or at the beginning. Password cracker can collect the words from the user’s personal information (e.g. nick name) and they might be not a proper word too. For this method the hacker/password crackers need to compare 100 or 1 million possibilities.
By this method we can access the password of the users who are using ordinary and common passwords (e.g. 123abc).

Note: When considering different language the words can be different, so this method is very hard to guess the password. User might use a word that is not in the dictionary or make use of two words in the password are also making this method hard to find the password. 

Brute Force:

This method is successful for the short passwords. In this method we are checking the combinations of the words (letters + symbols) for a password systematically. By checking the combinations systematically this method is consider as time consuming approach. But unfortunately it is infeasible to try for the long passwords. Just imagine we are guessing a 7 character password which is only containing alphabets (capital or lower case) letters, then we have need to check for the combination of 26 to the power 7 (267) and it will be 8031810176 guesses. Funniest thing in this mechanism is, this is an infallible method to find the password but whether you can’t assure that you will be alive when it finally guesses.

Note: Hacker/password cracker need to know the size of the password before guess the combinations (e.g. ATM cards are having 4 digits for their pin numbers).

These are some methods uses generally and easily by everyone. There are some more methods such as rainbow table, benchmarking and salt to crack the passwords.

Bruce Schneier an American cryptographer mentioned 20 most password that are using by the general users, they are “password1, abc123, myspace1, password, blink182, qwerty1, fuckyou, 123abc, baseball, football, 123456, soccer, monkey1, liverpool1, princess1, jordan23, slipknot1, superman1, iloveyou1 and monkey”. These common passwords founded nearly 5% of the stolen passwords by the password crackers. We can assume the user’s creativity towards the passwords by observing such kind of the common password.  But keep in mind that most of the user’s passwords are always include real words or some sort of real words because they are using the passwords which they can easily remember what I said before.




©IT Today

Comments

Post a Comment

Popular posts from this blog

How OIDC run on top of OAuth - Demo by a maven web application

As I said in the previous blog about OIDC, OIDC is running on top of OAuth in-order to provide authentication and authorization. When it comes to real scenario, we have need to clearly understand the flows between authorization server, and resource server. For OAuth it needs token introspection endpoint in-order to validate the token. But, in OIDC it doesn't need to have this introspection endpoint because OIDC response token (JWT) it contains the idtoken which contains information about the token to validate by the resource server. OIDC is running as authorization grant type is pretty much safe way for the web applications. Let's see how a real world application using this OIDC on top of OAuth. Note: I have created an sample application to provide the graphical interface for this explanation. When you are trying to login a online web application account you may see another login options also available. For example, login with Google, login with Facebook,etc. Those ...
Post a Comment
Read more

Bandit Wargame – Documentation

Basically wargames are providing the basic knowledge on the security concepts. It is a game that contain many tricks to break the borders to gain the access especially passwords (commands are mostly on the Linux CLI). You can find many wargames through the Internet and they are very interest and fun full too. “Bandit” is also a wargame which is for the beginners. You all can access that through the link given bellow. And this article is an document for this game. I have used Ubuntu as the operating system. Bandit – Clickhere . Level 0: Case study → Clickhere Here we have need to connect the host through the SSH (secure socket shell) server. The informations are provided as follows. Host name: bandit.labs.overthewire.org Port No: 2220 User name: bandit0 Password: bandti0 There are many ways to connect through the SSH server. Method 1: Download and run the “PuTTY SSH client”. ( https://the.earth.li/~...
Post a Comment
Read more

Introduction to OAuth

What is OAuth? OAuth is a protocol that allows distinct parties to share information and resources in a secure and reliable manner. OAuth needs to consider the 2 concept to provide the informations in secure and reliable manner. They are authentication and authorization. Authentication -> Validating the person/system who need the information Authorization -> After authentication what action can be performed by the person/system. By maintaining this 2 concept OAuth is providing federated identity and delegated identity. Federated identity -> User can use his/her one application account to login another application. [Example: If a user having Facebook account then he can login Instagram with the same login as Facebook] Delegated identity -> One service can access another service resources. [Example: When creating a Facebook account with eMail address that will suggest the contacts in the eMail to add as friends] Without OAuth With OAuth User ...
Post a Comment
Read more