Figure 2-2: Server Password Cracking - PowerPoint PPT Presentation
Transcript
1
Figure 2-2: Server Password Cracking: Reusable Passwords
Reusable Passwords
A password you use repeatedly to get access to a resource on multiple occasions
Bad because an attacker who observes it has time to learn it and can then use it
Difficulty of Cracking Passwords by Guessing Remotely
The server usually cuts the attacker off after a few failed attempts, so remote guessing is slow
2
Figure 2-2: Server Password Cracking: Hacking Root
Hacking Root
Super accounts (can take any action in any directory)
Hacking root in UNIX
Super accounts in Windows (administrator) and NetWare (supervisor)
Hacking root directly is rare; usually the attacker can only hack an ordinary user account
The attacker may then be able to elevate the privileges of that user account to take root actions
Brute-force guessing: try all possible character combinations
Longer passwords take longer to crack
Using more possible characters also takes longer
Alphabetic, no case (26 possibilities)
Alphabetic, case (52)
Alphanumeric (letters and numbers) (62)
All keyboard characters (~80)
Slow with passwords of reasonable length
4
Figure 2-2: Password Length
Number of possible passwords = N^L (N = number of possible characters, L = password length in characters)

Password length   Alphabetic, no case   Alphabetic, case   Alphanumeric: letters & digits   All keyboard characters
in characters     (N=26)                (N=52)             (N=62)                           (N=~80)
1                 26                    52                 62                               80
2 (N^2)           676                   2,704              3,844                            6,400
4 (N^4)           456,976               7,311,616          14,776,336                       40,960,000
6                 308,915,776           19,770,609,664     56,800,235,584                   2.62144E+11
8                 2.08827E+11           5.34597E+13        2.1834E+14                       1.67772E+15
10                1.41167E+14           1.44555E+17        8.39299E+17                      1.07374E+19
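The table above is just N^L evaluated for each character set. The following script is an added example (not part of the Figure 2-2 slides) that recomputes the table and turns the keyspace into an expected cracking time. The guess rates it uses (1 billion guesses per second for an offline cracker holding a copy of the password file; 5 attempts followed by a 15-minute lockout for a remote guesser) are assumptions chosen for illustration, not figures from the slides.

```python
# Added example, not part of the Figure 2-2 slides: compute the brute-force
# keyspace N**L for each character set in the table and turn it into an
# expected cracking time at an assumed guess rate.

CHARSETS = {  # name -> N, the alphabet size used by the slides
    "Alphabetic, no case": 26,
    "Alphabetic, case": 52,
    "Alphanumeric (letters & digits)": 62,
    "All keyboard characters (~80)": 80,
}
LENGTHS = (1, 2, 4, 6, 8, 10)


def keyspace(n: int, length: int) -> int:
    """Distinct passwords of exactly `length` characters from an alphabet of size n."""
    return n ** length


def cumulative_keyspace(n: int, max_length: int) -> int:
    """Passwords of length 1..max_length; an attacker tries the short ones first."""
    return sum(n ** L for L in range(1, max_length + 1))


def expected_seconds(n: int, length: int, guesses_per_second: float) -> float:
    """Average search time: half the keyspace must be tried before the password is hit."""
    return keyspace(n, length) / 2 / guesses_per_second


def remote_guess_rate(attempts_per_lockout: int, lockout_seconds: float) -> float:
    """Effective guess rate when the server cuts the attacker off after a few
    attempts and locks the account for lockout_seconds (the remote-guessing case)."""
    return attempts_per_lockout / lockout_seconds


def human_duration(seconds: float) -> str:
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def build_table() -> dict:
    """{charset name: {length: N**L}} reproducing Figure 2-2: Password Length."""
    return {name: {L: keyspace(n, L) for L in LENGTHS} for name, n in CHARSETS.items()}


if __name__ == "__main__":
    table = build_table()
    print("Length  " + "  ".join(f"{name:>32}" for name in CHARSETS))
    for L in LENGTHS:
        print(f"{L:>6}  " + "  ".join(f"{table[name][L]:>32,}" for name in CHARSETS))

    # Assumed rates (not from the slides): an offline cracker with the copied
    # password file versus a remote attacker limited by account lockout.
    offline = 1e9                       # 1 billion guesses/s, assumed
    remote = remote_guess_rate(5, 900)  # 5 tries, then a 15-minute lockout, assumed
    for name, n in CHARSETS.items():
        print(f"{name}, 8 chars: offline {human_duration(expected_seconds(n, 8, offline))}, "
              f"remote {human_duration(expected_seconds(n, 8, remote))}")
```

The two rates make the slides' point concrete: the same 8-character alphanumeric password that falls in about a day to an offline cracker holding the password file would take an unrealistic number of years to guess through a lockout-protected login prompt.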
5
Figure 2-2: Server Password Cracking: Physical Access Password Cracking
Dictionary attacks: try common words
There are only a few thousand of these
Very rapidly cracked
Hybrid attacks: common word with a single digit at the end, etc.
l0phtcrack (lower-case L, zero, "phtcrack")
Password cracking program
Run on the server itself (needs physical access)
Or copy the password file and run l0phtcrack on another machine
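To show what the dictionary and hybrid passes actually do once an attacker has a copy of the password file, here is an added example written for this page; it is not l0phtcrack and not code from the slides. The password file, the wordlist and the account names are constructed sample data, and the example assumes the file stores unsalted SHA-256 hex digests (real systems store LM/NTLM or salted crypt-style hashes, which changes the hashing step but not the guessing logic).

```python
# Added example, not part of the slides or of l0phtcrack itself: a toy
# dictionary + hybrid cracker run against a constructed password file.
# Assumption: the file stores unsalted SHA-256 hex digests. Real systems store
# LM/NTLM hashes or salted crypt(3)-style hashes, but the attack logic is the same.
import hashlib


def hash_password(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed sample data. In a real engagement only the hashes are available;
# the plaintexts are shown here so the example is self-contained.
WORDLIST = ["password", "letmein", "dragon", "monkey", "trivial"]
PASSWORD_FILE = {
    "alice": hash_password("password"),   # a plain dictionary word
    "bob":   hash_password("Dragon7"),    # dictionary word, capitalised, digit at end
    "carol": hash_password("triV6#ial"),  # the slides' example of a good password
}

# leet-speak substitutions users think make a word unguessable
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def dictionary_candidates(words):
    """Try each common word as-is."""
    for w in words:
        yield w


def hybrid_candidates(words):
    """Common word plus the usual tweaks: case change, one or two digits appended, leet-speak."""
    for w in words:
        variants = []
        for v in (w.lower(), w.capitalize(), w.upper(), w.lower().translate(LEET)):
            if v not in variants:
                variants.append(v)
        for base in variants:
            if base != w:           # the bare word was covered by the dictionary pass
                yield base
            for d in range(10):
                yield f"{base}{d}"
            for d in range(100):
                yield f"{base}{d:02d}"


def crack(password_file, words):
    """Return ({user: (plaintext, attack)} for every account whose hash matched,
    number of guesses hashed). The file is indexed by hash first, so each
    candidate costs one hash computation no matter how many accounts there are."""
    users_by_hash = {}
    for user, digest in password_file.items():
        users_by_hash.setdefault(digest, []).append(user)

    cracked, guesses = {}, 0
    passes = (("dictionary", dictionary_candidates(words)),
              ("hybrid", hybrid_candidates(words)))
    for attack, candidates in passes:
        for candidate in candidates:
            guesses += 1
            for user in users_by_hash.get(hash_password(candidate), []):
                cracked.setdefault(user, (candidate, attack))
    return cracked, guesses


if __name__ == "__main__":
    found, tried = crack(PASSWORD_FILE, WORDLIST)
    for user in PASSWORD_FILE:
        status = f"{found[user][0]!r} via {found[user][1]} attack" if user in found else "not cracked"
        print(f"{user:6} {status}")
    print(f"{tried} guesses")
```

With this five-word list the whole run is about 2,200 hashes: alice falls in the dictionary pass, bob falls in the hybrid pass because a capital letter and a trailing digit are exactly the tweaks the hybrid rules enumerate, and carol's triV6#ial survives because its digit and symbol sit in the middle of the word, which no append-a-digit rule generates.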
6
Figure 2-2: Server Password Cracking: Password Policies
Good passwords
At least 8 characters long
Change of case not at beginning
Digit (0 through 9) not at end
Other keyboard character not at end
Example: triV6#ial
Testing and enforcing password policies
Run password cracking program against own servers (Caution: requires approval! SysAdmins have been fired for doing this without permission—and should be)
Password duration policies: How often passwords must be changed
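The four "good password" rules on this slide are mechanical enough to enforce at password-change time. The checker below is an added example written for this page, not code from the slides or from any particular operating system. One interpretation is assumed: "change of case not at beginning" is read as requiring a case change somewhere other than between the first two letters, so simply capitalising the first letter does not count; "other keyboard character" is taken to mean ASCII punctuation.

```python
# Added example, not from the slides: a checker for the "good password" rules
# on this slide. Interpretation (an assumption): "change of case not at
# beginning" means the password must mix case somewhere other than between
# its first two letters, i.e. capitalising the first letter does not count.
import string

OTHER_CHARS = set(string.punctuation)   # "other keyboard characters", assumed to mean ASCII punctuation


def policy_violations(password: str) -> list:
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < 8:
        problems.append("fewer than 8 characters")

    letters = [c for c in password if c.isalpha()]
    # positions j where letter j differs in case from letter j-1
    changes = [j for j in range(1, len(letters))
               if letters[j].isupper() != letters[j - 1].isupper()]
    if not changes:
        problems.append("no change of case")
    elif not any(j >= 2 for j in changes):
        problems.append("only change of case is at the beginning")

    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    elif password[-1].isdigit():
        problems.append("digit at end")

    if not any(c in OTHER_CHARS for c in password):
        problems.append("no other keyboard character")
    elif password[-1] in OTHER_CHARS:
        problems.append("other keyboard character at end")
    return problems


def is_good_password(password: str) -> bool:
    return not policy_violations(password)


if __name__ == "__main__":
    # triV6#ial is the slide's example; the others are constructed counter-examples
    for pw in ["triV6#ial", "Password1!", "password", "1#trivial", "tV6#l"]:
        print(f"{pw!r}: {policy_violations(pw) or 'OK'}")
```

The rules target the hybrid attack directly: "Password1!" is a dictionary word with a capital first letter, a digit and a symbol tacked on the end, which is precisely what a hybrid cracker enumerates, and the checker rejects it for both the case-change position and the trailing symbol.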