Password checking

Passwords are surprisingly easy to crack, particularly if the person attempting to crack the password has physical access to the system. You might think that matching a password to a dictionary of words might take a long time, but it doesn't.

Tools exist that take dictionaries and apply a set of rules to the words to create a match table that dramatically reduces the time required to break the password by simple brute force matching. Dictionary programs like Crack 5 or Jack the Ripper look for passwords that do things like reverse a word, change cases, replace or insert characters, and so on. L0phtCrack is the most widely used Windows cracking tool.

Given the enormous processing power even individual computers have, the speed with which a password can be broken depends on how strong the password is. If you have a PC that can perform 100,000 encryption operations per second (reasonable for a fast PC) a password composed of only the 26 lower case letters would take the following amount of time on average to crack: 3 letters; 0.18 seconds; 6 letters, 51.5 minutes; 7, 22.3 hours; 8, 24.2 days; 9 characters, 1.72 years, 10, 44.8 years; 11, 11.6 centuries, and 12 letters, 30.3 millennia. It's faster still when you can put a DVD disk with millions of string combinations to use.

When you add digits, casing, and symbols from the ASCII character set these times go up dramatically. A good goal is to find a password that takes 4 years to crack, and you can achieve

    Requires Free Membership to View

this by making sure that a password of 8 characters or more has one of each of these types as in the password "S0s1nsky?" That's why many security conscious programs insist on eight letter passwords, and will often show you how secure a password is in a bar graph. Those ratings are based on the rules measuring the average cracking time (approximately).

As a network administrator you can use password cracking tools to your advantage. When considering a new password, or just to test existing ones you can use something like L0phtCrack to test the password to see how long it takes to crack it. There are several places you can download the program, one is at @stake. @tstake sells an administrator's version of this program that will allow you to test and recover both Windows and Unix account passwords from a precomputed table of trillions of passwords. You can use this tool to recover lost passwords, as well as run risk assessment reports to find and eliminate risky passwords.

Barrie Sosinsky is president of consulting company Sosinsky and Associates (Medfield MA). He has written extensively on a variety of computer topics. His company specializes in custom software (database and Web related), training and technical documentation.

This was first published in September 2004

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.