Passwords are surprisingly easy to crack, particularly if the person attempting to crack the password has physical
access to the system. You might think that matching a password to a dictionary of words might take a long time, but it doesn't.
Tools exist that take dictionaries and apply a set of rules to the words to create a match table that dramatically reduces the time required to break the password by simple brute force matching. Dictionary programs like Crack 5 or Jack the Ripper look for passwords that do things like reverse a word, change cases, replace or insert characters, and so on. L0phtCrack is the most widely used Windows cracking tool.
Given the enormous processing power even individual computers have, the speed with which a password can be broken depends on how strong the password is. If you have a PC that can perform 100,000 encryption operations per second (reasonable for a fast PC) a password composed of only the 26 lower case letters would take the following amount of time on average to crack: 3 letters; 0.18 seconds; 6 letters, 51.5 minutes; 7, 22.3 hours; 8, 24.2 days; 9 characters, 1.72 years, 10, 44.8 years; 11, 11.6 centuries, and 12 letters, 30.3 millennia. It's faster still when you can put a DVD disk with millions of string combinations to use.
When you add digits, casing, and symbols from the ASCII character set these times go up dramatically. A good goal is to find a password that takes 4 years to crack, and you can achieve this by making sure that a password of 8 characters or more has one of each of these types as in the password "S0s1nsky?" That's why many security conscious programs insist on eight letter passwords, and will often show you how secure a password is in a bar graph. Those ratings are based on the rules measuring the average cracking time (approximately).
As a network administrator you can use password cracking tools to your advantage. When considering a new password, or just to test existing ones you can use something like L0phtCrack to test the password to see how long it takes to crack it. There are several places you can download the program, one is at @stake. @tstake sells an administrator's version of this program that will allow you to test and recover both Windows and Unix account passwords from a precomputed table of trillions of passwords. You can use this tool to recover lost passwords, as well as run risk assessment reports to find and eliminate risky passwords.
Barrie Sosinsky is president of consulting company Sosinsky and Associates (Medfield MA). He has written extensively on a variety of computer topics. His company specializes in custom software (database and Web related), training and technical documentation.