DAWN - the Internet Edition
Science.com

April 5, 2003


Prevent your passwords from being hacked



By Farooq S. Ahmed


Passwords are one of the most important elements of computer security. Passwords (or pass phrases), once used only by the armed forces of various countries, are now used by almost every computer user. A password is simply a secret that only the user and the system verifying it are supposed to know; a well-designed system does not store the password itself but only a one-way hash of it, so that not even the system administrator can read it.

Other means of authentication and identification include biometrics, smart cards and some newer technologies still in development that will take time to be deployed, such as a unique identifier chip implanted in a person's body as an identifying measure, which for now sounds like science fiction.

Personal information is critical to all computer users, and its protection depends on one's authentication and identification. This makes identification and authentication very important: if they are insecure, the privacy of one's data is jeopardised. By some estimates, more than 90 per cent of security breaches are the result of weak passwords. This is something every cracker (the evil twin of the hacker) knows about, and something everyone should avoid for protection in the cyber world.

Weak passwords
Normally, when a person chooses a password, the first priority is that it should be easy to remember. Such passwords may be a phone number, your own name or the name of someone you like, a dictionary word, a word you use often, and so on. These are the weakest of all passwords: a weak password is one that can be guessed by a person other than you. They are also called low-quality passwords. Most of them are built from words associated with things, names, frequently used words, etc. For instance, "cooldude", "lushpush", "wasimakram", "wasimsaira", "lushsaira", "ilikewasim", "iluvsaira", "coolwasim", "sairapechs", etc.

Some add a prefix or suffix to such a password to make it a little stronger. Others mix capital and small letters with digits and special characters. Such a hybrid password is the most secure of the three, but only if the added characters are not themselves predictable (a trailing "1" or "!" is the first thing a cracker tries).

Cracking weak passwords
Here are some common attacks against weak passwords:

Brute-force attacks: A brute-force program tries every possible combination, one after another, until it finds the password. For instance, a password of eight characters drawn from small letters (a-z), capital letters (A-Z) and digits (0-9) has 62 possible values in each position. With the length fixed at eight characters, the total number of combinations is 62^8, roughly 2.2 × 10^14, and the program checks every one of them: "aaaaaaaa", "aaaaaaab", ..., "aaaaaaaZ", ..., "99999999".

Although it sounds like an absurd way of cracking a password, you will be surprised to know that it is the most widely used and effective offline attack against passwords, and especially against encryption keys. Sometimes, however, a brute-force attack is not computationally feasible. For instance, if each of 25 positions can hold any of 256 (2^8) values, the total number of combinations is 256^25 = 2^200, which is beyond even a supercomputer. The figure that matters to an attacker is the size of the search space divided by the rate at which guesses can be checked; a hash that is fast to compute makes the attacker's job easier, which is why password storage should use a deliberately slow hash.
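
The keyspace arithmetic above, and the offline search it drives, as an added worked example (this code is not from the article; the guess rate of one billion per second, SHA-256 as the stored hash and the three-character target "Zz9" are assumptions chosen for illustration):

```python
import hashlib
import itertools
import string

# 62 alphanumeric characters, as in the eight-character example above.
ALNUM = string.ascii_lowercase + string.ascii_uppercase + string.digits


def sha256_hex(text):
    """SHA-256 of a string, hex encoded (a fast hash, which favours the attacker)."""
    return hashlib.sha256(text.encode()).hexdigest()


def keyspace(charset_size, length):
    """Number of distinct candidates of exactly `length` characters."""
    return charset_size ** length


def seconds_to_exhaust(charset_size, length, guesses_per_second):
    """Worst-case time to try the whole keyspace at a given guess rate."""
    return keyspace(charset_size, length) / guesses_per_second


def brute_force(target_hash, charset, max_length):
    """Offline brute force: enumerate every string of 1..max_length characters,
    shortest first, and stop when its hash equals the stolen hash.
    Nothing rate-limits this loop; only the keyspace size and the hash
    speed decide how long it takes."""
    for length in range(1, max_length + 1):
        for combo in itertools.product(charset, repeat=length):
            candidate = "".join(combo)
            if sha256_hex(candidate) == target_hash:
                return candidate
    return None


if __name__ == "__main__":
    one_billion = 10 ** 9  # assumed guess rate of a fast offline cracker
    print("62^8 candidates:", keyspace(62, 8))
    print("days to exhaust at 1e9/s:", seconds_to_exhaust(62, 8, one_billion) / 86400)
    print("256^25 == 2^200:", keyspace(256, 25) == 2 ** 200)
    print("years to exhaust 2^200 at 1e9/s:",
          seconds_to_exhaust(256, 25, one_billion) / (86400 * 365))

    # Constructed target: the hash of a three-character alphanumeric password.
    stolen_hash = sha256_hex("Zz9")
    print("recovered:", brute_force(stolen_hash, ALNUM, 3))
```

At a billion guesses per second the 62^8 space falls in about two and a half days, while 2^200 takes on the order of 10^43 years; the three-character example is recovered in well under a second.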

Some attacks are time-sensitive, for example against so-called time-bomb encryption, where the content is only valuable until a deadline. A successful attack therefore also has to be well-timed: if the key is recovered after the specified time, the effort was in vain.

Word-list based attacks: In this technique, each entry in a built-in repository (a word-list) is tried as the password. Multiple sessions (processes) can run the check in parallel: for example, a word-list of 100,000 words can be split among 10 programs running simultaneously to speed up the process. Whether one of those words actually matches the password depends on how the word-list was generated, and there are several techniques for that.

Word-list generators
The different types of word-list generators are mentioned below:

Simple word-list generator: A simple word-list is just a collection of some or all of the probable words. It can include proper nouns, slang, abbreviations, etc. Such a list can be written by hand, or by a program that strips the definitions out of an electronic dictionary, or takes a paragraph of text, and writes each distinct word on its own line.

Compound word-list generator: Each entry is composed of two or more words. These are used when we are sure that a particular word is either part of the password or the password itself; for instance, when you know that the password contains the word "pechs", as in "pechskarachi".

A compound word-list generator merges the different probable words to create the new word-list.

Rule/grammar-based word-list generator: The program follows a rule or a grammar when creating the word-list, for example that all words must be 8-10 characters long, must contain the string "89", must end with "e", or must follow a particular pattern (all small letters or all capitals). Some programs also accept a formal grammar, in which an expression such as (X+<).101.(x+<) means an optional capital letter, followed by the digits 101, followed by an optional small letter: here < is the null (empty) symbol, X denotes any capital letter, x any small letter, + stands for OR and . for AND (concatenation).

Hybrid word-list generators: These combine all the techniques above. Say you managed to glimpse a friend typing a six-character password that started with "VA2" (it was "VA20A6"); the hybrid generator will create a word-list of "VA2" followed by every possible three-character completion.
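
The four generators just described (simple, compound, rule/grammar-based and hybrid) as an added example, not code from the article: the sample text standing in for an e-dictionary, the filter values, SHA-256 as the stored hash and the target hashes are all constructed for illustration.

```python
import hashlib
import itertools
import string

ALNUM = string.ascii_lowercase + string.ascii_uppercase + string.digits

# Constructed stand-in for an e-dictionary or a paragraph about the target.
SAMPLE_TEXT = "Wasim and Saira live in pechs Karachi; the cool dude likes cricket."


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def simple_wordlist(text):
    """Simple generator: every distinct word of the text, punctuation stripped,
    lower-cased, in order of first appearance (one word per line in a file)."""
    words = []
    for raw in text.split():
        word = raw.strip(".,;:!?\"'").lower()
        if word and word not in words:
            words.append(word)
    return words


def compound_wordlist(words, must_contain=None, separators=("",)):
    """Compound generator: every ordered pair of words joined by each separator.
    `must_contain` keeps only candidates built around a word known to be part
    of the password (the article's 'pechs' in 'pechskarachi')."""
    out = []
    for a, b in itertools.permutations(words, 2):
        for sep in separators:
            cand = a + sep + b
            if must_contain is None or must_contain in cand:
                out.append(cand)
    return out


def rule_filter(candidates, min_len=8, max_len=10, contains="89", ends_with="e"):
    """Rule-based generator: keep only candidates obeying the stated rules
    (length 8-10, containing '89' and ending in 'e' are the article's examples)."""
    return [c for c in candidates
            if min_len <= len(c) <= max_len and contains in c and c.endswith(ends_with)]


def grammar_wordlist():
    """The grammar (X+<).101.(x+<): an optional capital letter, then '101',
    then an optional small letter; '<' is the empty string."""
    heads = [""] + list(string.ascii_uppercase)
    tails = [""] + list(string.ascii_lowercase)
    return [h + "101" + t for h in heads for t in tails]


def hybrid_wordlist(prefix, total_length, charset):
    """Hybrid generator: a prefix seen over the shoulder plus every possible
    completion to the known total length (a brute force of the remainder)."""
    for rest in itertools.product(charset, repeat=total_length - len(prefix)):
        yield prefix + "".join(rest)


def crack(target_hash, candidates):
    """Try each candidate against a stolen hash; return the match or None."""
    for cand in candidates:
        if sha256_hex(cand) == target_hash:
            return cand
    return None


if __name__ == "__main__":
    words = simple_wordlist(SAMPLE_TEXT)
    print(words)
    print("pechskarachi" in compound_wordlist(words, must_contain="pechs"))
    print(rule_filter(compound_wordlist(words, separators=("", "89"))))
    print(len(grammar_wordlist()), "grammar candidates, e.g.", grammar_wordlist()[28])
    # Constructed target: the glimpsed six-character password 'VA20A6'.
    print(crack(sha256_hex("VA20A6"), hybrid_wordlist("VA2", 6, ALNUM)))
```

The hybrid search for "VA20A6" has only 62^3 = 238,328 candidates, against 62^6 without the glimpsed prefix; the grammar produces 27 × 27 = 729 entries.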

Adaptive word-list generators: These learn from a person's previous passwords to create the word-list. Consider the passwords "R0bVanDam", "Th3R0cK" and "B1lLg0LdbErg". Most people choose new passwords similar to their old ones, yet another observation from social engineering. These three share many features; in other words, they follow a defined pattern: all start with a capital letter, all have a capital at every 3n+1 position (1, 4, 7, ...), and all substitute digits for letters (3 for e, 0 for o, 1 for i). Their lengths lie between 7 and 12 (although the same person's other passwords need not). The interesting thing to note is that all three are names of wrestlers.

An intelligent program can detect these patterns. In one respect, though, human intelligence has a definite edge over the artificial intelligence of a computer: recognising that the base words are wrestlers' names. It is very difficult for a program to guess a password that mixes more than one wrestler's name.

Normally such a program is supplied with a separate file of names and the target's interests, so that it can take this factor into account. This can also create problems: the program can get confused (hang or behave erratically) when a single person has multiple entries. The name file also has to be updated regularly, unless your program can watch wrestling and pick up the names of new wrestlers by itself.
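
The adaptive generator described above, as an added example (not code from the article): it is given the three old passwords and a constructed "interests file" of wrestler names, learns the digit-substitution and capitalisation pattern from them, and applies that pattern to fresh names. The fresh names, SHA-256 as the stored hash and the target "St0N3c0ld" are constructed; the learned map is exactly the one the text points out.

```python
import hashlib
from functools import reduce
from itertools import product
from math import gcd

# Constructed 'interests file' (names the target is known to like) and the
# three old passwords from the text, in the same order.
NAMES = ["rob van dam", "the rock", "bill goldberg"]
OLD_PASSWORDS = ["R0bVanDam", "Th3R0cK", "B1lLg0LdbErg"]
NEW_NAMES = ["hulk hogan", "stone cold", "undertaker"]


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def learn_pattern(names, passwords):
    """Align each old password with the name it was built from and record
    (a) which letter was replaced by which digit and (b) which positions
    (0-based) were capitalised."""
    leet = {}
    cap_positions = set()
    for name, pw in zip(names, passwords):
        base = name.replace(" ", "").lower()
        if len(base) != len(pw):
            continue  # name and password do not line up; skip rather than guess
        for i, (n, p) in enumerate(zip(base, pw)):
            if p.isdigit() and n.isalpha():
                leet[n] = p
            elif p.isupper() and p.lower() == n:
                cap_positions.add(i)
    return leet, cap_positions


def capital_stride(cap_positions):
    """Stride k such that every capital sits at a multiple of k (the article's
    3n+1 positions, counting from 1, give k = 3). Falls back to 1 if no
    stride can be inferred."""
    return reduce(gcd, cap_positions, 0) or 1


def candidates(name, leet, stride):
    """Apply the learned pattern to a fresh name. Every subset of the
    substitutable letters is replaced (the old passwords were not consistent:
    'e' became '3' in one and stayed 'E' in another), then every stride-th
    character is capitalised."""
    base = name.replace(" ", "").lower()
    options = [(c, leet[c]) if c in leet else (c,) for c in base]
    seen = set()
    for choice in product(*options):
        cand = "".join(ch.upper() if i % stride == 0 else ch for i, ch in enumerate(choice))
        if cand not in seen:
            seen.add(cand)
            yield cand


def adaptive_crack(target_hash, names, leet, stride):
    """Run the learned pattern over the interests file against a stolen hash."""
    for name in names:
        for cand in candidates(name, leet, stride):
            if sha256_hex(cand) == target_hash:
                return cand
    return None


if __name__ == "__main__":
    leet, caps = learn_pattern(NAMES, OLD_PASSWORDS)
    stride = capital_stride(caps)
    print(leet, sorted(caps), stride)   # {'o': '0', 'e': '3', 'i': '1'} [0, 3, 6, 9] 3
    print(list(candidates("stone cold", leet, stride)))
    # Constructed target: the person's next password, again a wrestler's name.
    print(adaptive_crack(sha256_hex("St0N3c0ld"), NEW_NAMES, leet, stride))
```

Each new name yields only 2^k candidates, where k is the number of substitutable letters, so the whole interests file is searched in a handful of guesses; the learned pattern also regenerates all three original passwords.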

There is no limit to how intelligent such a system can be made. It could observe a particular person's life, his likes and dislikes, preferences, hobbies and so on. You may have seen movies on this subject, but it is fast becoming reality. I will not discuss it further here, as it is beyond the scope of this article.

I do not yet know of a program with this capability. But if the password lives on, adaptive word-list generators will become a common sight.

Breaching security
Brute-force and dictionary attacks are of little use against a live login service. Most systems block access from your machine, and alert the administrators, after several wrong login attempts. For example, Yahoo would block an IP address for 15 minutes after 25 bad attempts. Similarly, secure operating systems such as Windows NT and most flavours of Unix can be configured to lock user accounts, as well as block IP addresses, after repeated failed logins. The attacks described above are therefore offline attacks: they need a copy of the stored password hashes (or an encrypted file), against which guesses can be checked at full speed with no lockout to slow them. Lockout itself has a cost, and attackers actively exploit it to launch a DoS (denial of service) attack against a running system: if Yahoo blocks all the IPs for 15 minutes, there is no service for 15 minutes, and the DoS has succeeded. Nothing in security can be considered a perfect solution; good solutions are optimised solutions, certainly not perfect ones.
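
A toy login service with lockout, as an added example that is not from the article, showing both halves of the point above: the word-list that lockout stops online finds the password at once against a stolen hash, and the same lockout can be triggered on purpose to shut the legitimate owner out. The user database, the word-list, SHA-256 as the stored hash and the five-attempt / 15-minute figures are constructed (the article's Yahoo example used 25 attempts and 15 minutes).

```python
import hashlib

# Constructed user database (plaintext only for the toy; a real system stores
# hashes) and a constructed word-list in which the real password is the 10th entry.
USERS = {"farooq": "wasimakram"}
WORDLIST = ["password", "123456", "cooldude", "lushpush", "karachi", "cricket",
            "saira", "wasim", "pechs", "wasimakram", "iluvsaira", "coolwasim"]


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


class LoginService:
    """Toy online login: after `max_failures` consecutive bad attempts the
    account is locked for `lockout_seconds`. Time is passed in explicitly so
    that the behaviour is deterministic."""

    def __init__(self, users, max_failures=5, lockout_seconds=900):
        self.users = users
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = {}      # user -> consecutive failures
        self.locked_until = {}  # user -> time at which the lock expires

    def login(self, user, password, now):
        if self.locked_until.get(user, 0) > now:
            return "locked"
        if self.users.get(user) == password:
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked_until[user] = now + self.lockout_seconds
            self.failures[user] = 0
        return "denied"


def online_guess(service, user, wordlist, now=0):
    """Dictionary attack against the live service: returns the password if
    found and the number of guesses the lockout let through."""
    tried = 0
    for cand in wordlist:
        result = service.login(user, cand, now)
        if result == "locked":
            break
        tried += 1
        if result == "ok":
            return cand, tried
    return None, tried


def offline_guess(stolen_hash, wordlist):
    """The same word-list against a stolen hash: no lockout, every entry is tried."""
    for cand in wordlist:
        if sha256_hex(cand) == stolen_hash:
            return cand
    return None


def lockout_as_dos(service, user, now=0):
    """Turn the lockout into a denial of service: an attacker who does not
    know the password fails on purpose until the account locks, after which
    the legitimate owner is refused too. Returns the owner's login result."""
    for _ in range(service.max_failures):
        service.login(user, "deliberately-wrong", now)
    return service.login(user, service.users[user], now)


if __name__ == "__main__":
    print(online_guess(LoginService(USERS), "farooq", WORDLIST))   # (None, 5)
    print(offline_guess(sha256_hex("wasimakram"), WORDLIST))       # wasimakram
    print(lockout_as_dos(LoginService(USERS), "farooq"))           # locked
```

The online attack gets five guesses and then nothing but "locked"; the offline check walks the whole list. Locking the account rather than the source address is what makes the DoS possible: the attacker needs only the victim's user name.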

Unbreakable passwords
Solid passwords are truly random combinations of characters (both lower and upper case), digits and special characters. They also need to be changed regularly, each new one chosen at random, to stay strong. For example, suppose your password is "K03sd9#s$" for some time and then you change it to "K04sd9#s&". Both passwords are very difficult to guess on their own.

In theory the first password is more secure than the second, because the first is independent (randomly chosen) while the second is derived from the first (not randomly chosen). An adaptive or grammar-based word-list generator that knows the first password can generate a word-list that breaks the second in computationally feasible time: only the positions that changed need to be searched, not the whole password.
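
How small the search becomes when the new password is derived from a known old one, as an added example that is not from the article. It assumes the 94 printable ASCII characters as the alphabet and SHA-256 as the stored hash, and uses the article's own pair "K03sd9#s$" and "K04sd9#s&", which differ in two positions.

```python
import hashlib
import itertools
import string
from math import comb

# The 94 printable ASCII characters: letters, digits and punctuation.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def neighbours(old, max_changes):
    """Yield `old` itself and every string that differs from it in at most
    `max_changes` positions (Hamming distance <= max_changes), nearest first."""
    yield old
    for k in range(1, max_changes + 1):
        for positions in itertools.combinations(range(len(old)), k):
            alternatives = [[c for c in PRINTABLE if c != old[p]] for p in positions]
            for replacement in itertools.product(*alternatives):
                chars = list(old)
                for p, c in zip(positions, replacement):
                    chars[p] = c
                yield "".join(chars)


def neighbourhood_size(length, max_changes, alphabet_size=len(PRINTABLE)):
    """How many candidates neighbours() produces, without enumerating them."""
    return sum(comb(length, k) * (alphabet_size - 1) ** k for k in range(max_changes + 1))


def crack_from_old(old, new_hash, max_changes):
    """Search outwards from the known old password for the new one."""
    for cand in neighbours(old, max_changes):
        if sha256_hex(cand) == new_hash:
            return cand
    return None


if __name__ == "__main__":
    old, new = "K03sd9#s$", "K04sd9#s&"   # the article's pair; new differs in two places
    print(neighbourhood_size(len(old), 2), "candidates within two edits")
    print(len(PRINTABLE) ** len(old), "candidates for a blind brute force")
    print(crack_from_old(old, sha256_hex(new), 2))   # K04sd9#s&
```

Within two edits of the old password there are 312,202 candidates, against roughly 5.7 × 10^17 (94^9) for a blind search of the same length; the derived password falls in a fraction of a second on an ordinary machine.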

There is a big drawback with incredibly secure (strong) passwords: the stronger they are, the harder they are to remember. A single person may not have this problem, but for enterprise users it is a concern that cannot be ignored. To balance the two, a regular but very hard-to-guess pattern is sometimes introduced into the password.

Dos and don’ts
Here are a few things that can help you balance strength against human memory.

• Use both capital and small letters

• Use digits and special characters

• Do not use very difficult combinations unless you are good at remembering them

• Memorise a few random letters, digits and symbols, such as "Sp0l$e", and include that random string in your password. Remember, never write any part of your password down anywhere.

• Do not use the same password for different machines or different accounts. If you have too many accounts to remember separate passwords for, try to minimise the number of accounts. Alternatively you could use related passwords, such as "reack01", "Areack99", "Breack02". This helps you remember them, but it also helps anyone trying to break in: once one is known, the others are a short search away.

• Never feel secure about your password.

• Never take all or part of your password from the things you like or hate the most, or from the names of people and things around you. For example, if you are a cricket fan and a computer expert, don't put a cricketer's name, a celebrity, a tech term, etc, in your password.

The last word for you to remember is that “hackers’ best weapon is persistence and defence’s best strategy is paranoia”.

The writer is a freelance contributor



© DAWN Group of Newspapers, 2005