H-Net Magazine Vol 1 Issue 1 File 09
H-NET H-NET H-NET H-NET H-NET H-NET H-NET H
N N
E ** H-Net Magazine ** E
T T
H Volume One, Issue 1, File #09 of 20 H
N N
E How to Crack Those PASSWORDS! E
T T
H-NET H-NET H-NET H-NET H-NET H-NET H-NET H
THE SO-CALLED "UNCRACKABLE" PASSWORD
--------------------------------------
Many people consider the type of password - the so-called random combination
of alpha and numeric characters - to be "uncrackable" because so many billions
of combinations seem possible. A six-character password of this type, using
only letters and numerals, could have 2,238,976,116 variations. This type of
password is most frequently used by large data-base vendors. It is assigned
to the user by the vendor, and is often used with systems requiring only one
access level (that is, no second security number) because the password is
believed to be so invulnerable to cracking.

In reality, however, this password format is vulnerable to solution by both
doors and algorithms. In the first case, not all passwords require the presence
of numbers. Passwords may be alphabetic characters only. In some cases,
passwords such as "GUEST" or "IBMCE" may provide a backdoor into the system.

Solution by algorithm can also be simple because most systems do not use a
truly random method for generating passwords. We know, for example, that MILNET
passwords exclude certain letters and numbers. There are doubtlessly other
rules involved in their construction that we could discover. A study of
passwords from a given system - we'll use Dow Jones as an example here - can
reveal the patterns that are used to create such "uncrackable" passwords.

Dow Jones passwords are generally 10 characters long. If character assignment
were truly random, we would expect that most of the characters would be
alphabetic because there are 26 alpha characters compared to only 10 numeric
characters. A random system would generate 2.6 alphas for each numeric
character. In fact, however, Dow Jones passwords appear to have only 4 or 5
alphabetic and 5 or 6 numeric characters. This is our first clue that the
password selection process is not random. Here is a sample of the typical
Dow Jones passwords:
92J62P4BUF
35K4UPK931
59LTAN7521
Patterns are readily discernible:
1) The first two characters are numbers.
2) The third character is a letter of the alphabet.
3) Each password has at least two numbers that are duplicates.
4) No password has three numbers that are the same.
5) Each password has one three-letter combination that includes a vowel
(e.g. BUF, UPK, TAN).
6) This alpha-triplet can begin at any character from the fourth to the eighth
position.
7) No password has more than one vowel.
8) Passwords may have either 4 or 5 alphabetic characters.
9) While a password may have two alpha characters that are the same, these
letters do not follow one another.
10) Of the 16 numbers used in the passwords above, none is a zero.
Examination of a large number of passwords would doubtlessly reveal other
"rules" that were used in Dow Jones password selection. Each newly-discovered
"rule" would limit the actual number of available passwords and make the system
that much more subject to cracking by computer.
TAKING THE "RANDOM" OUT OF RANDOM
---------------------------------
One of the most notable factors in so-called tables of computerized "random"
numbers is that there are two basic ways of creating them. The first method is
to create a table that will provide what can statistically be said to be a
random list - that is, no number or letter would theoretically occur more
frequently than any other number or letter. Most systems, however, simply rely
on an electronic component that creates allegedly "random" numbers. These
hardware random number generators are usually biased in their number
selections.

One simple test of a random number generator is called the "coin toss test." A
program is written to simulate the results of a thousand or so coin tosses.
Were the random number generator truly random, heads would appear about as
frequently as tails. In an actual test, however, heads appeared 421 times, and
tails appeared 579 times - a significant bias. A test such as this could be
performed over the entire alphanumeric character list and the component's bias
charted. Once this information was known, the cracking computer could be
programmed to insert this selection bias into its own attempts to generate
passwords. This is yet another step that evens the odds between the hacker and
the so-called "uncrackable" password. This testing scheme, requiring either a
component or a computer like the target computer, would be a lengthy process,
but some people might regard the product as worth the time involved in
preparing such an analysis.

A strategy of cracking the Dow Jones system, given the rules listed above,
would be to create a program with an algorithm that provided combinations of
passwords meeting the criteria above. As each creation was tested, a pattern
might be found in the successful creations that would make the algorithm even
more selective. One would expect, for example, that similar to the MILNET and
ARPANET passwords, certain confusing characters would be eliminated from
passwords. The number "0" is often eliminated, for example, because it is
easily confused with the letter "O".
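
The 2.6-to-1 letter/digit argument and the coin toss test are both frequency
tests, and the same arithmetic is how an operator audits a password generator
before it issues anything. The following is an added example, not part of the
original file; the function names, the 36-character alphabet and the two
constructed streams are assumptions made for illustration.

```python
import math
from collections import Counter

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"  # 26 letters + 10 digits

def proportion_z(hits, trials, p_expected):
    """z-score of an observed count against its binomial expectation."""
    mean = trials * p_expected
    sd = math.sqrt(trials * p_expected * (1 - p_expected))
    return (hits - mean) / sd

def two_sided_p(z):
    """Two-sided p-value under the normal approximation."""
    return math.erfc(abs(z) / math.sqrt(2))

def digit_ratio_z(passwords, alphabet=ALPHABET):
    """Compare the share of digits in issued passwords with a uniform draw."""
    text = "".join(passwords)
    p_digit = sum(c.isdigit() for c in alphabet) / len(alphabet)
    return proportion_z(sum(c.isdigit() for c in text), len(text), p_digit)

def chi_square_z(samples, alphabet=ALPHABET):
    """Chi-square statistic for uniformity over the whole alphabet, plus a
    z-score from the Wilson-Hilferty approximation (large z = biased)."""
    counts = Counter(samples)
    expected = len(samples) / len(alphabet)
    chi2 = sum((counts[c] - expected) ** 2 / expected for c in alphabet)
    df = len(alphabet) - 1
    spread = 2 / (9 * df)
    return chi2, ((chi2 / df) ** (1 / 3) - (1 - spread)) / math.sqrt(spread)

# Figures taken from the article.
COIN_Z = proportion_z(421, 1000, 0.5)
SAMPLE_Z = digit_ratio_z(["92J62P4BUF", "35K4UPK931", "59LTAN7521"])

# Constructed generator output: one stream never emits "0", one is flat.
NO_ZERO = ALPHABET.replace("0", "") * 100
FLAT = ALPHABET * 100

if __name__ == "__main__":
    print(f"coin toss  z={COIN_Z:+.2f}  p={two_sided_p(COIN_Z):.1e}")
    print(f"digit mix  z={SAMPLE_Z:+.2f}  p={two_sided_p(SAMPLE_Z):.1e}")
    for name, stream in (("no-zero", NO_ZERO), ("flat", FLAT)):
        chi2, z = chi_square_z(stream)
        print(f"{name:8} chi2={chi2:6.1f}  z={z:+.2f}  biased={z > 3}")
```

A generator whose output fails either test should be replaced with one that
draws each character uniformly from a cryptographic source, such as Python's
secrets.choice over the full alphabet.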
===============================================================================
[Hackernet BBS,LEEDS,UK(0532)557739, 24hrs. Home of H-Net Hacking magazine]