Internet Security Systems

crack


Password cracking is one of the oldest hacking arts. Every system must store passwords somewhere in order to authenticate users. However, in order to protect these passwords from being stolen, they are encrypted. Password cracking is the art of decrypting the passwords in order to recover them.

This technique is useful for system administrators. By running a password cracking program on their own systems, they will find user accounts with weak passwords. This should be part of regular system maintenance.

The 'crack' utility runs through combinations of passwords until it finds the right ones. There are different programs, but they typically run through a series of stages:

  1. try common passwords, such as "password" or the name of the account in question
  2. run through all the words in the dictionary and lists of common passwords
  3. run through all the words in foreign dictionaries and special "crack" dictionaries
  4. try all combinations of letters out to a certain size, such as 5 letters
  5. try all combinations of letters, upper/lower case, numbers, and punctuation out to a certain size, such as 3 characters

The difficulty in running the password cracking utility is that it takes a long, long time. The problem size grows "exponentially". If we consider passwords that just use letters of the alphabet, this is the size of the problem:

  Password length    Tries
  1 letter           26 tries
  2 letters          26 x 26 = 676 tries
  3 letters          26 x 26 x 26 = 17 thousand tries
  4 letters          456 thousand tries
  5 letters          11 million tries
  6 letters          308 million tries
  7 letters          8 billion tries
  8 letters          208 billion tries

These numbers show that even a supercomputer cannot crack a sufficiently large password.
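
As an added example (not part of the original page), the five stages listed above can be turned into a check applied when a user sets a password: it reports which stage, if any, would reach the proposed password. The word lists are small constructed samples, and the function names and the 94-character full set are assumptions.

```python
import string

# Constructed sample lists; a real check would load full word lists.
COMMON = {"password", "123456", "qwerty", "letmein"}
DICTIONARY = {"dragon", "monkey", "sunshine"}
FOREIGN_AND_SPECIAL = {"bonjour", "geheim", "passw0rd"}

LETTERS = string.ascii_lowercase  # 26 letters, as in the table above
FULL = string.ascii_letters + string.digits + string.punctuation  # 94 (assumed set)
LETTERS_MAX = 5  # stage 4 size given in the text
FULL_MAX = 3     # stage 5 size given in the text


def keyspace(alphabet_size, max_len):
    """Candidates of every length from 1 to max_len over the alphabet."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def stage_that_finds(account, password):
    """Return (stage, reason) for the first stage that reaches the
    password, or (None, reason) if none of the five stages does."""
    # Assumption: the word-list stages also try case variants of each word.
    word = password.casefold()
    if word in COMMON or word == account.casefold():
        return 1, "common password or account name"
    if word in DICTIONARY:
        return 2, "dictionary word"
    if word in FOREIGN_AND_SPECIAL:
        return 3, "foreign or special crack dictionary word"
    if len(password) <= LETTERS_MAX and set(password) <= set(LETTERS):
        tries = keyspace(len(LETTERS), LETTERS_MAX)
        return 4, f"within {tries:,} letter-only tries"
    if len(password) <= FULL_MAX and set(password) <= set(FULL):
        tries = keyspace(len(FULL), FULL_MAX)
        return 5, f"within {tries:,} full-charset tries"
    return None, "not reached by the five stages at these sizes"


if __name__ == "__main__":
    # Constructed (account, proposed password) pairs.
    for account, pw in [("alice", "alice"), ("bob", "Dragon"),
                        ("carol", "zqxjk"), ("dave", "a$9"),
                        ("erin", "zqxjkw-Rt41")]:
        stage, reason = stage_that_finds(account, pw)
        print(f"{account}: stage={stage} ({reason})")
```

A result of `None` only means the password survives these five stages at the sizes given in the text; larger stage sizes reach more passwords.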

However, most people choose weak passwords that can easily be guessed. Therefore, the "holy grail" of hacking is to obtain the password file and run it through a crack program.

The password file on UNIX is stored in the file /etc/passwd. The password file on Windows NT is stored in %systemroot%/system32/config/SAM

Shadowing the password file on UNIX helps stop this attack. This means that some other password file, available only to the administrator, is stored in a protected location, while a pseudo-password file is stored in /etc/passwd for programs that need account information.

