« 'The world's most beautiful maps' | Home | Digital Zen Alarm Clock »

November 17, 2006

How to guess a computer password


Ken Munro, managing director of SecureTest, tells you everything you need to know in an article which appeared in the November 8, 2006 Financial Times; it follows.

    How to guess a password

    Given the number of combinations that can be used for even a simple password, you could be forgiven for thinking that guessing one is virtually impossible.

    It would take 65,780 guesses to guarantee finding the correct moniker for even a basic, five-character, lower-case-only password. A strong password of eight characters including letters, numbers and other characters (!ӣ$% etc) provides a barely calculable number of combinations.

    But beware those that advise you to incorporate substitutions of certain letters with numbers, for example a 3 for an “s” and a 1 for an “i”.

    Far from making your password stronger, this can actually make it weaker, if you are subjected to a hybrid attack. This type of attack will automatically try out these substitutions, sharply increasing the likelihood of success.

    Having said that, cracking both a good username and password concurrently is very difficult. But if you can guess the username, it is often possible to crack the password.

    User names and passwords are often highly predictable because they need to be easily remembered. Our business has lost count of the number of times we have found the username and password to be “test” and “test” or “admin” and “password” when testing a client’s network.

    Lazy password practices can even see some servers, routers, firewalls and DSL modems left with their default passwords. Try Googling “default password list” to see these.

    Finding the username is the key to a successful attack. The attacker systematically tries default passwords, then common username and password combinations, before using a dictionary attack (which entails running through common words). Finally, there is the brute force password attack, which attempts to crack the code much like a safe, bombarding it with different character combinations.

    Companies would be well advised to record attempts to log into their systems, whether over the internet or against the internal network. By logging failure attempts and setting alarms to go off when there have been a certain number, it is possible to detect automated attacks such as brute force.

    When it comes to choosing a user name, most are far too predictable — jdoe, johndoe, doej, etc — and allow an attacker to concentrate just on the password.

    Useful sources of information about company workers and their user names can be gained from Google Groups, where users often make postings, sometimes IT-related. It is simply a matter of searching for the organisation you are interested in. Google is a useful tool for finding passwords: try searching for “inurl:service.pwd”. This will provide a list of usernames and passwords for websites created by Microsoft Frontpage, where the creator has accidentally left the password files readable. Crack the contents of the file and you have the passwords!

    A more sophisticated attack is based on “enumeration” of user names and passwords. Enumeration describes the process of looking for differences in the response from a system or application when submitting valid and invalid user log-ins.

    For example, an application log-in might respond with “invalid password” which suggests the user name is correct. Similarly, “forgotten password” features often only ask for a user name or e-mail address. And whenever bad user names get one response, and valid user names a different response, it allows the attacker to deal with one field at a time: first the user name, then the password.

    Furthermore, while many organisations correctly offer secure (HTTPS) connections – for example, to their e-commerce stores – they forget to disable the insecure (HTTP) connection. If a “phishing” e-mail with a link to the insecure site is clicked on by the end-user, the attacker can see the unencrypted login information, provided they can “sniff” the network traffic.

    But probably the easiest route to finding out user names and passwords is simply to pick up the phone to the organisation’s help desk and ask.

    I am continually amazed by the willingness of help desks to reveal sensitive information without validating the identity of the caller.

    Consider this: when a bank calls, it expects its customer to identify themselves through various questions, but how does the customer validate the identity of the caller? Can they be certain it was the bank calling?

    An unattended, unlocked PC is also vulnerable: it is depressingly easy extracting useful passwords and user names from unlocked PCs.

    Yet preventing password cracking is not difficult. Organisations should ensure that default user names and passwords are removed; that applications do not allow user name enumeration; and that excessive log-on attempts, typified by a brute force attack, alert the IT department.

    Locking accounts for a short period, using “time-outs”, prevents brute force attacks, yet ensures that valid users can get in without significant interruption.

    But a complete lock-out is inadvisable: a malicious attacker who saw that accounts were locked out after a few attempts could script an attack to run known bad passwords against random user names in a cunning Denial of Service (DoS) attack that could leave users completely locked out of systems.


Wasn't that fun?

Want more?


On October 8, 2006 I featured a previous Financial Times column by Munro on password security.

November 17, 2006 at 02:01 PM | Permalink


TrackBack URL for this entry:

Listed below are links to weblogs that reference How to guess a computer password:


Stating that pa3sword is weaker than password is so stupid that the entire article can be dismissed.

Posted by: Lem | Nov 18, 2006 1:49:01 PM

Old car licence plate numbers are good. Most men (and probably quite a few women) can remember their parent's plates from when they were kids. They're alphanumeric and nonsensical (unless you're posh) so quite secure. UK plates, for example, used to have the format ABC123D then moved to Z789WXY and are now AB56DEF.

Posted by: Skipweasel | Nov 17, 2006 5:12:10 PM

This was posted today on the subject of passwords.
In case any one is interested.

Posted by: Justin | Nov 17, 2006 3:51:43 PM

The comments to this entry are closed.