
October 8, 2006

'How to crack (almost) any password in less than two minutes'


My headline is the headline over Ken Munro's "Security Matters" piece in the paper version of this weekend's Financial Times.

Long story short: use the pound (£, not #) sign.

Read it and weep — but first, if there are no cannoli, take the candy bar.

    Security Matters: Passwords

    Passwords are a fine example of how human frailty can be the weakest part of any secure system. Their very nature makes them problematic.

    A good password is long and complex – and hard to remember; weak ones are next to useless. They are also expensive to manage. One of the most requested helpdesk services is resetting a password.

    We know that the strongest passwords contain non-alphanumeric characters or symbols, are sufficiently long, and do not contain dictionary words. But some non-alphanumerics are a whole lot better than others.

    Password cracking can be likened to an evolutionary battle. Better encryption means passwords can be stronger. But with more powerful processing it is possible to crack the “new” stronger password. However, there is a simple way of defeating some password crackers.

    Passwords are encrypted by the operating system to prevent theft. The encryption process produces a “hash”. Rather than comparing the log-on to a database of words (known as a “dictionary” or “brute force” attack), an attacker can speed things up by using pre-computed hash tables, such as rainbow tables. These tables contain the “hash values” for virtually every possible password, making the cracking of the password a simple process.

    For example, it is possible to compute most Microsoft LAN Manager (LM) hashes. This is one of the formats that Windows uses to store passwords up to 14 characters long. The result is that virtually any hash can be cracked in a couple of minutes. There are failures but only very few.

    So how do those few avoid being cracked?

    The reason is that most of the widely used password crackers and pre-computed password tables are coded in the US, mostly using US-language character sets.

    One way for users outside the US to make use of this quirk is to use passwords that include characters not available on US keyboards. There are a few options including the “£” and “€” signs. We have tried this successfully as a defence against several password crackers. Even a single character password (the £) beats them.

    It is a small matter to include a £ sign in your passwords, but it has been overlooked by attackers for a long time. To the best of our knowledge there is no publicly available rainbow table that includes the £, although we are aware of some being computed.

    A standard US-language alphanumeric character set contains 62 characters. Include US-keyboard non-alphanumerics, and there are 104. Include the “Latin-1” character set from ISO 8859-1, which covers most western languages, and the priceless £ sign, and we get 191 characters. This makes brute forcing passwords and pre-computing the hashes an arduous task as the level of password complexity has grown exponentially.

    Improving password security can be achieved by removing LM hashes. LM is weak because if the password is longer than seven characters two hashes are created, which means that each half of the password can be attacked separately.

    NTLM, a Microsoft authentication protocol, is better. It uses the user’s domain or local system credentials to authenticate them.

    NTLM is based on stronger encryption and avoids splitting the password into two parts for encryption.

    Single Sign On (single authentication giving access to multiple applications) is often touted as the best solution, and it can work well, but if the SSO server is breached, everything it controls access to could be compromised in one hit.

    Yet another option is to use security tokens (authentication devices such as smart cards or key fobs) – though these should not be seen as substitutes for passwords.

    In the end, like many security issues, it boils down to risk. Is what you are trying to protect actually worth so much investment, and, if it is, can your people be trusted to remember how to get in?


Ken Munro is managing director of SecureTest (www.securetest.com)
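As an added example (not code from the column or from SecureTest), here is a short Python model of the figures the column gives. It sorts a password into the 62-, 104- or 191-character set the column names (membership decided by ISO 8859-1 code-point ranges; the set sizes themselves are the column's), and compares the guesses needed to exhaust an LM hash, where each 7-character half is attacked on its own, with a hash that covers the whole password at once. The function names and the sample passwords are mine.

```python
"""Work-factor model for the character sets named in the column and for the
LM "two halves" weakness it describes.

Constructed example added to this post; not code from the Financial Times
column or from SecureTest.  The set sizes 62, 104 and 191 are the column's
own figures; classification uses ISO 8859-1 code-point ranges.
"""

# Character-set sizes as the column states them.
CHARSET_SIZES = {"alphanumeric": 62, "us-keyboard": 104, "latin-1": 191}

LM_MAX_LENGTH = 14   # LM stores at most 14 characters (per the column)
LM_HALF = 7          # ...as two independently hashed 7-character halves


def charset_class(password: str) -> str:
    """Smallest of the column's character sets that contains every character
    of the password; 'outside-latin-1' if none of them does."""
    if not password:
        raise ValueError("empty password")
    codes = [ord(c) for c in password]
    if all(c.isascii() and c.isalnum() for c in password):
        return "alphanumeric"
    if all(0x20 <= cp <= 0x7E for cp in codes):          # printable US-ASCII
        return "us-keyboard"
    if all(0x20 <= cp <= 0x7E or 0xA0 <= cp <= 0xFF for cp in codes):
        return "latin-1"                                  # ISO 8859-1 printable
    # Note: the euro sign (U+20AC) is not in ISO 8859-1, so it lands here.
    return "outside-latin-1"


def uses_non_us_keyboard_chars(password: str) -> bool:
    """True when at least one character lies outside printable US-ASCII,
    e.g. the column's '£'."""
    return any(ord(c) > 0x7E for c in password)


def lm_work(charset_size: int, length: int) -> int:
    """Guesses to exhaust an LM password: the two halves of up to seven
    characters are attacked separately, so their search spaces add
    instead of multiplying."""
    length = min(length, LM_MAX_LENGTH)
    halves = (min(length, LM_HALF), max(length - LM_HALF, 0))
    return sum(charset_size ** h for h in halves if h > 0)


def unsplit_work(charset_size: int, length: int) -> int:
    """Guesses to exhaust a hash that covers the whole password at once
    (the column's point about NTLM not splitting the password)."""
    return charset_size ** length


def table_growth(from_class: str, to_class: str, length: int = LM_HALF) -> float:
    """Factor by which a precomputed table must grow to cover the larger
    character set at the given length."""
    return (CHARSET_SIZES[to_class] / CHARSET_SIZES[from_class]) ** length


def summarise(password: str) -> dict:
    """Classify a password and report both work estimates for it."""
    cls = charset_class(password)
    size = CHARSET_SIZES.get(cls)
    if size is None:
        return {"class": cls, "charset_size": None,
                "lm_work": None, "unsplit_work": None,
                "non_us_chars": uses_non_us_keyboard_chars(password)}
    return {
        "class": cls,
        "charset_size": size,
        "lm_work": lm_work(size, len(password)),
        "unsplit_work": unsplit_work(size, len(password)),
        "non_us_chars": uses_non_us_keyboard_chars(password),
    }


if __name__ == "__main__":
    # Sample passwords are constructed for this example.
    for pw in ("Tr0ub4dor", "Tr0ub4dor!", "Tr0ub4dor£", "Tr0ub4dor&Co£12"):
        print(pw, summarise(pw))
    print("table growth 104 -> 191 chars at length 7: %.1fx"
          % table_growth("us-keyboard", "latin-1"))
```

Run as a script it prints the class and both work figures for each sample. Two points worth reading off the output: moving from the 104-character set to the 191-character one multiplies the size of a 7-character table by roughly 70, which is the column's "arduous" precomputation; and for a 14-character password the LM figure is only twice a single 7-character search, while the unsplit figure is its square. One caveat for anyone relying on the "£" trick: the euro sign is not part of ISO 8859-1 (it belongs to Windows-1252), so the classifier reports it as outside the 191-character set, and which bytes actually get hashed depends on the code page the system applies to the password before hashing.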





my password is 'billabong' - can you please find out if my husband has found that out? here is my email address so you can let me know - dumbasafrigginbrick@aol.com

Posted by: Dipsy | Nov 13, 2008 9:02:04 PM

How can I make sure my girl friend or my wife doesn't get my password, if I have a US computer?

Posted by: Tony | Nov 13, 2008 6:55:56 PM

Hi, my boyfriend is being sneaky with his my space page. I gave him my pwd, but he won't give me his. Can you help me crack it?

Posted by: Dawn | Sep 10, 2008 11:53:36 PM

hi ! what u can tell me about ,, Cain and Abel ,, ? pls!

Posted by: valy | Sep 6, 2008 2:00:32 PM

i think my boyfriend is still seein his ugly ex. can u help me figure out his password

Posted by: ainsley | Jul 18, 2008 10:49:24 PM

Want good passwords? Go to https://www.grc.com/passwords.htm

Cut and paste three or four chunks out of original passwords.

My laptop has a 13 character PW to login - my wireless nets (home and office) are 50 characters.

Backup? On one USB 256k drive - on my car/home keychain with a backup as phone numbers on my PDA.

These are great PGP passwords, too.

Posted by: 6.02*10^23 | Aug 5, 2007 11:44:49 PM

I was wondering if you help with getting passwords, or do you charge?

Posted by: Heather | Aug 5, 2007 1:30:03 PM

I really need to know my boyfriend's password. I think that he is cheating on me. Please, I need your help.

Posted by: merrilin | Oct 14, 2006 1:48:46 PM

i want to know the email password of my wife. she is cheating on me


plse do help me

Posted by: sanjen | Oct 11, 2006 2:38:21 AM
