
How is a computer password cracked?

Ok, here's another story of password retrieval. It required an account on the target machine, so you could use it for privilege escalation. The authentication routine would reject the password at the first wrong character it reached. Of course this didn't happen at the keyboard level, but at the internal level of the authentication routine scanning the string passed to it. However, if you arranged for the password to straddle a page boundary, and arranged for the second page to be paged out, you could, through timing, guess how far along the password the checker had got. Of course there's some randomness here, and arranging for a just-written-to page to be probably paged out is tricky. But it did work, and it did cause a software update to make the scanner scan the whole password regardless. Hm, not sure why you wouldn't simply do this where the next page wasn't available and catch a segmentation fault. I think it was VMS and I'm not very familiar with its internals.

No, it could not have been VMS. That's never been the way VMS checks passwords.

And, yes, I am very familiar with VMS internals - that's my job, and has been for the last 27 years.
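The leak described two posts up (a checker that stops at the first wrong character, so an attacker who can tell how far the scan got recovers the password one position at a time) is easy to reproduce without any paging tricks. The following is an added example, not code from any of the posters or from VMS: the `compared` counter stands in for the timing signal (a real attacker measures response time instead), the secret, alphabet and class names are constructed for the demo, and the second checker shows the fix the post mentions, scanning the whole string regardless.

```python
import hmac
import string

# Constructed secret for the demo; the attacker code below never reads it directly.
SECRET = "s3cret!"
ALPHABET = string.ascii_letters + string.digits + string.punctuation


class EarlyExitChecker:
    """Password check that returns at the first mismatching character.

    `compared` records how many characters were examined on the last call.
    It stands in for the timing (or page-fault) signal described in the
    post: a real attacker would measure response time instead.
    """

    def __init__(self, secret):
        self._secret = secret
        self.compared = 0
        self.calls = 0

    def check(self, guess):
        self.calls += 1
        self.compared = 0
        for a, b in zip(guess, self._secret):
            self.compared += 1
            if a != b:
                return False          # early exit: leaks the mismatch position
        return len(guess) == len(self._secret)


class ConstantTimeChecker(EarlyExitChecker):
    """Fixed version: always examines the whole secret, so `compared` is constant."""

    def check(self, guess):
        self.calls += 1
        self.compared = len(self._secret)
        return hmac.compare_digest(guess.encode(), self._secret.encode())


def recover_secret(checker, alphabet=ALPHABET, max_len=64):
    """Recover the secret one position at a time using only check() results
    and the leaked comparison count. Returns None if the oracle gives nothing away."""
    known = ""
    for _ in range(max_len):
        for c in alphabet:
            if checker.check(known + c):
                return known + c              # exact match: the whole secret
            # Append a pad byte: if c is right, the checker also examines the pad,
            # so the count is one higher than for a wrong c at this position.
            checker.check(known + c + "\x00")
            if checker.compared == len(known) + 2:
                known += c
                break
        else:
            return None                       # no character advanced the count
    return None


def demo(checker_cls):
    """Run the attack against one checker; returns (recovered_secret, oracle_queries)."""
    checker = checker_cls(SECRET)
    return recover_secret(checker), checker.calls


if __name__ == "__main__":
    print("early-exit   :", demo(EarlyExitChecker))
    print("constant-time:", demo(ConstantTimeChecker))
```

Against the early-exit checker the seven-character secret falls in a few hundred queries, roughly two per alphabet character per position, instead of the 94^7 guesses a blind search would need; against the constant-time checker the count never moves and the attack gives up at the first position.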
 
There's the classic Sarah Palin email hack of course. A public figure using publicly known information as the answer to their "secret question".
 
Easiest way:

Ask the person for their password. My organization has something like 80,000 active users at any given time. Many, many times per month (as in, millions of times per month) we get hit with phishing spam asking people to email their passwords; for every 10,000 or so that make it through the filters into people's email, maybe 2 or 3 people dutifully - and stupidly - supply their email password to the spammers. We know this because typically within 24 hours the account is being used to send spam through our mail servers, which gets detected automatically & stopped.

Less easy way:

Get a keylogger installed on the client machine and wait for them to type the password into some website, application, what have you, retrieve the logs, find the passwords & use them. This is the method most often used by people looking for passwords to online games such as World of Warcraft or to online banking sites. This can be thwarted with a 2-tier authentication system like passwords & tokens, provided the keylogger isn't reading the input in realtime (some can.)

Less easy still:

Bombard the server/website/whatever with authentication attempts using either a list of likely account names or a known account name, and a series of passwords based on dictionary words (hence the name "dictionary attack.") A properly secured system isn't terribly vulnerable to this method since it will block addresses and/or lock accounts after some number of failed login attempts, but improperly secured systems abound.

Other methods exist, including the rainbow table lookup referenced earlier, but are even less easy than what I'd consider to be the big three above.
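The "less easy still" method above, an online guessing run against the login service, is what a failed-attempt limit is meant to stop. The following is an added example (my own code, not the poster's system): a constructed login service with a per-account lockout, a constructed twelve-word list with the victim's password at position 12, and the same attack run with and without the lockout. Names, the SHA-256-with-salt storage and the word list are all assumptions for the demo.

```python
import hashlib
import hmac
import os


def hash_password(password, salt=None):
    """Salted SHA-256 for the demo only; a real system uses a slow KDF (scrypt, argon2)."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.sha256(salt + password.encode()).digest()


class LoginService:
    """Username/password check with a per-account failed-attempt counter (constructed)."""

    def __init__(self, credentials, max_failures=5):
        # credentials: {username: plaintext}; stored as (salt, digest), never plaintext.
        self._users = {u: hash_password(p) for u, p in credentials.items()}
        self._failures = {u: 0 for u in credentials}
        self.max_failures = max_failures      # None disables the lockout

    def is_locked(self, username):
        return (self.max_failures is not None
                and self._failures.get(username, 0) >= self.max_failures)

    def login(self, username, password):
        record = self._users.get(username)
        if record is None or self.is_locked(username):
            # Same answer for unknown user and locked account: no enumeration oracle.
            return False
        salt, digest = record
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            self._failures[username] = 0
            return True
        self._failures[username] += 1
        return False


# Constructed word list; the victim's password is the last entry.
WORDLIST = ["password", "letmein", "123456", "qwerty", "welcome", "monkey",
            "dragon", "baseball", "football", "iloveyou", "trustno1", "sunshine"]


def online_dictionary_attack(service, username, wordlist=WORDLIST):
    """Try each word against the live login; returns (password_or_None, attempts_made)."""
    for attempts, word in enumerate(wordlist, start=1):
        if service.login(username, word):
            return word, attempts
    return None, len(wordlist)


def demo(max_failures):
    """Returns ((found_password, attempts), account_locked) for one attack run."""
    svc = LoginService({"alice": "sunshine"}, max_failures=max_failures)
    return online_dictionary_attack(svc, "alice"), svc.is_locked("alice")


if __name__ == "__main__":
    print("no lockout:", demo(None))   # password found on the 12th attempt
    print("lockout=5 :", demo(5))      # attack fails, account locked after 5 misses
```

With the limit removed the attack succeeds on its twelfth attempt; with a limit of five the account locks after the fifth wrong guess and every later attempt, including the correct one, is refused. The caveat a defender should keep in mind: an attacker who knows a username can now lock the legitimate user out at will, so deployed systems pair account lockout with per-address throttling and increasing delays rather than relying on it alone.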
 
Hi,

I was wondering if anyone knows how a computer password is cracked, why can't they have foolproof encryption. I don't know a lot about this.

My understanding was that password cracks are "brute force" where a program guesses until the correct password is reached. But this doesn't make sense because a password longer than about 10 characters would take years to crack just by guessing. So how is it done?

Thanks
I read once where a man's computer was confiscated because the police suspected he had child porn on it. Apparently the portion of his computer with the alleged porn was protected by a very well executed password. He refused to give them the password using the fifth amendment. I don't know how this turned out. The police said they were going to get help cracking the password but like I said I have no idea how this turned out.
 
Read in a book where a hacker stole the encrypted password list. System Admin thought the hacker was "teh dumz", but figured out that the hacker either stole or had access to the encryption process. (Can't remember if the program was well documented or free or source code available or what, but I think there was an exploitable flaw in it). System Admin then realized hacker was going to password-encrypt a dictionary and then compare the password file with the dictionary file to see if anyone is using standard words.
 
Just a note:
There is a difference between passwords that are encrypted via a two-way algorithm and a password that goes through a one way hashing algorithm such as MD5 or SHA.
For example, the hash of the string "foo" is "acbd18db4cc2f85cedef654fccc4a4d8"
Attempting to get foo from that string, without using a dictionary, would take a lot more computer power than a password that has been encrypted using a two-way algorithm.
An easy way to avoid a brute force attack that uses a lookup table, is to salt the password:
$salt = "foo";                                   // fixed salt shared by every account, as written in the post
$hash_to_be_stored_in_db = md5($password . $salt); // store the salted hash, never $password itself
 
The only time I've ever had a computer account 'broken in' to....

This was back in high school, early 1980s. For most of my educational career, we had been using Commodore PET computers, using tape drives and Commodore BASIC.

In my second last year in high school, we had gotten a new set of ICON computers. These were Unix workstations, networked to a common server. Our teachers at the time weren't used to dealing with this type of technology. Still, they had set up accounts for us, and asked us to create a password, and tell them what it was. (I guess they didn't understand what the 'root' account was at the time...)

In our first programming assignment on the new computers, we had to write a simple program in C. (Our teachers at the time didn't know the language, so there was a lot of stumbling and guess-work.) After a lot of trial and error, I got my program working.

Next day, I went to log in, and found out that all of my source code was gone. Instead, the file consisted of just my password, in the middle of the screen. Initially, I thought it was some sort of technical glitch.

Later, one of the other students jokingly commented to me about how he broke in to my account and erased my source code. How did he break in? The teacher had left the list of passwords out on his desk....

The moral of the story? The weakest part of any security system is likely going to be the meatware (i.e. the humans).

Some basic rules for breaking passwords using brute force:
- Use every word in the dictionary
- Use every word in the dictionary with the first letter capitalized
- Use every word in the dictionary with a '1' at the end
- Use every word in the dictionary with the letters reversed
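The four mangling rules just listed, and the salting note a few posts up (the MD5 hash of "foo" and the `md5($password . $salt)` line), describe the two halves of an offline attack on a stolen password file: precompute hashes of likely candidates, then look the stolen hashes up. The following is an added example, not code from either poster: it builds a lookup table from a constructed four-word dictionary using exactly those four rules, cracks a constructed unsalted MD5 password file with it, then shows that per-user salts (one step beyond the single fixed salt in the post) make the table useless and force a fresh hash of every candidate for every user. MD5 is used only because the post uses it; usernames, words and salts are constructed.

```python
import hashlib

# Constructed tiny dictionary; a real attack uses millions of words.
WORDS = ["apple", "secret", "dragon", "monkey"]


def mangle(word):
    """Candidates derived from one dictionary word, following the post's four rules."""
    yield word                  # the word itself
    yield word.capitalize()     # first letter capitalized
    yield word + "1"            # a '1' at the end
    yield word[::-1]            # letters reversed


def candidates(words):
    """All mangled candidates, without duplicates, in dictionary order."""
    seen = set()
    for w in words:
        for c in mangle(w):
            if c not in seen:
                seen.add(c)
                yield c


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def build_lookup_table(words):
    """Precomputed hash -> plaintext table (a small stand-in for a rainbow table)."""
    return {md5_hex(c): c for c in candidates(words)}


# Constructed stolen password file, unsalted: username -> md5(password).
UNSALTED = {
    "alice": md5_hex("Secret"),
    "bob":   md5_hex("nogard"),
    "carol": md5_hex("correct horse battery"),
}


def crack_unsalted(stolen, table):
    """One dictionary lookup per stolen hash, no hashing at attack time."""
    return {user: table[h] for user, h in stolen.items() if h in table}


# Constructed stolen file, salted: username -> (salt, md5(salt + password)).
SALTED = {
    "alice": ("x9Q2", md5_hex("x9Q2" + "Secret")),
    "bob":   ("mL7k", md5_hex("mL7k" + "nogard")),
}


def crack_salted(stolen, words):
    """The precomputed table is useless here: every candidate is re-hashed per user.
    Returns (found, number_of_hashes_computed)."""
    found, work = {}, 0
    for user, (salt, h) in stolen.items():
        for c in candidates(words):
            work += 1
            if md5_hex(salt + c) == h:
                found[user] = c
                break
    return found, work


if __name__ == "__main__":
    table = build_lookup_table(WORDS)
    print("unsalted:", crack_unsalted(UNSALTED, table))        # alice and bob fall, carol survives
    print("table hits on salted file:",
          sum(h in table for _, h in SALTED.values()))          # 0
    print("salted:", crack_salted(SALTED, WORDS))               # same two users, 18 hashes of work
```

The salted file still yields the two weak passwords, so salting does not rescue a dictionary word; what it removes is the precomputation: the table that cracked the unsalted file in two lookups scores no hits, and the attacker's cost becomes (candidates x users) hash operations instead of one table build shared across every site and every user. Slowing each hash down with a deliberately expensive function is what turns that cost into a real obstacle.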
 
I don't know much about this myself but I do remember the old Excel worksheet protection passwords were encrypted in such a way that there were far fewer encrypted versions than there were actual passwords (i.e. many different words encrypted to the same string) which massively narrows down the brute force search.

'crypt'

The process converts a password into a number value, which is stored; different passwords will convert to the same number value, which means that there can be more than one password that will be accepted as a match.
 
Those interested in this subject should be sure to read The Cuckoo's Egg by Clifford Stoll. It's an epic tale of how he traced and caught a German hacking group plundering American military and university computers and selling secrets to the Russians.
 
Those interested in this subject should be sure to read The Cuckoo's Egg by Clifford Stoll. It's an epic tale of how he traced and caught a German hacking group plundering American military and university computers and selling secrets to the Russians.

Indeed, an interesting period of my history. I feature in the book :o

I was the whistle-blower.
 
Those interested in this subject should be sure to read The Cuckoo's Egg by Clifford Stoll. It's an epic tale of how he traced and caught a German hacking group plundering American military and university computers and selling secrets to the Russians.

For anyone who's too lazy to read (or doesn't know how), the Cuckoo's Egg was later used as the basis of a NOVA program. I have a very old video tape copy of it (although you may be able to find copies available for download...)
 
Those interested in this subject should be sure to read The Cuckoo's Egg by Clifford Stoll. It's an epic tale of how he traced and caught a German hacking group plundering American military and university computers and selling secrets to the Russians.

Seconded. This includes someone copying the password file for a dictionary attack.
It was the first episode of the TV show "Science Fiction" - dramatized accounts of real world science often with the real guy playing himself. As Cliff did.
 
And since many people use the same password on multiple systems, bingo.

I used to run a web-coupon distribution website and a mailing list for a software tool. Both required passwords for users. In both cases we stored passwords in encrypted format, as should be done. We could have, if we were dishonest, kept unencrypted versions of them and checked to see if they worked for the same usernames at yahoo mail, gmail, bank websites, etc. So the lesson is, don't use the same password for multiple sites.

Beware of any website that sends you your password if you forget it. That means they are storing the unencrypted version, and if someone breaks into their system or an employee gets ambitious, they could get them all. If they generate and send you a new password when you forget yours, then they are probably storing them in encrypted form.
 
It sounds like you would need the source code to do this?

Nope. It's done by modifying the executable.

One ex member here had the bright idea of saying that if you type your password for the forum in a thread it would be **** out. I think he was hoping to get people to type their password, then he could use their user name. For that he was justly banned.

Sounds like he was just referencing this old IRC prank:
http://www.bash.org/?244321

Try a few million usernames and you'll probably find someone whose password is "letmein" or "password".

There was one system I used where over 5% of the several hundred users had their passwords equal to their usernames.
 

Educate them on ways to come up with strong passwords that they can easily remember-

http://www.microsoft.com/protect/fraud/passwords/create.aspx

That method may work for one password, however it is useless for remembering heaps of passwords. I once tried to count the number of passwords I need, however I ran out of fingers and I did not want to take my shoes off.


Edit. Just gave this thread two tags. They show mostly old threads, but some could be a good read.
 