How It’s Done – Cracking a Password
I can recall a night about fifteen years ago when I fancied myself a bit of a hacker. Oh what fun times. Back then I used a program, called a list dialer, to dial strings of phone numbers and identify computer networks. I never really did anything with the numbers I retrieved (and if I did I certainly wouldn’t tell you guys), but the calls I received the next day made up for the fact that I had a pretty uneventful night. Receiving over 100 calls to my land line between the hours of 8 and 9 in the morning is always fun. Especially when the majority of people just called back to scream and holler about me calling at 2 a.m. and not saying anything. That’s something special.
If you enjoy sneaking around where you shouldn’t, then I believe you’ll enjoy today’s “How It’s Done” and my suggestions on how to crack those silly password buggers. Let’s get started.
There has never been a standard formula for cracking passwords. Usually, password cracks fall into one of six categories:
1. Brute Force
3. Rainbow Table
5. Social Engineering
This can be done manually, or you can download (or design) a program to do the dirty work. Brute force attacks include using all possible alpha-numeric combinations to determine the correct key. Depending on the length of the password and the computing power available (or time you’re willing to spend if you’re doing it manually), this could take a good amount of time.
Typically, this method uses a simple file that contains words. The focus here is to target users that don’t take password optimization seriously and use passwords like Flower, or Old Yeller. Simple stuff. Nowadays dictionary password cracking is a bit outdated.
This is probably the most common method today of hackers. A rainbow table uses a list of pre-computed hashes (a numerical value of encrypted passwords) and these are the hashes of every possible password combination for any particular hashing algorithm. This method is very quick, and usually only takes a few minutes of research to crack a system.
These are those fake emails you might have received that blatantly ask you for your password while pretending to be someone who should have that information like an internet service provider, or OS technician.
Something that quite a few corporations have caught on to, this method involves obtaining phone numbers to workers at their desks, calling them up and posing as someone from IT. Even though most businesses have become aware of this as a threat, you would be surprised how many people still fall victim to this tactic.
Things like an invisible key logger can be installed by malware, recording all user activity and forwarding that activity back to the hacker’s computer.