H-Net Magazine
Volume One, Issue 1, File #09 of 20

How to Crack Those PASSWORDS!


THE SO-CALLED "UNCRACKABLE" PASSWORD
--------------------------------------

Many people consider the type of password - the so-called random combination of alphabetic and numeric characters - to be "uncrackable" because so many billions of combinations seem possible. A six-character password of this type, using only letters and numerals, could have 2,238,976,116 variations. This type of password is most frequently used by large database vendors. It is assigned to the user by the vendor, and is often used with systems requiring only one access level (that is, no second security number) because the password is believed to be so invulnerable to cracking.

In reality, however, this password format is vulnerable to solution by both doors and algorithms. In the first case, not all passwords require the presence of numbers. Passwords may be alphabetic characters only. In some cases passwords such as "GUEST" or "IBMCE" may provide a backdoor into the system.

Solution by algorithm can also be simple because most systems do not use a truly random method for generating passwords. We know, for example, that MILNET passwords exclude certain letters and numbers. There are doubtless other rules involved in their construction that we could discover. A study of passwords from a given system - we'll use Dow Jones as an example here - can reveal the patterns that are used to create such "uncrackable" passwords.

Dow Jones passwords are generally 10 characters long. If character assignment were truly random, we would expect that most of the characters would be alphabetic, because there are 26 alpha characters compared to only 10 numeric characters. A random system would generate 2.6 alphas for each numeric character.
In fact, however, Dow Jones passwords appear to have only 4 or 5 alphabetic characters and 5 or 6 numeric characters. This is our first clue that the password selection process is not random. Here is a sample of typical Dow Jones passwords:

    92J62P4BUF
    35K4UPK931
    59LTAN7521

Patterns are readily discernible:

 1) The first two characters are numbers.
 2) The third character is a letter of the alphabet.
 3) Each password has at least two numbers that are duplicates.
 4) No password has three numbers that are the same.
 5) Each password has one three-letter combination that includes a vowel (e.g. BUF, UPK, TAN).
 6) This alpha-triplet can begin at any character from the fourth to the eighth position.
 7) No password has more than one vowel.
 8) Passwords may have either 4 or 5 alphabetic characters.
 9) While a password may have two alpha characters that are the same, these letters do not follow one another.
10) Of the 16 numbers used in the passwords above, none is a zero.

Examination of a large number of passwords would doubtless reveal other "rules" that were used in Dow Jones password selection. Each newly-discovered "rule" would limit the actual number of available passwords and make the system that much more subject to cracking by computer.


TAKING THE "RANDOM" OUT OF RANDOM
---------------------------------

One of the most notable factors in so-called tables of computerized "random" numbers is that there are two basic ways of creating them. The first method is to create a table that will provide what can statistically be said to be a random list - that is, no number or letter would theoretically occur more frequently than any other number or letter. Most systems, however, simply rely on an electronic component that creates allegedly "random" numbers. These hardware random number generators are usually biased in their number selections.

One simple test of a random number generator is called the "coin toss test." A program is written to simulate the results of a thousand or so coin tosses.
Were the random number generator truly random, heads would appear about as frequently as tails. In an actual test, however, heads appeared 421 times and tails appeared 579 times - a significant bias. A test such as this could be performed over the entire alphanumeric character list and the component's bias charted. Once this information was known, the cracking computer could be programmed to insert this selection bias into its own attempts to generate passwords. This is yet another step that evens the odds between the hacker and the so-called "uncrackable" password. This testing scheme, requiring either a component or a computer like the target computer, would be a lengthy process, but some people might regard the product as worth the time involved in preparing such an analysis.

A strategy for cracking the Dow Jones system, given the rules listed above, would be to create a program with an algorithm that provided combinations of passwords meeting the criteria above. As each creation was tested, a pattern might be found in the successful creations that would make the algorithm even more selective. One would expect, for example, that, similar to the MILNET and ARPANET passwords, certain confusing characters would be eliminated from passwords. The number "0" is often eliminated, for example, because it is easily confused with the letter "O".

===============================================================================
[Hackernet BBS, LEEDS, UK (0532) 557739, 24hrs. Home of H-Net Hacking magazine]
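Added example, not part of the H-Net article: a script that audits a batch of vendor-assigned passwords for the kind of structure the Dow Jones rules above describe (fixed-class positions, symbols that never occur, a narrow range of letter counts), so an operator can check a password generator's output before trusting its "36^n" keyspace. The three sample passwords are the article's; the function names, the 36-symbol alphabet and the keyspace bound are assumptions made here.

```python
"""Audit vendor-assigned passwords for structure that shrinks the keyspace.

Added example, not the article's code: profile the character class at each
position, list symbols that never occur, tally alphabetic counts, and bound
the effective keyspace below the nominal 36^n.  The three samples are the
article's; everything else is constructed here.
"""
import math
from collections import Counter

ALPHANUM = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
SAMPLES = ["92J62P4BUF", "35K4UPK931", "59LTAN7521"]  # quoted from the article

def position_profile(passwords):
    """Per position, the set of classes ('digit'/'alpha') seen across samples."""
    return [{"digit" if p[i].isdigit() else "alpha" for p in passwords}
            for i in range(len(passwords[0]))]

def fixed_class_positions(passwords):
    """Positions whose class never varies (the article's rules 1 and 2)."""
    return [i for i, c in enumerate(position_profile(passwords)) if len(c) == 1]

def unused_symbols(passwords, alphabet=ALPHANUM):
    """Symbols of the nominal alphabet that never appear (rule 10: no zero)."""
    return sorted(set(alphabet) - set("".join(passwords)))

def alpha_counts(passwords):
    """How many samples have each number of letters (rule 8: 4 or 5)."""
    return Counter(sum(ch.isalpha() for ch in p) for p in passwords)

def keyspace_bits(passwords, alphabet=ALPHANUM):
    """(nominal bits, upper bound once fixed-class positions are known).

    An always-digit position contributes log2(#digits), an always-letter one
    log2(#letters), a mixed one log2(#alphabet).  Further rules only lower it.
    """
    digits = sum(ch.isdigit() for ch in alphabet)
    size = {"digit": digits, "alpha": len(alphabet) - digits}
    bound = sum(math.log2(size[next(iter(c))] if len(c) == 1 else len(alphabet))
                for c in position_profile(passwords))
    return len(passwords[0]) * math.log2(len(alphabet)), bound

if __name__ == "__main__":
    print("fixed-class positions:", fixed_class_positions(SAMPLES))
    print("never seen:", "".join(unused_symbols(SAMPLES)))
    print("letters per password:", dict(alpha_counts(SAMPLES)))
    nominal, bound = keyspace_bits(SAMPLES)
    print("nominal %.1f bits, structural bound %.1f bits" % (nominal, bound))
```

With only three samples the bound is loose (a position can look fixed by chance); run it over hundreds of assigned passwords before drawing conclusions about a generator.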
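The coin toss test above, as an added example that is not the article's code: a chi-square goodness-of-fit check of symbol counts against a uniform expectation, run on the article's 421 heads / 579 tails result and over the full alphanumeric set, so a generator's bias can be measured before its output is used for passwords. The skewed generator, the OS-backed fair one and the two critical values (taken from the standard chi-square table) are constructed or assumed here.

```python
"""Bias test for a password-character generator (the article's "coin toss test").

Added example, not the article's code: a chi-square goodness-of-fit check of
symbol counts against a uniform expectation.  The 421/579 coin figures are the
article's; the generators and critical values table are constructed here.
"""
import random
import secrets
from collections import Counter

ALPHANUM = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
# Chi-square critical values at p = 0.05 (standard table) for the degrees of
# freedom used here: a coin (2 symbols, df=1) and 36 symbols (df=35).
CHI2_CRIT_95 = {1: 3.841, 35: 49.802}

def chi_square(counts, categories):
    """Statistic for `counts` (symbol -> tally) against a uniform expectation."""
    total = sum(counts.get(c, 0) for c in categories)
    expected = total / len(categories)
    return sum((counts.get(c, 0) - expected) ** 2 / expected for c in categories)

def is_biased(counts, categories):
    """True when the deviation from uniform is unlikely to be chance (p < 0.05)."""
    return chi_square(counts, categories) > CHI2_CRIT_95[len(categories) - 1]

def article_coin_toss():
    """The article's 421 heads / 579 tails result as a chi-square statistic."""
    return chi_square({"H": 421, "T": 579}, "HT")  # 24.964

def sample_counts(draw, n):
    """Call a zero-argument generator n times and tally the symbols."""
    return Counter(draw() for _ in range(n))

# Constructed generators: a component that favours digits 3:1 over letters,
# and one backed by the OS CSPRNG for comparison.
_skewed_rng = random.Random(1)
def skewed_draw():
    return _skewed_rng.choices(ALPHANUM, weights=[1] * 26 + [3] * 10)[0]

def fair_draw():
    return secrets.choice(ALPHANUM)

if __name__ == "__main__":
    print("coin toss chi-square: %.3f" % article_coin_toss())
    for name, draw in (("skewed", skewed_draw), ("fair", fair_draw)):
        tally = sample_counts(draw, 36000)
        print("%s: chi-square %.1f, biased=%s"
              % (name, chi_square(tally, ALPHANUM), is_biased(tally, ALPHANUM)))
```

A fair generator will exceed the threshold about one run in twenty by chance, so repeat the test on fresh samples rather than act on a single result.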