Within the science of cryptanalysis (using mathematical formulae to decipher coded information), password cracking is the process of recovering passwords from data that have been stored in or transmitted by digital systems (smartphones, tablets, laptops, desktops, game consoles, memory sticks…).
When passwords are stored on a system, they are encrypted by a hashing algorithm, which turns a password composed of letters, numbers and/or symbols into a fixed-length alphanumeric fingerprint. For example, using the hashing algorithm MD5, a hash of the word computer would be df53ca268240ca7667c8566ee54568a (in addition to MD5, other popular cryptographic hashing algorithms are SHA-1, LM, NTLM and Whirlpool). Once the password is encrypted, it is stored in a file.
Methods of password cracking
Password cracking software employs one or more of the following three methods (there are others):
- Brute Force: In brute force cracking, through trial and error, a computer tries every possible key or password and checks it against an available cryptographic hash of the password until it succeeds. Brute force is considered to be an infallible, but time-intensive, approach.
- Dictionary Attack: Basic dictionary attack software uses a list of common single words. More advanced programs use a dictionary, but also mix in numbers or common symbols at the beginning or end of the words. A weakness of dictionary attack is that it is dependent on words supplied by a user, typically real words, to function. If the password is misspelled, is in another language, uses a word that is not in the dictionary or profile, or is composed of two words, dictionary attack cannot succeed.
- Rainbow Tables: A rainbow table is a grid of pre-computed hashes. It generates all of the hashes that need to be verified in advance. Then all the cracker needs to do is compare all of the hashes in the password file with the ones it has already generated. The main challenge of password cracking is obtaining the file that contains all of the hashed passwords. Rainbow tables is much faster than brute force because the hashes are computed in advance. The downside is that Rainbow Table files take up 100s of gigabytes of disk space.
Dictionary Attack and Rainbow Tables are first-line methods, since they reduce the number of trials. Brute force password cracking is usually the last resort.
The time to crack a password is related to bit strength, which is a measure of the password’s predictability and how the password is stored. But the ability to crack passwords is also a function of the number of possible passwords per second that the computer can check. General-purpose desktops are considerably slower at cracking passwords than dedicated forensic workstations.
There are 6.63 quadrillion eight-character passwords that could be generated using the 94 numbers, letters, and symbols that can be typed on any keyboard. Forensic workstations can test billions of passwords per second. A user-selected eight-character password with numbers, mixed-case letters and symbols — and with commonly selected passwords and other dictionary matches filtered out — could be cracked in seconds.
According to ARS Technica, one password-cracking expert developed a computer cluster that can cycle through as many as 350 billion guesses per second. This means that it could try every possible Windows password in less than six hours.
The more GPUs a forensic workstation incorporates, the faster it cracks passwords. GPUs excel at any highly repetitive task, such as statistical modeling, physics simulations and password decryption. So, major considerations for password-cracking hardware are the processing speed, the number of GPUs and the amount of memory.
There are many freeware password cracking software tools; the most widely used are the following:
- Cain and Abel: For Windows OS; uses dictionary attack, brute force, and cryptanalysis
- John the Ripper: Free software that is primarily used to crack UNIX, Linux, Mac and Windows system passwords; uses dictionary attack and brute force
- Aircrack: For WIFI, WEP and WPA password cracking; uses dictionary attack, brute force, and FMS (a statistical technique)
- THC Hydra: Cracks remote system passwords and is best used with Linux; uses dictionary attack and brute force.
These packages are freeware and, as such, are also only supported by online communities. Most government agencies and law enforcement agencies prefer to have software that is both easier to use as well as fully supported by the publisher. The top two commercial packages are:
- Passware Kit Forensic: Provides passwords for over 280 file types and recovers passwords for both PCs, as well as Macs, iPads/iPhones and Android and Windows phones. It detects encrypted files and reports the type of encryption before starting password cracking. It enables accelerated password recovery using GPUs as additional processors and can utilize multiple computers for faster responses.
- Elcomsoft Password Recovery Bundle: A complete suite of Elcomsoft password recovery tools allows users to unprotect multiple file types. Elcomsoft is a high-end solution for forensic and government agencies, data recovery and password recovery services, and corporate users with multiple networked workstations connected over a LAN or the Internet. It allows up to 32 CPUs and up to eight GPUs per processing node.
This is only a fraction of the capabilities of these two commercial packages. But, while the freeware utilities listed above may be downloaded and tested out by anyone, the commercial packages listed range from $995 and up. They also have trial versions available for download on their Web sites.
So, who are the prime candidates for password-cracking forensic workstations? Law enforcement, government agencies, the military and even law offices. Remember that password-cracking is just one function of these powerful machines; they also process, preserve, document and make available the contents of digital devices.
John Samborski is CEO Ace Computers.