Chapter 2: Password Auditors

JOHN THE RIPPER & FSCRACK
1. How does the cracking program actually “crack” the password?
Answer: It compares results from word lists (or brute force attempts) with the encrypted
password using the same encryption method. If they match then the password is known.
2. Can a cracking program like JtR crack any password?
Answer: If it is given enough time and CPU power it can crack any password. It may take a very
long time (many lifetimes) but it will eventually crack any password.
3. If you used a larger wordlist, would it crack the passwords faster?
Answer: Yes, if you use larger wordlists the probability of cracking a given percentage of
passwords will increase (in general).
4. Can you use foreign language wordlists?
Answer: Yes, using foreign wordlists is very easy. People mistakenly believe that using foreign
wordlists protects them from password crackers. This is errant thinking. At a fundamental level
computers only see 1’s and 0’s. Foreign words can just as easily be broken down to 1’s and 0’s.
LCP
1. Where are these passwords stored on your computer?
Answer: It depends on your operating system and its version. In Windows,
passwords are stored in a database (SAM) registry file.
2. Can Mac or Linux passwords be cracked?
Answer: Yes, they can be cracked. You just need to locate the password file (/etc/passwd, or
/etc/shadow).
3. Can someone access your computer by guessing your password?
Answer: Probably not. It’s highly unlikely that someone will gain access to your computer by
guessing your password. There are just too many passwords to guess. Most accounts are locked
out (or timed out) if someone enters the incorrect password more than three or four times. There
are much easier ways to gain access to your computer.
4. Are there additional options that would make guessing passwords faster?
Answer: Yes, there are certain patterns that people follow when creating passwords. Many
people put a number either before or after their password. Crackers know this. They can set
options that will force the cracker program to try variations based on these known patterns. This
increases the probability of cracking passwords.
OPHCRACK
1. What are rainbow tables and what do they look like?
Answer: Rainbow tables are pre-computed look-up tables that can greatly increase the rate of
cracking passwords. They are very large tables of pre-computed passwords. Recent
developments (late 2008) may make new types of rainbow tables very effective.
2. How do rainbow tables differ from dictionary or brute-force attacks?
Answer: Rainbow tables use pre-computed tables to look up the hash in large tables. Dictionary
and brute-force attacks compute each password individually and compare it sequentially.
3. If you had a faster computer, would it crack the passwords faster?
Answer: Yes, the more CPU power you have the quicker you can crack passwords.
4. Would a larger encryption key make it harder to crack a given password?
Answer: Yes, in general, a larger encryption key would make a password more difficult to crack.
A 1024-bit key is much stronger than a 128-bit key. Larger keys have the downside of requiring
more CPU power to encrypt and decrypt messages.
FGDUMP
1. Could someone get the password database from your computer?
Answer: Yes, if they have access to your computer they can get your password database.
2. Could someone remotely access your password database?
Answer: Yes, someone could penetrate your computer and then obtain your password database.
3. Are the passwords stored in plain-text or encrypted?
Answer: Encrypted.
4. How could you keep these passwords from being stolen?
Answer: Make sure you have all current security patches applied to your computer. Typically
hackers/crackers will use an exploit to break into your computer and then steal your password
database. Applying all the necessary security patches can prevent hackers/crackers from gaining
access to your computer.
FREE WORD AND EXCEL PASSWORD RECOVERY
1. Are there additional programs that can “recover” your passwords more quickly?
Answer: Yes, there are many different programs designed to recover passwords from almost
every type of application. Many Web sites will charge a small fee to recover your lost/forgotten
password.
2. Is the password system used in this Microsoft application inherently and intentionally
weak?
Answer: Yes, it was made intentionally weak to reduce the amount of time needed to recover
passwords. People forget their passwords all the time. They needed a way to recover passwords
very quickly.
3. Would third-party encryption software keep your documents safer?
Answer: Yes, most third-party encryption software is not inherently weak. Using third-party
software will keep your files confidential. It’s highly recommended that you use some type of
third-party encryption software.
4. Are there options that could speed up the cracking process?
Answer: Yes, you can select options for upper case, lower case, plurals, alternate dictionaries,
and multiple character sets with varying password lengths. All of these could speed up the
cracking process.
REVELATION
1. Why allow asterisks to show in the password box? Are they necessary?
Answer: Some people believe showing asterisks in the password box gives users feedback that
they are actually entering their password. Without showing the password some users think they
are not entering their password. They are not necessary.
2. Could someone gain advantage by knowing the number of characters in your password?
Answer: Yes, someone could see how many characters your password contains. This could
greatly reduce the computing time needed to crack the password.
3. Could this tool be integrated into other security software to automate this task?
Answer: Yes, removing the asterisks is very easy and is a potential vulnerability for the end user.
4. How does it change the asterisks to characters?
Answer: The asterisks are a simple mask over your password. Programs that reveal your
password are just removing the mask.
CAIN & ABEL
1. Did the length or strength of the password slow down the cracking of the password?
Answer: Not at all. You can change the password to a very strong password and it won’t slow
the cracker down at all. The method used to crack these passwords doesn’t depend on the
strength of the password.
2. Why did Cain & Abel crack the password so quickly?
Answer: The encryption scheme used is inherently weak.
3. Would a stronger password even help?
Answer: No. You can make a very complex password and it won’t slow it down at all.
4. Does Cain & Abel integrate a password cracker with other security tools?
Answer: Yes, it can pick up packets with the words “username” or “password” and send them
directly to a password cracker. It can crack a variety of different passwords.
DEFAULT PASSWORDS
1. Why have default passwords?
Answer: They can allow tech support people to get users back into their machines if they forget
their passwords. This removes the necessity of having to completely reinstall the affected system.
Essentially they create a back door for those people that know the default password.
2. Do all devices have default passwords (e.g., routers, switches, firewalls, desktops, cars,
vending machines, alarm systems, etc.)?
Answer: Most devices do have default passwords.
3. Is there any way to disable default passwords?
Answer: On most devices it is not possible.
4. Does “flashing” the device remove new passwords?
Answer: Yes, it can remove the passwords entered by users. The downside to “flashing” a
device is that you will likely have to reconfigure the device.
PASSWORD EVALUATOR
1. Why did you choose the password you currently have?
Answer: It’s likely that you chose a password that is familiar to you and easy to remember.
Hackers know this.
2. Could others follow the same logic and choose a similar password?
Answer: Yes, most people choose passwords that are familiar to them. Many people choose a
word and then add a number to the beginning or end of the password.
3. Do hackers/crackers know that users follow these same patterns when they choose their
passwords?
Answer: Yes, they count on the mental shortcuts taken by users to make cracking passwords
easier.
4. Do you use the same password for multiple accounts?
Answer: Most people use the same password for multiple accounts. They just don’t want to have
to remember a dozen (or more) strong passwords. It’s a good idea to have several different
passwords to prevent all of your accounts from being compromised from the loss of a single
password.
PASSWORD GENERATOR
1. Do you think one of these passwords would be easy for you to remember?
Answer: Hopefully one of the passwords you see will be easy to remember.
2. Why are these good passwords?
Answer: They use a variety of changes that make them difficult to guess. They use special
characters, changes of case, numbers not at the end of the password, etc.
3. Why do special characters (e.g., @#$%^&*) make passwords difficult to crack?
Answer: They are rarely used so they make passwords more difficult to crack using brute-force
cracking. The larger the character set used, the more possible combinations the password cracker has
to calculate. Adding these special characters greatly increases the strength of the password.
4. Why does a change of case help make a stronger password?
Answer: Adding a change of case greatly increases the strength of the password because it
doubles the number of possible characters you can use in your password. A lowercase “a” and an
uppercase “A” are two different characters. Each new character doubles the number of total
possible password combinations.
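
Added example, not part of the original answer key: a small Python password evaluator that measures the effect described in the Password Evaluator and Password Generator answers. It compares the brute-force search space (alphabet size raised to the password length) with the much smaller space left when the password is a dictionary word plus digits. The sample wordlist, the function names and the three-case-variant estimate are assumptions made for illustration; only ASCII characters are counted.

```python
import re
import string

# Character classes a brute-force search has to cover once one member is used.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation]

# Constructed sample wordlist (assumption); a real audit loads a full dictionary.
SAMPLE_WORDS = {"password", "dragon", "summer", "monkey"}


def alphabet_size(password):
    """Size of the smallest alphabet that contains every character used."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def brute_force_space(password):
    """Candidates of this exact length over the inferred alphabet."""
    return alphabet_size(password) ** len(password)


def pattern_space(password, words=SAMPLE_WORDS):
    """Candidates a 'dictionary word plus digits' rule needs, or None.

    Simplified estimate (assumption): every word, in three case variants,
    combined with every digit string of the observed length.
    """
    m = re.fullmatch(r"(\d*)([A-Za-z]+)(\d*)", password)
    if not m:
        return None
    word = m.group(2)
    if word.lower() not in words:
        return None
    if word not in (word.lower(), word.capitalize(), word.upper()):
        return None
    digits = len(m.group(1)) + len(m.group(3))
    return len(words) * 3 * 10 ** digits


def effective_space(password, words=SAMPLE_WORDS):
    """Smaller of the brute-force space and the pattern-based space."""
    brute = brute_force_space(password)
    pattern = pattern_space(password, words)
    return brute if pattern is None else min(brute, pattern)


if __name__ == "__main__":
    for pw in ("dragon12", "Dragon12", "dr@Gon12", "x7#Qv!p2"):
        print(pw, alphabet_size(pw), brute_force_space(pw), effective_space(pw))
```

For "dragon12" the brute-force space is 36^8, but the word-plus-digits pattern leaves only 1,200 candidates with this four-word sample list, which is why a familiar word with a number attached scores poorly regardless of its length.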