Cracking a 13 digit alphanumeric password in 160 seconds

September 18, 2007
The story might seem right out of science fiction, but it is true: with the steep increase in computing power, it is now possible to recover a password from its encrypted (hashed) state much more quickly with the right kind of tools.

Jeff Atwood writes that he was able to crack a 13-digit alphanumeric password, "Fgpyyih804423", in just 160 seconds. To do so, he used an open source tool called Ophcrack, a Windows password cracker based on rainbow tables.

A rainbow table is a lookup table that offers a time-memory tradeoff when recovering the plain text password from a password hash generated by a hash function. For example, in Linux you can store your password hashed with MD5 or the more powerful SHA1 and SHA256. I may add that while installing Debian, Mandriva or openSUSE, the installer asks whether you want to protect your password with MD5 or the more powerful SHA. Choose SHA, because MD5 can be easily broken...

To see your passwords in hash form in Linux, just log in as 'root' and view the /etc/shadow file.
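The check below is an added example, not code from the original post: it reads `/etc/shadow`-style lines and reports which hash scheme and salt each account uses, flagging MD5 and the older DES scheme. It assumes the standard crypt(3) `$id$salt$hash` field layout; the sample lines, salts and hash strings are constructed placeholders.

```python
# Added example: classify /etc/shadow entries by their crypt(3) "$id$" prefix.
SCHEMES = {"1": ("MD5-crypt", True),        # (name, weak per the advice above)
           "5": ("SHA-256-crypt", False),
           "6": ("SHA-512-crypt", False)}

# Constructed sample; salts and hashes are placeholders, not real hashes.
SAMPLE_SHADOW = """\
root:$6$CONSTRUCTED00001$PLACEHOLDERHASH:13774:0:99999:7:::
alice:$1$CONSTSLT$PLACEHOLDERHASH:13774:0:99999:7:::
bob:$5$rounds=5000$CONSTRUCTED00002$PLACEHOLDERHASH:13774:0:99999:7:::
carol:abPLACEHOLDER:13774:0:99999:7:::
daemon:*:13774:0:99999:7:::
dave:!$6$CONSTRUCTED00003$PLACEHOLDERHASH:13774:0:99999:7:::
"""

def classify(field):
    """Return (scheme, salt, weak, locked) for a shadow password field."""
    locked = field.startswith(("!", "*"))
    body = field.lstrip("!")
    if body in ("", "*"):
        # An empty field with no "!" allows login without a password.
        return ("no hash", None, not locked, locked)
    if body.startswith("$"):
        parts = body.split("$")      # ['', id, [rounds=N,] salt, hash]
        name, weak = SCHEMES.get(parts[1], ("other ($%s$)" % parts[1], False))
        if parts[1] not in SCHEMES or len(parts) < 4:
            return (name, None, weak, locked)
        salt = parts[3] if parts[2].startswith("rounds=") else parts[2]
        return (name, salt, weak, locked)
    if len(body) == 13:              # traditional DES crypt: 2-char salt + hash
        return ("DES-crypt", body[:2], True, locked)
    return ("unrecognised", None, True, locked)

def audit(text):
    """Parse shadow-format text into (user, scheme, salt, weak, locked) rows."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, field = line.split(":")[:2]
        rows.append((user,) + classify(field))
    return rows

def weak_users(text):
    """Accounts that can log in and whose hash scheme should be upgraded."""
    return [u for u, _, _, weak, locked in audit(text) if weak and not locked]

if __name__ == "__main__":
    for row in audit(SAMPLE_SHADOW):
        print("%-8s %-14s salt=%-18s weak=%-5s locked=%s" % row)
```

Each entry carries its own salt, so two accounts with the same password do not share a hash, and a table precomputed for unsalted hashes does not apply to them.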

Ophcrack uses rainbow tables to crack passwords (thankfully only Windows passwords) in real time. Its developers have released a LiveCD based on the SLAX Linux distribution, which can be used to automate the process to a large extent. The Ophcrack developers claim the LiveCD cracks passwords automatically, with no installation and no admin password necessary (as long as you can boot from CD). So there.

While Jeff does make it sound scary, rainbow table password cracking can be made useless with the right precautions. Thomas Ptacek, a security expert, explains some of the secure password schemes and the precautions you can take to secure your machine from a remote attack based on rainbow tables.
