Password Hacking Posted by R@hUl | at 8:58 AM

Password Hacking
Password cracking is the process of recovering secret
passwords from data that has been stored in or
transmitted by a computer system. A common approach is
to repeatedly try guesses for the password.

Most passwords can be cracked by using following
techniques :

1) Hashing

Here we will refer to the one way function (which may
be either an encryption function or cryptographic hash)
employed as a hash and its output as a hashed password.

If a system uses a reversible function to obscure
stored passwords, exploiting that weakness can recover
even 'well-chosen' passwords.
One example is the LM hash that Microsoft Windows uses
by default to store user passwords that are less than
15 characters in length.
LM hash breaks the password into two 7-character fields
which are then hashed separately, allowing each half to
be attacked separately.

Hash functions like SHA-512, SHA-1, and MD5 are
considered impossible to invert when used correctly.


2) Guessing

Many passwords can be guessed either by humans or by
sophisticated cracking programs armed with dictionaries
(dictionary based) and the user's personal information.

Not surprisingly, many users choose weak passwords,
usually one related to themselves in some way. Repeated
research over some 40 years has demonstrated that around
40% of user-chosen passwords are readily guessable by
programs. Examples of insecure choices include:

* blank (none)
* the word "password", "passcode", "admin" and their
derivatives
* the user's name or login name
* the name of their significant other or another
person (loved one)
* their birthplace or date of birth
* a pet's name
* a dictionary word in any language
* automobile licence plate number
* a row of letters from a standard keyboard layout
(eg, the qwerty keyboard -- qwerty itself, asdf, or
qwertyuiop)
* a simple modification of one of the preceding,
such as suffixing a digit or reversing the order of the
letters.
and so on....

In one survery of MySpace passwords which had been
phished, 3.8 percent of passwords were a single word
found in a dictionary, and another 12 percent were
a word plus a final digit; two-thirds of the time that
digit was.

password containing both uppercase & lowercase
characters, numbers and special characters too; is a
strong password and can never be guessed.

3) Default Passwords :

Moderately high number of local and online applications
have inbuilt default passwords that have been configured by programmers during development stages of software. There are lots of applications running on the internet on which default passwords are enabled. So, it is quite easy for an attacker to enter default password and gain access to sensitive information. A list containing default passwords of some of the most popular applications is available on the internet.

Always disable or change the applications'
(both online and offline) default username-password
pairs.

4) Brute Force

All other techniques failed, then attackers uses brute
force password cracking technique. Here an automatic
tool is used which tries all possible combinations of
available keys on the keyboard. As soon as correct password is reached it displays on the screen.This techniques takes extremely long time to complete, but password will surely cracked.

Long is the password, large is the time taken to brute
force it.

5) Phishing

Is the most effective and easily executable password
cracking technique which is generally used to crack the
passwords of e-mail accounts, and all those accounts
where secret information or sensitive personal
information is stored by user such as social networking
websites, matrimonial websites, etc.

Phishing is a technique in which the attacker creates
the fake login screen and send it to the victim, hoping
that the victim gets fooled into entering the account
username and password. As soon as victim click on
"enter" or "login" login button this information reaches
to the attacker using scripts or online form processors
while the user(victim) is redirected to home page of
e-mail service provider.

Never give reply to the messages which are demanding
for your username-password, urging to be e-mail service
provider.

It is possible to try to obtain the passwords through
other different methods, such as social engineering,
wiretapping, keystroke logging, login spoofing, dumpster
diving, phishing, shoulder surfing, timing attack,
acoustic cryptanalysis, using a Trojan Horse or virus,
identity management system attacks
(such as abuse of Self-service password reset) and
compromising host security.

However, cracking usually designates a guessing attack.