Tel: +44(0)1529 306284

Password Analysis

Passwords

Passwords, their strength and their life expectancy are key to maintaining data security. They are used for a variety of purposes, whether logging on to a system or network or securing a document.

When undertaking an IT security review, whether as part of a compliance exercise or an incident, password auditing is a task where assumptions are often made when trying to establish compliance with policy.

Assumptions can relate to:

  1. Complexity
  2. Life expectancy
  3. Ease of use.

We often find that companies and individuals believe they use secure passwords simply because of their length and because they contain a combination of uppercase, lowercase, numbers and special characters. Unfortunately, this may not be the case.

Examples of decrypted passwords

However, password cracking tools and techniques have also evolved. This is primarily due to the utilisation of GPUs and key space manipulation. The ability to use GPUs for testing passwords allows for a significant increase in the number of passwords that can be tested within a given time frame, thereby reducing the time it takes to test all possible combinations.

Techniques have also been developed that allow for the manipulation of the ‘key space’. This allows words or parts of words to be prioritised and combined into the ‘key space’ for testing, again effectively reducing the time taken to test combinations.

The definition of a good hack is, “nobody knows it’s happened.” Cracking that password could be the reason…

By way of example, below is a random sample of passwords decrypted during a recent exercise undertaken in a 24-hour period using what would be described as a standard rig.

  • m@K&\\_\\&KR0s
  • @!M@n0r25
  • er368103#arbor@>Du
  • [eqcjcfkbrjv,fqy`hs
  • t11n27l8467c3bc6cc59f6168313233343536373839
  • qazxswedcvfrtgbnhyujm,kiol./;p
  • astıronomi
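
The gap between a composition rule and real strength can be checked directly. The following is an added example, not code from this page or its author: a Python check that flags passwords built from runs of neighbouring keys on a US QWERTY layout. The simplified key grid, the 0.7 threshold and the samples `1qaz@WSX3edc` and `Tr4il#Humid9Lake` are assumptions constructed for illustration; the long lowercase sample is taken from the list above.

```python
import string

# US QWERTY rows on a simplified grid (physical key stagger is ignored).
ROWS = ["1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]
POS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}
# Map shifted symbols back to their base key, e.g. '@' -> '2'.
UNSHIFT = dict(zip('!@#$%^&*()_+{}:"<>?', "1234567890-=[];',./"))

def key_of(ch):
    """Grid position of the physical key that types ch, or None if unknown."""
    return POS.get(UNSHIFT.get(ch, ch.lower()))

def meets_complexity(pw, min_len=8):
    """The classic composition rule: length plus four character classes."""
    return (len(pw) >= min_len
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))

def walk_fraction(pw):
    """Fraction of consecutive character pairs typed on neighbouring keys."""
    keys = [key_of(c) for c in pw]
    pairs = list(zip(keys, keys[1:]))
    if not pairs:
        return 0.0
    near = sum(1 for a, b in pairs
               if a and b and a != b
               and abs(a[0] - b[0]) <= 1 and abs(a[1] - b[1]) <= 1)
    return near / len(pairs)

def audit(pw, threshold=0.7):
    """Return (passes_composition_rule, looks_like_keyboard_walk)."""
    return meets_complexity(pw), walk_fraction(pw) >= threshold

if __name__ == "__main__":
    samples = [
        "1qaz@WSX3edc",                    # constructed: passes the rule
        "qazxswedcvfrtgbnhyujm,kiol./;p",  # from the list on this page
        "Tr4il#Humid9Lake",                # constructed: no key pattern
    ]
    for pw in samples:
        ok, walk = audit(pw)
        print(f"{pw!r}: complexity={ok} keyboard_walk={walk} "
              f"fraction={walk_fraction(pw):.2f}")
```

A password that returns `(True, True)` satisfies the composition policy while still being a predictable key pattern, which is the assumption the audit is meant to expose.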

We have developed a series of tools and methodologies designed to test passwords created using a wide variety of algorithms, including WPA, WPA2, NTLM, MD5, SHA1. As a result, our processes have been designed to automatically undertake a variety of tests in sequence, increasing in complexity and strength. Furthermore, sequencing can be modified to cater for an organisation’s particular needs.

Tests can be undertaken either as a blind test, where no target-specific information is applied, or with target-specific information that is provided or harvested from open sources and then used to form the basis of seed data for testing. The latter replicates typical attacker methodologies.

Any hashes provided by the client are ‘wiped’ from the test environment using ‘DoD 5220.22-m 7 pass’ standard tools. After testing, a report together with any recommendations would be provided.

For more information on the password auditing service we are able to provide, Tel: +44 (0) 1529 306284 or Email: contact@ccc-ltd.com