Passwords remain key to maintaining security in today's digital world, as the drive towards a paperless and possibly cashless society continues. Whether at home or at work, the number of hours spent online is increasing, whether shopping, banking or communicating with others professionally or socially. As a consequence, the number of times a user must authenticate has also mushroomed, placing even more reliance on the quality of the humble password.
CCC have frequently found password policies being deployed without any real understanding of the level of security they provide, or of what is in fact required for them to be effective. The view often taken is a belt-and-braces approach based purely on theory: the longer and more complex a password is, the more secure it should be. To a degree this is true, but taken too far it becomes counterproductive, because the complexity or the frequency of change makes passwords difficult to remember. Hence they get written down, or patterns begin to be used which, while complying with the policy, increase the risk of the password being guessed.
Examples of passwords using monthly patterns which would all be detected fairly quickly could be:
Consequently, employees by nature try to find other ways to circumvent policy. Password analysis can help prevent this by determining the levels of complexity and password lifetime actually needed for compliance.
“The definition of a good hack is that nobody knows it’s happened…”
And, having a weak password, could just be the reason…
Other areas where password analysis may be considered are:
- As part of a comprehensive review, or
- On a standalone basis, as a result of an investigation or incident
CCC can offer a variety of password analysis services, designed to meet individual requirements. For more information on password analysis, or to make a submission, please contact us.
The continuing evolution of decryption tools and techniques has meant that password decryption, or cracking, tools and methodologies have advanced significantly in recent years. This is primarily due to:
- The exploitation of GPU processors:
  - They considerably increase the number and complexity of hashes that can be tested in a reasonable amount of time.
  - At the same time, they reduce the cost of equipment.
- The use of distributed systems for testing:
  - Increasing processing power still further.
- Key space manipulation:
  - Allowing for multiple types of attack to be undertaken, while prioritising the more likely passwords.
  - Combining words or parts of words with random sequential characters and ranking the results ahead of sequential lists running through an arbitrary character set.
These types of attack include:
- Hybrid – Combining dictionary with rules
Brute-force attacks are left until last, to be tried only if none of the others succeed.
Set out below is a random sample of passwords decrypted during a recent exercise, using a standard rig with a bespoke character set.
These passwords had been created automatically by a poorly constructed password generator, which it can only be assumed was not tested or subjected to any form of validation. The passwords created are obviously difficult to memorise and therefore difficult to use effectively. Consequently, they are counterproductive and present additional risk.
Tools and Techniques
For this reason, CCC have developed a series of in-house applications and approaches, aimed at testing and evaluating passwords and their policy.
A wide range of algorithms are available for testing, some of the more common include:
- MS Office*
For a complete list of available algorithms, please call +44 (0) 1529 306284 or email firstname.lastname@example.org
Once set up, our programs and processes are designed to undertake tests automatically on a client-specific basis, increasing in degree of difficulty so as to determine definitive breakpoints. Sequencing and testing can be modified to cater for any additional or specific needs.
Testing can also be undertaken blind, where no target-specific information is applied, or with information harvested from a variety of sources used as seed material, replicating the steps an attacker would typically undertake.
At the conclusion of testing, a report would be provided, and any hashes or passwords decrypted are ‘wiped’ from all systems using ‘DoD 5220.22-m 7 pass’ standard tools.
CCC would be happy to comply with any confidentiality agreements that may be required.
Our expertise and experience uniquely combine electronic forensic skills with an understanding of corporate finance.
Asset Tracing – Audit – Computer Security – Digital Forensics – Due Diligence – eDiscovery – Fraud Investigation
Intelligence Gathering – Password Analysis – Penetration Testing – Wireless Security
Services underpinned with expertise and experience.