To demonstrate how easily passwords can be cracked, I decided to post this lab for reference.
Here is a lab exercise in cracking passwords. This is from a class I took over the summer. (I got an A in this class.)
Cracking Passwords – Lab Exercise 6-1
Excelsior College: Class: IT-402: Network Security
Assignment: Lab Exercise 6-1, Carr, Bailey, Snyder (2010), The Management of Network Security
“On a computer, choose a dictionary-based password. Get a cracking program (LC4 in Windows) and see how long it takes to crack it. Now make a stronger password and try cracking. Continue increasing the strength of the password until the cracking program takes 5 minutes with no success.” (Carr, Bailey, Snyder, © 2010)
- Use a password cracking program to crack a dictionary password.
- Explain the security problems associated with weak dictionary passwords.
Summary of experience with the password cracking program:
I was impressed with how easily accessible the hacker-cracker tools can be on the internet. I downloaded Cain and Abel. I tried to use it with the included word dictionary on a Windows-7 Pro system with some success. I believe Windows-7 does provide better security than XP. It was a good lesson to see how much more security an 8+ character password provides. 7 characters lasted hours, 8-9 characters can be days, and then it goes up from there. Not using dictionary words, in an age when for $30 you can buy a huge dictionary file and easily crack dictionary words, speaks for itself, plus the availability of huge rainbow tables too.
What I learned about the efficiency of cracking a dictionary password, and why strong passwords should be used at all times.
Ultimately this lab, and the class in general, combined with recent events, really brings home how we have to constantly be aware, and that security continues to get worse before it gets better. I really shudder when I realize how most people do not realize the great risk they are in, even as their friends and associates get picked off by the bad guys, one by one.
Going forward it’s hammered in my brain: 10-12+ character passwords of phrases, numbers, and special characters. 2-factor authentication when possible!
Download Cain and Abel:
Needed to download WinPcap Library
Cain and Abel is installed
Created BadUser account and assigned the secret password!
Cain and Abel reading local password account
Adding the included wordlist
I was not able to change the local machine password policy to be less than 7 characters for some reason, even with run-as administrator. With the “BadUser” account we were trying the password “contino”, which was in the included word list; however, Windows-7 Pro must be fairly secure because it did not crack the password.
With Brute Force it would take a long time! (With 15 characters)
I set a 7 character password of abcde12 for the BadUser account, and Cain’s estimate came down to 2.3 hours from the big number of years listed above! Eventually this second password attack also failed. I didn’t have an XP box to try it out on, but I think this says a lot about better Windows-7 Security with Address Layout Randomization techniques, DEP, and better protection of the password hashes. Interestingly, going from a 7 digit password guess to an 8 space password increased guess time by 2-3 days from 2-3 hours.
Changing plain text settings for Cain and Abel resulted in a crack! It took a few hours:
(The hacking moral: if at first you do not crack, try another config.) Some of these guys literally have nothing better to do than make cracking someone their life mission. It’s interesting that even a crappy Windows-7 password does not crack immediately.
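The two effects seen in the lab, dictionary words and password length, can be checked from the defender's side. This is an added example, not part of the original lab write-up or of any tool it mentions: a small password audit in Python. The wordlist, the guess rate and the function names are constructed assumptions; the 10-character minimum follows the write-up's own recommendation.

```python
import string

# Constructed sample wordlist; a real audit would load a full dictionary file.
WORDLIST = {"contino", "password", "summer", "secret"}
# Assumed offline guess rate (guesses/second); hypothetical, not measured in the lab.
GUESSES_PER_SECOND = 1e7
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def charset_size(password):
    """Alphabet size an exhaustive search must cover to reach this password."""
    size = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    # Characters outside the four ASCII classes (e.g. a space) each add one symbol.
    return size + len({ch for ch in password if not any(ch in c for c in CLASSES)})

def keyspace(password):
    """Number of candidates of exactly this length over that alphabet."""
    return charset_size(password) ** len(password)

def worst_case_seconds(password, rate=GUESSES_PER_SECOND):
    """Time to exhaust the keyspace at the assumed guess rate."""
    return keyspace(password) / rate

def is_dictionary_based(password, wordlist=WORDLIST):
    """True if the password is a listed word once case and digits/symbols
    at either end are ignored (e.g. 'Contino99!' reduces to 'contino')."""
    core = password.lower().strip(string.digits + string.punctuation)
    return core in wordlist

def assess(password, min_length=10):
    """Return policy findings; an empty list means the password passes."""
    findings = []
    if len(password) < min_length:
        findings.append("too short")
    if is_dictionary_based(password):
        findings.append("dictionary word")
    return findings

if __name__ == "__main__":
    for pw in ("contino", "Contino99!", "abcde12", "abcde123",
               "blue-Kettle 42 sings!"):
        hours = worst_case_seconds(pw) / 3600
        print(f"{pw!r:26} brute force <= {hours:.3g} h  findings: {assess(pw)}")
```

The brute-force figure is an upper bound for exhaustive search only; a password flagged as a dictionary word falls to a wordlist long before that bound matters. Each added character multiplies the bound by the alphabet size, which is why one extra character moves the estimate from hours to days.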
Carr, Houston, H., Bailey, Bliss, N., Snyder, Charles, A. (© 2010). The Management of Network Security, New York: Prentice Hall.