Password Guessing

Password Guessing

by B. Michael Hale


Passwords, passphrases and security codes are used in virtually every interaction between users and information systems, [1]. Unfortunately, with such a central role in security, easily guessed passwords are often the weakest link. They grant attackers access to system resources; and bring them significantly closer to being able to access other accounts, nearby machines, and perhaps even administrative privileges, [1]. The purpose of this research is to introduce the concept and methodology, follow it by some real-life examples, and scare organizations into implementing stronger password policies.

Password Guessing

Passwords are sequences of symbols usually associated with a user name. The combination provides a mechanism for identification and authentication of a particular user. If all was right with the world, they would be more or less unique and grant privileges only to the account's owner (or other intended user). Alas, the world is not all right. Attackers have several venues of guessing passwords and overcoming this obstacle.

Fairly low on the difficulty scale, we have attacks against default passwords. These are established by the vendor and built into many applications and operating systems, allowing attackers an almost effortless point of entry. The vulnerability exists because overworked, uninformed, or lazy administrators fail to change them; and crackers maintain large databases. Exploits of this nature are easy to implement and either succeed or fail within a matter of seconds (or probably longer if the target device must be identified first). For an example database of default passwords see [3] [4] and [5].

A dictionary-based attack usually consists of parsing a word file, encrypting or hashing that word (according to a particular algorithm), and comparing the result to the encrypted or hashed password from the victim machine. If the comparison matches, we have the original password. Of course, this could be far more difficult if we do not know the correct algorithm or do not have access to the encrypted system file. We can also use this attack to login to network services. By examining the server's response (i.e. the text string "Password Incorrect" or "Successful Login") to each argument we send, we can determine which accounts are vulnerable to dictionary-based attacks. Duration and probability of success vary depending on a system's processing efficiency and quality of the dictionary file, though attacks with small dictionaries often have success rates near 20%, [11].

We also have hybrid attacks, which append, prepend, or insert numerical (0-9) and special (!@#$%*, etc.) characters to dictionary terms. Passwords guessed at this level might be something like "129good45guess" or "pa55w0rd." Finally, the most complex and time consuming method is implementing brute force. With this attack we can expect every possible keystroke character in every possible sequence to be tried until the correct combination (and order) is chosen. It is not abnormal for a brute force attack against an NT (MD4) Hash, MD5 Hash, or algorithm of similar strength to last for weeks, months, or even years. Mathematically, an 8-symbol passwords chosen uniformly and at random from an alphabet of 100 symbols would require 5 quadrillion guesses, [10].

Though the terminology of each mode may differ (i.e. brute-force in L0phtcrack is equivalent to incremental mode in John the Ripper), the concepts remain the same. Advanced programs also allow user-specified character sets and customized functions for generating password guesses. Furthermore, if an attacker is educated in a user's interests, hobbies, family names, and other personal information, they may build on the dictionary file with such terms.

How Vulnerabilities Originate

We've already discussed the impact that default passwords have on a system's security. Additionally, on almost all machines, the users themselves choose the passwords. This places the burden of security on end users who either do not know, or, sometimes do not care about sound security practices, [2]. Possible reasons include ignorance, carelessness, and inconvenience. As a general rule, passwords that are simple to remember, are, likewise, easy to guess. We can also expect many users to use the same password for more than one account on possibly more than one system (what could be more convenient than only having to remember one password?).

A system's cryptographic protocol also plays a roll in security (or lack thereof). For instance, Unix machines might rely on crypt, a one-way hashing algorithm based on a modified DES algorithm, to transform passwords into ciphertext, [14]. Since crypt, algorithms such as MD5 were found to provide a more secure and attack-resistant representation of passwords; yet many systems have not upgraded.

Likewise, Windows machines are troubled by something similar. By default, several versions of Windows store two representations of each password on the local disk, [1]. One of these representations (the LM hash) is simply for backward compatibility with older, less sophistcated machines. The LM passwords are extremely weak compared to the stronger representation (the NT hash) and they can be guessed by force in a very short amount of time, [1].

Specific Tools and Exploits

Summary, Conclusions, and Further Work

The SANS Institute ranked weak or nonexistent passwords the third (Windows) and fourth (Unix) most critical Internet security vulnerabilities, [1]. If ever an ounce of prevention was worth a pound of cure - this is it. From a technical point of view, defending against password attacks is very simple: declare and enforce policies with complexity and length requirements, minimum and maximum password ages, and strong cryptography. For a full list of recommendations see [1]. Keep in mind that passwords can also be acquired via scavenging (dumpster diving), social engineering, coercion, and even the simplest form of password guessing - the educated guess.


[1] The SANS Institute Top Twenty Most Critical Internet Security Vulnerabilities, October 2003. [This document provides an ordered list of the top 10 vulnerabilities on both Windows and Unix based systems].

[2] Skoudis, Ed. Couter Hack. New Jersey: Prentice-Hall, Inc., 2002. [This text provides a step-by-step guide to computer attacks and effective defenses].

[3] A default password list available on the Internet.

[4] A default password list available on the Internet.

[5] A default password list available on the Internet.

[6] L0phtcrack [This link displays documentation for the award-winning password auditing and recovery application, LC4].

[7] John the Ripper [This is the homepage for JtR project].

[8] Crack [This is the homepage for Alec Muffet's Crack program].

[9] Northcutt, Steven, Mark Cooper, Matt Fearnow, and Karen Frederick. Intrusion Signatures and Analysis. Indiana: New Riders Publishing, 2001. [This text is part of the SANS GIAC series and provides in depth attack descriptions, mechanisms, network traces, and defense recommendations].

[10] The Security Database at Attack #32 Password Guessing [This is a database of threats, attacks, and defenses maintained by Fred Cohen].

[11] Cheswick, William R., Steven M. Bellovin, and Aviel D. Ruben. Firewalls and Internet Security, 2nd Edition: Repelling the Wily Hacker. Boston: Addision-Wesley, 2003. [This text introduces the philosophy of Internet security, dissects possible attacks on hosts and networks, and describes the tools and technques used to perpetrate - and prevent - such attacks].

[12] Denning, Dorothy E and Peter J. Denning. Internet Besieged - Countering Cyberspace Scofflaws. Boston: ACM Press, 1988. [This text describes in-depth several break-ins on the Internet, assualts on privacy, and thefts of information].

[13] The Computer Emergency and Response Team (CERT) Vulnerability Note VU#565052 [This link describes the weakness in SSH and the RC4 algorithm that allows attackers to capture and exploit system passwords].

[14] Unix man pages for crypt, available by typing 'man crypt' into a Unix terminal.