Password Security

LE DINH LONG (longld@vnSecurity.net - VISC Software Development and Consultancy Company)

Ensuring the security of your passwords with a password cracker

Many people believe that password-cracking programs can only be used by hackers or for illegal purposes. Not so. They can also be used to ensure that users have set good passwords.

Passwords - the foundation of computer security

Secure passwords are certainly the cornerstone of an effective security strategy. Passwords are meant to ensure that only valid users gain access to a system or network. Unfortunately, this is not always the case, because passwords are usually chosen by the computer's user.
The words, symbols or dates used to set a password are often drawn from the person's own life so that the password is easy to remember. This is the problem. Many users put convenience above security and therefore choose very simple passwords. That makes the password easy to recall at login, but it also makes it easy for a hacker to break. Hackers always look for the weakest link in a network, and clearly the simplest way in is to find a password that is easy to guess. The first line of defense thus becomes one of the weakest links.
System administrators are responsible for making sure that all users understand the need for secure passwords and maintain them. There are two requirements here. First, educate users about the importance of passwords and how to set a secure one. Second, have a way to evaluate whether the passwords users have set are actually effective. To meet the second requirement, the administrator has to find weak passwords quickly, before a hacker discovers them. To do so, administrators can use the same tools hackers often use: password crackers.

Password cracking

Word lists: As the name suggests, a password cracker is a tool for cracking, or finding, a password. Password-cracking programs use a variety of methods to do this. Some use "dictionaries": lists of words, phrases, or combinations of letters, numbers and symbols that users commonly choose as passwords. The program tries each entry in turn at high speed until one matches the password. In theory, if you try enough combinations and permutations, you will eventually find the string of characters that makes up the password. If the password matches an entry in the "dictionary", it is as good as broken.

Once the password has been cracked, the hacker can pose as the legitimate user and access any data that user is allowed to use. More dangerously, the hacker can "escalate the attack" from this foothold to take control of the entire network. Passwords are stored in encrypted (hashed) form so that they cannot be "seen" directly. To get past this barrier, the password cracker applies the same algorithm the system uses to encrypt passwords to each entry in its "dictionary", then compares the results with the stored values to find a match.

Brute forcing: While the "dictionary" method depends on speed and on a clever arrangement of words, the second method of password cracking relies entirely on computing power and repetition; it is called "brute forcing". A brute-force cracker is simple: it tries every possible combination and permutation of the available characters until one matches the password. This method is very powerful and will inevitably break any password eventually, but it is extremely slow because every possible character combination has to be tried. For example, even for a 3-character password the process has to work through combinations such as: aaa, aab, aac ... aaA, aaB, aaC ... aa0, aa1, aa2, aa3 ... aba, aca, ada ... Each combination is run through the appropriate encryption algorithm and compared with the stored password until a match is found.

As can be seen, brute forcing is rather slow compared with using a "dictionary". However, its thoroughness compensates for the limited speed. Brute forcing remains effective because it covers every combination of characters, including meaningless ones that are beyond the reach of the "dictionary" approach; dictionary-based programs, in other words, only compare passwords against combinations of known words and symbols.

Brute-force and word-list hybrids: Some password-cracking programs, like password crack, use a combination of the two. These programs combine the best of both methods and give high performance.
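The dictionary and hybrid methods described above, as an added Python example that is not from the original article: an audit routine of the kind an administrator runs over copies of their own stored hashes. The wordlist, the user records and the salted SHA-256 hashing are constructed for illustration; real systems use slower, purpose-built password hashes.

```python
import hashlib

# Constructed sample data: a tiny wordlist and four user records stored as
# (salt, salted SHA-256 hex digest), a stand-in for a real system's hash.
WORDLIST = ["password", "letmein", "dragon", "welcome"]

# Letter-for-symbol substitutions that a hybrid cracker also tries.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def hash_password(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()


USERS = {
    "alice": ("s1", hash_password("s1", "password")),      # bare dictionary word
    "bob":   ("s2", hash_password("s2", "Dragon99")),      # hybrid: word + digits
    "carol": ("s3", hash_password("s3", "W3lc0m3")),       # leet substitution
    "dave":  ("s4", hash_password("s4", "xj#9Qp!4LmZr")),  # random, should survive
}


def candidates(word: str):
    """Yield the variants a hybrid cracker tries for one wordlist entry:
    the word itself (dictionary method), case and leet variants, and each
    of those with a two-digit suffix appended (small brute-force component)."""
    bases = {word, word.capitalize(), word.upper()}
    bases |= {b.translate(LEET) for b in list(bases)}
    for base in sorted(bases):
        yield base
        for n in range(100):
            yield f"{base}{n}"


def audit(users, wordlist):
    """Return {user: recovered_password} for every account whose stored hash
    matches some candidate; accounts that survive are absent from the result."""
    found = {}
    for user, (salt, stored) in users.items():
        for word in wordlist:
            match = next((c for c in candidates(word)
                          if hash_password(salt, c) == stored), None)
            if match is not None:
                found[user] = match
                break
    return found


if __name__ == "__main__":
    for user, pw in audit(USERS, WORDLIST).items():
        print(f"{user}: weak password recovered ({pw!r}); ask for a change")
```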

How to set a highly secure password

System administrators and password protection. At this point, what has been presented may lead the reader to believe that password-cracking programs can only be used by hackers or for criminal purposes.

That is not the case: some of them can be used to ensure that users have set good passwords. System administrators can use password-cracking programs to check the security of users' passwords and then notify those who have set an insecure one. Some password-cracking programs can also send e-mails asking users to change their password immediately if it breaks too easily or too quickly. It should be noted that new users are not the only ones who undermine password security. System administrators may hold themselves to different password standards than other users. Having to remember many passwords, administrators often choose easy-to-remember ones for many applications, which obviously creates a chain of serious security vulnerabilities. In addition, administrators have the ability to bypass the tools that enforce password security if they choose convenience. Finally, administrators often take the fastest route when installing software or devices and leave them running with default passwords. This is such a common error that there are "repositories" on the Internet storing all the default passwords; they were originally intended to help administrators but seem to help hackers more.

Enhancing the security of passwords

What are unsafe passwords? Specifically, they are anything that can be found in dictionaries: simple words, predictable patterns, and strings made only of letters. For example, using a name as a password is not advisable.

Another weak point is the use of personally identifiable information such as birthdays, anniversaries or the names of relatives to set passwords so that they are easier to remember. Hackers can often gather personal information through "social engineering" and use it to crack passwords. Setting passwords with obscure words can prevent this risk.
It is important to have a password that is not an everyday word and uses varied characters, yet is still easy to remember. Users should combine letters (both lowercase and uppercase) with numbers and symbols when setting passwords. This can be done by mixing several character sets, including: uppercase letters (such as A, B, C, ... Z); lowercase letters (such as a, b, c, ... z); numbers (such as 0, 1, 2, 3, ... 9); special characters (such as $, #, ?, &); and control characters (such as μ, £ ...).

Secure passwords can be created by replacing simple letters with other characters so that the password is still easy to remember but no longer appears in a dictionary. For example, "Password" can be changed to "Pa55w0rd". However, this method is outdated: dictionaries have been built to deal with exactly this technique. Therefore, a user who wants to be safe is forced to use combinations of two or more unrelated words, made up of characters from the five groups mentioned above.
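A proactive check in the spirit of the advice above, added here as an example that is not from the original article: it counts the five character groups and rejects any password whose normalized form (case folded, leet substitutions reversed, trailing digits removed) is a dictionary word, so "Pa55w0rd" fails just as it would against a rule-aware dictionary. The sample dictionary, the 12-character minimum and the three-group minimum are assumptions.

```python
import re

# Constructed sample dictionary; a real check would load a full wordlist.
DICTIONARY = {"password", "welcome", "dragon", "letmein", "secret"}

# The five character groups named in the text, as regular expressions.
CLASSES = {
    "uppercase": r"[A-Z]",
    "lowercase": r"[a-z]",
    "digit":     r"[0-9]",
    "symbol":    r"[!-/:-@\[-`{-~]",   # ASCII punctuation such as $ # ? &
    "extended":  r"[^\x00-\x7f]",      # non-ASCII such as μ or £
}

# Reverse the common letter-for-symbol substitutions ("pa55w0rd" -> "password").
UNLEET = str.maketrans({"4": "a", "3": "e", "1": "i", "0": "o", "5": "s",
                        "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 12      # assumed policy value; the text gives no number
MIN_CLASSES = 3      # assumed policy value


def character_classes(password: str) -> set:
    return {name for name, pat in CLASSES.items() if re.search(pat, password)}


def normalized_forms(password: str) -> set:
    """The forms a cracker's rules would reduce the password to: lowercase,
    leet reversed, trailing digits stripped, in every order."""
    low = password.lower()
    strip = lambda s: re.sub(r"[0-9]+$", "", s)
    return {low, strip(low), low.translate(UNLEET),
            strip(low).translate(UNLEET), strip(low.translate(UNLEET))}


def check_password(password: str, dictionary=DICTIONARY):
    """Return (accepted, reasons); reasons is empty when the password is accepted."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_classes(password)) < MIN_CLASSES:
        reasons.append(f"uses fewer than {MIN_CLASSES} character groups")
    hits = normalized_forms(password) & dictionary
    if hits:
        reasons.append(f"reduces to a dictionary word: {sorted(hits)[0]!r}")
    return (not reasons, reasons)


if __name__ == "__main__":
    for pw in ["Pa55w0rd", "Dragon99", "blue!Kettle7orbit"]:
        print(pw, check_password(pw))
```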

Generating random passwords

A more reliable option is to use a random password generator to give the user a ready-made password. However, being random, these passwords are hard to remember, and in many cases the first thing a user does is write the password on a note and stick it to the front of the screen. That is a problem, because unauthorized people can then see the password. So again the solution is to create a password that is memorable but not so simple that it can be broken with a "dictionary". This is somewhat difficult, requiring both imagination and memory, but it is a vital step for computer security.

Changing passwords frequently

In addition to creating passwords that are hard to break, changing passwords frequently is equally important. It is essential if someone has cracked, or is trying to crack, your password. It is the administrator's responsibility to prompt users to do this on a regular basis. Another option is to use the operating system's password expiration feature to require users to set a new password after a period of use (usually 30 days). However, users often complain that complex passwords are hard to remember and do not follow the instructions. In that case the administrator can allow complex passwords to be kept longer before a change is required.

Passwords and security policy

Bad passwords that go undiscovered can lead to data being compromised. Your organization's security policy needs to address every aspect of password security. It should not only stress the absolute importance of secure, user-friendly passwords and of each user protecting their own password, but also spell out the steps the system administrator must take to keep the system secure when relying on password protection.