Print This Issue

One Step Ahead
October 20, 2009, Volume 56, No. 08

One Step Ahead

Another tip in a series provided by the Offices of Information Systems & Computing and Audit, Compliance & Privacy.

Password Cracking: The Pot of Gold at the End of the Rainbow

One of the “holy grails” coveted by hackers when they compromise a system is the file which contains the passwords for all the users on that system. The passwords are stored in encrypted form, of course, but if a hacker can decode or “crack” the encryption the reward is a valuable set of user credentials, especially if the system in question is a large, heavily used server. “Cracker’s Dictionaries” have been used for this purpose for several years, and these typically are pre-compiled lists of more than one million potential passwords comprising not only all known English words (including proper nouns), but also variations used on them, e.g. “crooked” and “cr00k3d”.

In recent years, however, hackers have also made extensive use of “rainbow tables,” a sort of “reverse dictionary” which contains the encrypted values for all possible passwords of a given length, indexed to their associated passwords. It sounds unbeatable, but there *are* limitations. Rather than mere hundreds of thousands of entries, “rainbow tables” will sometimes contain entries numbering into 25 digits or more (septillions), and this requires enormous amounts of memory and disk space to make use of. Also, many computer systems “salt” their password files with special added data that diminish the effectiveness of these attacks, though some systems (especially older Windows systems) have been shown to be vulnerable. One researcher, using a widely available “rainbow” tool, reported cracking a Windows password “Fgpyyih804423” in less than three minutes!

Most cracking dictionaries and rainbow tables tend to discount or overlook the use of “special characters” in passwords (those produced using the ‘Shift’ key and the top row of the keyboard - !, @, #, $, etc.), so using one or more of these when selecting a password is good protection against its being “cracked.”


To receive OneStepAhead  tips via email, send email to listserv@lists.upenn.edu with the following text in the body of the message:  sub one-step-ahead <your name>.

For additional tips, see the One Step Ahead link on the Information Security website: www.upenn.edu/computing/security/.

Almanac - October 20, 2009, Volume 56, No. 08