Password Cracking
Let's go out on a limb and say that your password is "scissors". While this might seem like a mighty fine password on the surface (I hope it doesn’t, but it might) – this password is extremely weak. Plain-text passwords are subject to several types of attack - most notably the "dictionary attack".

A dictionary attack is one in which a would-be attacker automates the password-guessing process using every word in the dictionary, and the dictionary definitely contains the word "scissors".

Now, what if your password were the word "Scissors" (with a capital "S")? This combination is not included in my password list. Why? Think about it. I cannot include every combination of the word scissors in my list or it would be HUGE, easily several hundred thousand times larger than its current size.

Your password could be:
  • "scissors"
  • "Scissors"
  • "Sci$$ors"
  • "scissor$"
  • "scis$ors!"
  • "Sc|ssors"
  • "Sciss0rs?"
  • "S(iss0rs?"
…and this list goes on and on and on for just the word "scissors"!!

So you might be thinking: How do we probe for a password which is not in the dictionary if we can't just build a list of every possible combination? Well, this is where permutations come in - and the short of it is that we will need some manner of program. This way we can load a word from the list into memory and try to log in with it. If the log-in fails, instead of simply moving on to the next word we will "mutate" the word a bit. We'll try adding a question mark to the end. Did that password work? No? What about replacing all of the S's in the word with dollar signs? ...I'm sure you get the gist.

Given a method, a password list and time, the possibilities are limitless. Check out SQLPWAudit for a pre-baked solution for password auditing and recovery.
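The same mutation idea turned around for auditing, as an added example that is not code from the original page or from SQLPWAudit: when a password is set, check whether it is only a dictionary word with the substitutions and suffixes described above. The substitution table, the suffix limit and the three-word list are assumptions chosen for illustration.

```python
# Reverse map of common character substitutions (assumed, not exhaustive).
# Each symbol maps to the letter or letters it usually stands in for.
UNSUBSTITUTE = {
    "$": "s", "5": "s", "0": "o", "|": "il", "1": "il", "!": "i",
    "(": "c", "@": "a", "4": "a", "3": "e", "7": "t",
}
MAX_SUFFIX = 3  # trailing symbols/digits treated as padding (assumption)

# Constructed sample data: a tiny word list and the variants listed on the page.
WORDS = ["scissors", "password", "dragon"]
PAGE_VARIANTS = ["scissors", "Scissors", "Sci$$ors", "scissor$",
                 "scis$ors!", "Sc|ssors", "Sciss0rs?", "S(iss0rs?"]


def matches(stem, word):
    """True if every character of stem is the word's letter or a stand-in for it."""
    return len(stem) == len(word) and all(
        w in UNSUBSTITUTE.get(s, s) for s, w in zip(stem, word))


def find_base_word(password, words):
    """Return the dictionary word the password is derived from, or None.

    Case is ignored, up to MAX_SUFFIX trailing non-letters are ignored, and
    symbols are compared per position, so ambiguous symbols such as '|'
    (i or l) never cause a combinatorial blow-up.
    """
    lowered = password.lower()
    for cut in range(min(MAX_SUFFIX, len(lowered)) + 1):
        stem = lowered[:len(lowered) - cut]
        suffix = lowered[len(stem):]
        # Only symbols and digits count as padding, never letters.
        if not stem or any(ch.isalpha() for ch in suffix):
            break
        for word in words:
            if matches(stem, word):
                return word
    return None


if __name__ == "__main__":
    for candidate in PAGE_VARIANTS + ["P@55w0rd123", "correct horse battery"]:
        base = find_base_word(candidate, WORDS)
        verdict = f"rejected, derived from '{base}'" if base else "accepted"
        print(f"{candidate!r}: {verdict}")
```

Every variant of "scissors" listed above is rejected by this check, which is why such substitutions add little strength against a mutating dictionary attack.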

Be sure to grab the most up-to-date version of my password list here:




Tags:
 Auditing    Cracking    Lists    Passwords  

Created by Josh Patterson on 2/8/2013, last modified by Josh Patterson on 2/8/2013

Copyright © 2017 NetworkDLS.
All rights reserved.
 