I think someone has used a 'password cracker' to access my e-mail account. Is this possible? My computer is not connected to a network, so access would have been through a remote computer. If this is possible, can you please tell me what I can do to prevent this from occurring again?


If your computer isn't connected to a network, it's unlikely someone stole the user ID and password to your e-mail account using a password cracking tool remotely. Your initial assumption is correct, but that doesn't mean the attacker couldn't have installed the cracker, as you correctly call it, locally right on your machine.

Let's take a closer look to see what might have happened. Before doing that, we need to understand a little about how password crackers work.

Some common password cracking tools are John the Ripper, Brutus, Cain and Abel, and LC 5 (formerly L0phtcrack). However, these tools don't run in isolation, or indiscriminately grab passwords out of thin air. They run against the hashed password files used by both Windows and Unix systems for storing passwords. These files contain the pairs of user IDs and passwords, but with the passwords encrypted in one-way hashes, for users with accounts on the workstation.

These hashes are called one-way, because they can't be decrypted. Cracking tools convert words from lists – some from dictionaries, others from commonly known and used passwords – into hashes and compare them with the hashes in the system password file. In other words, cracking tools don't actually break passwords themselves, they compare hashes of encrypted possible passwords.

Crackers can be used remotely, installed directly onto a desktop or run off a disk inserted into the workstation. Either way, they need access to the password hash file sitting on your machine. The following are two ways to protect yourself from this in the future:

  1. Strengthen your passwords. The word lists used by cracking tools consist of words from dictionaries and common everyday words. An attacker can easily find these lists on the Web and install them with the cracker. If you have an unintelligible password, it makes it that much harder – and slower – for a cracker to defeat. That could be the difference between getting into your machine, or not.

     Here are some tips for strong passwords:

     • Make sure your password is at least six, preferably eight, characters long.
     • Don't use words that can be obtained from a dictionary, or any common name, such as those of your children, spouse or pets (remember what happened to Paris Hilton?).
     • Use an unintelligible combination of letters, both upper and lower case, and numbers. A password like "mycatsname25" can be easily broken, however, "nG67kLr42" might not be.
     • Expire passwords on a frequent basis, preferably every 60 or 90 days.

  2. Improve the physical security for access to your machine. Chapter 5 of my book, The Little Black Book of Computer Security, has tips for physically securing your system from intruders, including those intent on installing password crackers.
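The following Python example is added here to illustrate two points from the answer above; it is not code from the original answer or its author. First, it shows what "one-way hash" means in practice: the stored value cannot be reversed, so a verifier (and, by the same mechanism, a cracking tool) can only re-hash a candidate and compare. Second, it implements the strong-password tips as a small policy checker. The word list, the 8-character minimum, the PBKDF2 iteration count and the two sample passwords from the answer are assumptions or constructed sample data, not values taken from any real system.

```python
import hashlib
import hmac
import os
import string
from typing import List, Optional, Tuple

# Constructed stand-in for the dictionary / common-password word lists the
# answer describes. A real list would be far larger; this is sample data only.
COMMON_WORDS = {"password", "letmein", "qwerty", "mycatsname", "fluffy", "paris"}

# Assumed work factor for the one-way hash (PBKDF2-HMAC-SHA256).
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Produce a one-way hash of `password` with a per-user random salt.

    The digest cannot be decrypted back into the password. Anyone who holds
    it, whether the login system or a cracking tool, can only hash guesses
    with the same salt and see whether the results match.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Re-hash the candidate and compare; this is the only way to 'check' a hash."""
    _, candidate_digest = hash_password(candidate, salt)
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate_digest, digest)


def password_problems(password: str, min_length: int = 8) -> List[str]:
    """Check a password against the tips in the answer.

    Returns the list of rules it fails; an empty list means it passes.
    """
    problems: List[str] = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    lowered = password.lower()
    # Strip leading/trailing digits so "mycatsname25" still counts as a
    # dictionary word with digits bolted on.
    core = lowered.strip(string.digits)
    if core in COMMON_WORDS or any(w in lowered for w in COMMON_WORDS if len(w) >= 5):
        problems.append("based on a dictionary word, name or common password")

    if not any(c.isupper() for c in password):
        problems.append("no upper-case letters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    return problems


if __name__ == "__main__":
    # The two sample passwords from the answer.
    for pw in ("mycatsname25", "nG67kLr42"):
        issues = password_problems(pw)
        print(f"{pw!r}: {'OK' if not issues else '; '.join(issues)}")

    salt, digest = hash_password("nG67kLr42")
    print("stored hash (hex):", digest.hex())
    print("correct password verifies:", verify_password("nG67kLr42", salt, digest))
    print("wrong password verifies:  ", verify_password("nG67kLr43", salt, digest))
```

Running the script reports that "mycatsname25" fails on the dictionary and upper-case rules while "nG67kLr42" passes, and that verification succeeds only when the exact password is re-hashed with the stored salt. The same re-hash-and-compare step is what makes a long, non-dictionary password slow to defeat: each guess costs the attacker one full hash computation, and a word list never contains it.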

This was first published in December 2005
