Let's take a closer look to see what might have happened. Before doing that, we need to understand a little about how password crackers work.
Some common password cracking tools are John the Ripper, Brutus, Cain and Abel, and LC 5 (formerly L0phtcrack). However, these tools don't run in isolation, or indiscriminately grab passwords out of thin air. They run against the hashed password files that both Windows and Unix systems use to store passwords. These files contain a user ID and password pair for every account on the workstation, but the passwords are stored as one-way hashes rather than in the clear.
These hashes are called one-way because they can't be reversed to recover the password. Cracking tools take words from lists – some from dictionaries, others from commonly known and used passwords – hash each one, and compare the result with the hashes in the system password file. In other words, cracking tools don't actually break passwords themselves; they hash candidate passwords and look for a match.
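The hash-and-compare loop described above, as an added illustration that is not code from the article or from any of the tools it names. It uses a constructed two-user "password file" of unsalted SHA-256 hashes and a constructed five-word list with the usual "append digits" mangling rule; real Windows and Unix hash formats differ, but the mechanism is the same. The weak password from the article's own example falls out of the list, and the strong one does not.

```python
import hashlib


def hash_password(password: str) -> str:
    """Unsalted SHA-256, standing in for the system's own hash format (assumption)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed sample password file: user ID paired with a hash, never the password.
PASSWORD_FILE = {
    "alice": hash_password("mycatsname25"),  # dictionary words plus two digits
    "bob": hash_password("nG67kLr42"),       # the article's strong example
}

# Constructed wordlist: a few dictionary words and common passwords.
WORDLIST = ["password", "letmein", "mycatsname", "fluffy", "qwerty"]


def candidates(wordlist):
    """Each base word, then the word with 0..99 appended (a typical mangling rule)."""
    for word in wordlist:
        yield word
        for n in range(100):
            yield f"{word}{n}"


def dictionary_crack(password_file, wordlist):
    """Hash every candidate and compare against the stored hashes.

    Returns (found, tried): the users whose hash matched a candidate, and how
    many candidates were hashed. Nothing is decrypted; only matches are found.
    """
    # Invert the file so a single hash lookup covers every user at once. This
    # shortcut only works because the hashes are unsalted, which is exactly why
    # modern systems add a per-user salt to the hash.
    by_hash = {}
    for user, digest in password_file.items():
        by_hash.setdefault(digest, []).append(user)

    found = {}
    tried = 0
    for cand in candidates(wordlist):
        tried += 1
        for user in by_hash.get(hash_password(cand), []):
            found[user] = cand
    return found, tried


if __name__ == "__main__":
    found, tried = dictionary_crack(PASSWORD_FILE, WORDLIST)
    print(f"tried {tried} candidates, recovered {found}")
    for user in PASSWORD_FILE:
        print(user, "cracked" if user in found else "survived the wordlist")
```

Run as a script it reports that alice's password was recovered after 505 candidates and bob's was not: "nG67kLr42" is in no wordlist, so the tool would have to fall back to brute force over every combination of letters and digits, which is the slowdown the article's advice relies on.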
Crackers can be used remotely, installed directly onto a desktop or run off a disk inserted into the workstation. Either way, they need access to the password hash file sitting on your machine. The following are two ways to protect yourself from this in the future:
- Strengthen your passwords. The word lists used by cracking tools consist of words from dictionaries and common everyday words. An attacker can easily find these lists on the Web and install them with the cracker. If you have an unintelligible password, it makes it that much harder – and slower – for a cracker to defeat. That could be the difference between getting into your machine, or not.
- Here are some tips for strong passwords:
  - Make sure your password is at least six, preferably eight, characters long.
  - Don't use words that can be obtained from a dictionary, or any common name, such as those of your children, spouse or pets (remember what happened to Paris Hilton?).
  - Use an unintelligible combination of letters, both upper and lower case, and numbers. A password like "mycatsname25" can be broken easily; "nG67kLr42" might not be.
  - Expire passwords on a frequent basis, preferably every 60 or 90 days.
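The tips above as a password-acceptance check, added here as an example and not code from the article. It applies the preferred eight-character minimum, requires upper and lower case letters plus digits, and rejects passwords that are a dictionary word or a run of dictionary words once leading or trailing digits are stripped (the cases a wordlist with mangling rules reaches). The dictionary is a constructed handful of words standing in for a real list; the expiry tip is an administrative setting and is not modelled.

```python
import re

# Constructed stand-in for a cracking wordlist; real lists hold millions of entries.
DICTIONARY = {"password", "letmein", "mycatsname", "my", "cat", "cats",
              "name", "fluffy", "paris", "qwerty"}

MIN_LENGTH = 8  # the article's preferred length (six is the floor it allows)


def _segmentable(s: str, dictionary) -> bool:
    """True if s can be split entirely into dictionary words, e.g. my+cats+name."""
    if s == "":
        return True
    for i in range(len(s), 0, -1):
        if s[:i] in dictionary and _segmentable(s[i:], dictionary):
            return True
    return False


def dictionary_based(password: str, dictionary=DICTIONARY) -> bool:
    """True if the password, minus any leading/trailing digits, is built from
    dictionary words. Case is ignored, as a cracker's rules would."""
    core = re.sub(r"^\d+|\d+$", "", password.lower())
    if not core:
        return False  # all digits; the variety rule rejects that separately
    return core in dictionary or _segmentable(core, dictionary)


def check_password(password: str, dictionary=DICTIONARY) -> list:
    """Return the list of tips the password violates; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if dictionary_based(password, dictionary):
        problems.append("made of dictionary words (digits on the end do not help)")
    has_variety = (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)
                   and re.search(r"\d", password))
    if not has_variety:
        problems.append("needs upper case, lower case and digits")
    return problems


if __name__ == "__main__":
    for pw in ["mycatsname25", "nG67kLr42", "fluffy"]:
        verdict = check_password(pw)
        print(pw, "-> OK" if not verdict else "-> " + "; ".join(verdict))
```

The article's own two examples come out as intended: "mycatsname25" is rejected because "my", "cats" and "name" are all dictionary words and it has no upper case letter, while "nG67kLr42" passes every check. The segmentation step matters because a cracker's wordlist plus mangling rules covers concatenations of common words, not just single entries.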
This was first published in December 2005