Let's take a closer look to see what might have happened. Before doing that, we need to understand a little about how password crackers work.
Some common password cracking tools are John the Ripper, Brutus, Cain and Abel, and LC 5 (formerly L0phtcrack). However, these tools don't run in isolation, or indiscriminately grab passwords out of thin air. They run against the hashed password files that both Windows and Unix systems use to store passwords. These files hold a user ID and password pair for every account on the workstation, but the passwords are stored as one-way hashes rather than in clear text.
These hashes are called one-way because they can't be reversed to recover the original password. Cracking tools take words from lists – some from dictionaries, others from commonly known and used passwords – hash each one, and compare the result with the hashes in the system password file. In other words, cracking tools don't actually break passwords themselves; they hash candidate passwords and look for a match against the stored hashes.
Crackers can be used remotely, installed directly onto a desktop or run off a disk inserted into the workstation. Either way, they need access to the password hash file sitting on your machine. The following are two ways to protect yourself from this in the future:
- Strengthen your passwords. The word lists used by cracking tools consist of words from dictionaries and common everyday words. An attacker can easily find these lists on the Web and install them with the cracker. If you have an unintelligible password, it makes it that much harder – and slower – for a cracker to defeat. That could be the difference between getting into your machine, or not.
Here are some tips for strong passwords:
- Make sure your password is at least six, preferably eight, characters long.
- Don't use words that can be obtained from a dictionary, or any common name, such as those of your children, spouse or pets (remember what happened to Paris Hilton?).
- Use an unintelligible combination of letters, both upper and lower case, and numbers. A password like "mycatsname25" can be easily broken, however, "nG67kLr42" might not be.
- Expire passwords on a frequent basis, preferably every 60 or 90 days.
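The hash-and-compare mechanism described above, together with the strength tips, as an added example that is not part of the original column. The password file, wordlist and the unsalted SHA-256 hashing are all constructed for illustration; real systems use salted, slow hashes, and this audit only shows which accounts would fall to a wordlist.

```python
import hashlib

def hash_password(password: str) -> str:
    """Unsalted SHA-256, chosen only to keep the mechanism visible (constructed)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

# Constructed sample "password file": user ID -> one-way hash, never the password.
PASSWORD_FILE = {
    "alice": hash_password("mycatsname25"),  # dictionary word plus digits
    "bob": hash_password("nG67kLr42"),       # not built from any list word
}

# Constructed wordlist of the kind cracking tools load.
WORDLIST = ["password", "letmein", "mycatsname", "fluffy", "summer"]

def candidates(wordlist, max_suffix=99):
    """Each word as-is, then with a short numeric suffix appended."""
    for word in wordlist:
        yield word
        for n in range(max_suffix + 1):
            yield f"{word}{n}"

def audit_password_file(password_file, wordlist):
    """Return {user: matched_password} for accounts whose stored hash equals the
    hash of some candidate. Nothing is decrypted: guesses are hashed and compared."""
    by_hash = {}
    for user, digest in password_file.items():
        by_hash.setdefault(digest, []).append(user)
    found = {}
    for guess in candidates(wordlist):
        for user in by_hash.get(hash_password(guess), []):
            found[user] = guess
    return found

def is_strong(password: str, wordlist) -> bool:
    """Policy check mirroring the tips: >= 8 chars, upper + lower + digit,
    and no wordlist word as the base once trailing digits are stripped."""
    if len(password) < 8:
        return False
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_upper and has_lower and has_digit):
        return False
    base = password.rstrip("0123456789").lower()
    return base not in {w.lower() for w in wordlist}

if __name__ == "__main__":
    print(audit_password_file(PASSWORD_FILE, WORDLIST))  # {'alice': 'mycatsname25'}
    print(is_strong("mycatsname25", WORDLIST), is_strong("nG67kLr42", WORDLIST))  # False True
```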
Related Q&A from Joel Dubin