Exp 4

experiment of cs

Uploaded by morkheri32
EXPERIMENT - 4

Aim: To study "How to make strong passwords" and "password cracking techniques".

5.0 Learning Objective


After going through this unit, you will be able to:
• Generate secure passwords
• Use a password manager to generate and store secure passwords
• Point out the features of different password managers

5.1 How to Generate Secure Password

5.1.1 Guideline for setting secure Password


Choosing a good password is something many people find difficult. So many things require
passwords these days that remembering them all is a real problem, and perhaps because of this a
lot of people choose their passwords very badly. The simple tips below are intended to help you
choose a good password.

Basics

• Use at least eight characters; longer is better. Most people find anything more than about
15 characters hard to remember, which is one reason to let a password manager remember it.
• Use a random mixture of characters: upper and lower case, numbers, punctuation, spaces
and symbols.
• Don't use a word found in a dictionary, English or foreign.
• Never use the same password for more than one account; a breach of one site then exposes
every other account that shares the password.

Things to avoid

• Don't just add a single digit or symbol before or after a word, e.g. "apple1".
• Don't double up a single word, e.g. "appleapple".
• Don't simply reverse a word, e.g. "elppa".
• Don't just remove the vowels, e.g. "ppl".
• Don't use keyboard sequences that are easy to type, e.g. "qwerty", "asdf".
• Don't just garble letters by converting e to 3, L or i to 1, o to 0 and so on, as in "z3r0-10v3".
All of these transformations are standard rules in password-cracking tools, which apply them
automatically to every word in a wordlist, so they add almost nothing to a dictionary word.
Tips
• Choose a password that you can remember so that you don't need to keep looking it up; this
reduces the chance of somebody discovering where you have written it down.
• Choose a password that you can type quickly; this reduces the chance of somebody
discovering your password by looking over your shoulder.
Bad Passwords

• Don't use passwords based on personal information such as your name, nickname, birthdate,
spouse's name, pet's name, friend's name, home town, phone number, social security number,
car registration number or address. This includes using just part of your name or part of
your birthdate.
• Don't use passwords based on things located near you. Passwords such as "computer",
"monitor", "keyboard", "telephone" and "printer" are useless.
• Don't be tempted to use one of those common passwords that are easy to remember but
offer no security at all, e.g. "password", "letmein".
• Never use a password based on your username, account name, computer name or email
address.

Choosing a password

• Use good password generator software.
• Use the first letter of each word from a line of a song or poem.
• Alternate between one consonant and one or two vowels to produce nonsense words, e.g.
"taupouti".
• Choose two short words and concatenate them with a punctuation or symbol character
between the words, e.g. "seat%tree".
The last two methods produce far fewer possible passwords than a random generator, and
cracking tools can join pairs of dictionary words with a symbol, so use them only for passwords
that are also reasonably long.
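The three generation methods above, written out as an added example for this handout (not code from the original source), together with a guess-space estimate for each method. WORDS and SEPARATORS are a constructed mini wordlist standing in for the real dictionary a generator would use; the "for" -> "4" substitution table is an assumption modelled on the handout's "mItWdOtW4Me" example.

```python
"""Password generation with the methods listed above, plus a guess-space
estimate for each method. Added example; WORDS/SEPARATORS are constructed."""
import math
import secrets
import string

# Constructed: a real generator would use a wordlist of thousands of entries.
WORDS = ["seat", "tree", "lamp", "rock", "wave", "mint", "gate", "fern"]
SEPARATORS = "!#%&*+-=?@"
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_password(length=16):
    """Generator software: uniformly random characters from ALPHABET.

    secrets (not random) draws from the OS CSPRNG, so the output cannot be
    predicted from earlier outputs or from the time it was generated.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def initials_password(line, substitutions=None):
    """First letter of each word of a remembered line, with alternating case.

    Words listed in `substitutions` are replaced whole ("for" -> "4"), as in
    the handout's "mItWdOtW4Me" example. The default table is an assumption.
    """
    subs = {"for": "4", "to": "2", "and": "&"} if substitutions is None else substitutions
    initials = []
    for word in line.lower().split():
        word = word.strip(string.punctuation)
        if word:
            initials.append(subs.get(word, word[0]))
    out, n = [], 0
    for ch in "".join(initials):
        if ch.isalpha():  # alternate case over letters only, leave digits as-is
            out.append(ch.upper() if n % 2 else ch.lower())
            n += 1
        else:
            out.append(ch)
    return "".join(out)


def two_word_password():
    """Two short words joined by a random symbol, e.g. "seat%tree"."""
    return secrets.choice(WORDS) + secrets.choice(SEPARATORS) + secrets.choice(WORDS)


def guess_space_bits(method, length=16):
    """log2 of the number of equally likely outputs of a method, assuming the
    attacker knows the method and the wordlist. This is the space a cracker
    must search; it depends on how the password was made, not on the string."""
    if method == "random":
        return length * math.log2(len(ALPHABET))
    if method == "two_word":
        return math.log2(len(WORDS) * len(SEPARATORS) * len(WORDS))
    raise ValueError(f"unknown method: {method}")
```

With the eight-word list, two_word_password() has under 10 bits of guess space, i.e. a few hundred candidates; a 7,776-word Diceware-style list raises two words plus a separator to roughly 29 bits, which is still far below the ~105 bits of a 16-character random_password(). The point is that the size of the search space, not the look of the string, decides how long an attacker who knows the method needs.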

Changing your password

• Change your password regularly; I suggest once a month is reasonable for most purposes.
Bear in mind that current guidance (NIST SP 800-63B) advises against forcing periodic changes
unless there is evidence of compromise, because forced rotation tends to produce predictable
variants of the old password.
• Change your password immediately whenever you suspect that somebody knows it, or even
that they may guess it, for example because they stood behind you while you typed it in.
• Remember, don't re-use a password.
Protecting your password

• Never store your password on your computer except in encrypted form. The password
cache that came with Windows 9x (.pwl files) is NOT secure, so whenever Windows prompts
you to "Save password", don't.
• Don't tell anyone your password, not even your system administrator.
• Never send your password via email or any other unencrypted channel.
• If you must write your password down, don't leave the paper lying around; lock it away
somewhere, preferably off-site and definitely under lock and key.
• Be very careful when entering your password with somebody else in the same room.
• Be very careful when entering your password with somebody else in the same room.

Remembering your password

Remembering passwords is always difficult, and because of this many people are tempted to
write them down on bits of paper. As mentioned above, this is a very bad idea unless the paper
is locked away. So what can you do?
• Use a secure password manager; several good ones are free.
• Use a text file encrypted with a strong encryption utility.
• Choose passwords that you find easier to remember.

Bad Examples

• "fred8" - Based on the user's name, and also too short.
• "christine" - The name of the user's girlfriend, easy to guess.
• "kciredref" - The user's name ("frederick") backwards.
• "indescribable" - Listed in a dictionary.
• "iNdesCribaBle" - Just adding random capitalisation doesn't make it safe; case toggling is a
standard cracking rule.
• "gandalf" - Listed in word lists.
• "zeolite" - Listed in a geological dictionary.
• "qwertyuiop" - Listed in word lists.
• "merde!" - Listed in a foreign language dictionary.
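The rules above, turned into a checker as an added example (not the handout's own code). WORDLIST, COMMON and KEYBOARD_RUNS are small constructed stand-ins; a real check would use a large dictionary and a leaked-password list of the kind shipped with cracking tools, and the `personal` argument is an assumed way of passing in the user's name and similar details.

```python
"""Flag passwords that break the "things to avoid" and "bad passwords" rules.
Added example; the word lists below are constructed, not real dictionaries."""
import re

WORDLIST = frozenset({
    "apple", "indescribable", "gandalf", "zeolite", "merde", "zero", "love",
    "computer", "keyboard", "monitor",
})
COMMON = frozenset({"password", "letmein", "123456", "admin", "qwerty"})
KEYBOARD_RUNS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
# The letter substitutions the handout warns about, reversed so we can undo them.
LEET = str.maketrans("301$@!", "eolsai")
VOWELS = str.maketrans("", "", "aeiou")


def _alpha_tokens(s):
    """Runs of letters, so 'apple1' and 'seat%tree' yield their words."""
    return [t for t in re.split(r"[^a-z]+", s) if t]


def _fragments(items, n=4):
    """Every n-letter run of each personal item, to catch 'part of your name'."""
    return {item.lower()[i:i + n] for item in items for i in range(len(item) - n + 1)}


def check_password(password, wordlist=WORDLIST, personal=()):
    """Return the list of rules the password breaks; an empty list means none."""
    reasons = []
    low = password.lower()
    rev = low[::-1]
    if len(password) < 8:
        reasons.append("too short: fewer than 8 characters")
    if low in COMMON:
        reasons.append("on the common-password list")
    for t in set(_alpha_tokens(low)):
        half = t[: len(t) // 2]
        if t in wordlist:
            reasons.append(f"built from dictionary word '{t}'")
        elif t[::-1] in wordlist:
            reasons.append(f"dictionary word '{t[::-1]}' reversed")
        elif len(t) % 2 == 0 and half in wordlist and t == half * 2:
            reasons.append(f"dictionary word '{half}' doubled")
    for w in wordlist:
        if w != low and w.translate(VOWELS) == low:
            reasons.append(f"dictionary word '{w}' with vowels removed")
    decoded = low.translate(LEET)
    if decoded != low:
        for t in _alpha_tokens(decoded):
            if t in wordlist:
                reasons.append(f"leet-speak spelling of dictionary word '{t}'")
    for run in KEYBOARD_RUNS:
        hits = [run[i:i + 4] for i in range(len(run) - 3) if run[i:i + 4] in low]
        if hits:
            reasons.append(f"keyboard sequence '{hits[0]}'")
    for frag in sorted(_fragments(personal)):
        if frag in low or frag in rev:
            reasons.append(f"contains part of personal information '{frag}'")
            break
    return reasons
```

Each bad example in the list above trips at least one rule, and the reversal, doubling, vowel-stripping and leet checks are exactly the transformations a cracking tool's rule set would generate from the base word, run in the opposite direction.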

Good Examples

None of these "good" examples is actually a good password any more, because it has been
published here and everybody knows it now; always choose your own password, never somebody
else's.
"mItWdOtW4Me" - Monday is the worst day of the week for me.

5.2 Password cracking techniques


There are a number of techniques that can be used to crack passwords. The most commonly used
ones are described below:

Dictionary attack – This method takes each entry of a wordlist (dictionary words, leaked
real-world passwords, or both), hashes it and compares the result with the stolen password hash,
or submits it to a login prompt. It is fast because the wordlist is tiny compared with the full
keyspace, and it succeeds only if the password is in the list.

Brute force attack– This method tries every combination of characters from a chosen character
set up to a given length. It always succeeds eventually, but the number of guesses grows
exponentially with length, so it is practical only for short passwords or small character sets.
Variants such as "p@$$word" for "password" are not produced by pure brute force but by
rule-based (mangling) attacks, as in John the Ripper and hashcat rule files, which apply
transformations such as leet substitution, capitalisation and appended digits to every wordlist
entry; this is a hybrid of the dictionary and brute force approaches.

Rainbow table attack– This method uses pre-computed hashes. Suppose the target database stores
passwords as unsalted MD5 hashes. An attacker can compute the MD5 hashes of commonly used
passwords in advance and store them indexed by hash; each stolen hash then becomes a single
lookup, and a match yields the password. A true rainbow table compresses this lookup table into
chains of hashes linked by reduction functions, trading lookup time for storage. Both depend on
the same password always producing the same hash, so a random per-user salt mixed into the
hash defeats them: the table would have to be rebuilt for every salt value.
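The precomputed-lookup idea and the salt caveat, as an added example that is not part of the original handout. The candidate list and the stored records are constructed; MD5 is used only because the paragraph above assumes it, and a real lookup table or rainbow table would cover millions of candidates rather than six.

```python
"""Precomputed hash lookup against unsalted and salted password stores.
Added example; CANDIDATES and the records are constructed for illustration."""
import hashlib
import os

# Constructed candidate list; a real table is built from millions of entries.
CANDIDATES = ["password", "letmein", "qwerty", "gandalf", "seat%tree", "apple1"]


def md5_hex(data):
    return hashlib.md5(data.encode()).hexdigest()


def build_lookup_table(candidates):
    """Attacker side: hash every candidate once, index by the hash value."""
    return {md5_hex(c): c for c in candidates}


def store_unsalted(password):
    """Defender storing md5(password): the same password always hashes alike."""
    return {"hash": md5_hex(password)}


def store_salted(password, salt=None):
    """Defender prepending a random per-user salt before hashing.

    os.urandom supplies the salt, so two users with the same password get
    different hashes and a precomputed table built without the salt is useless.
    """
    salt = os.urandom(16).hex() if salt is None else salt
    return {"salt": salt, "hash": md5_hex(salt + password)}


def crack_with_table(record, table):
    """Single dictionary lookup; works only for unsalted records."""
    return table.get(record["hash"])


def crack_salted(record, candidates):
    """With a salt the attacker must hash every candidate again for this one
    record; nothing precomputed for other users or other sites carries over."""
    for c in candidates:
        if md5_hex(record["salt"] + c) == record["hash"]:
            return c
    return None
```

Salting does not stop a per-record dictionary attack (crack_salted still finds "gandalf"); it removes the attacker's ability to amortise one precomputation across every stolen hash. Making each guess expensive is a separate measure, which is why password stores should use a slow, salted function such as PBKDF2, bcrypt, scrypt or Argon2 rather than a bare MD5 or SHA-256.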

Guess– As the name suggests, this method involves guessing. Passwords such as "qwerty",
"password" and "admin" are commonly used or set as defaults. If they have not been changed,
or if the user is careless when selecting passwords, the account can be compromised easily.

Spidering– Many organizations use passwords that contain company information. This
information can be found on company websites and on social media such as Facebook and
Twitter. Spidering gathers information from these sources to build a custom wordlist, which is
then used for dictionary attacks and, once mangling rules are applied, hybrid brute force attacks.

Spidering sample dictionary attack wordlist

1976 <founder birth year>
smith jones <founder name>
acme <company name/initials>
built|to|last <words in company vision/mission>
golfing|chess|soccer <founder's hobbies>
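The sample wordlist above, taken through the whole pipeline as an added example (not the handout's own code): spidered facts become base words, a small rule set mangles them the way the "p@$$word" variant in the brute force paragraph is really produced, and the result is run against hashes. It also serves the brute force paragraph by putting the size of the generated list next to the size of an exhaustive keyspace. The SPIDERED facts, the rule set and the target hashes are constructed; SHA-256 is used for the targets as an assumption.

```python
"""Spidered facts -> base words -> mangling rules -> dictionary attack.
Added example; SPIDERED, the rule set and the targets are constructed."""
import hashlib
import itertools
import string

# Constructed from the sample wordlist in the handout.
SPIDERED = {
    "founder_birth_year": ["1976"],
    "founder_name": ["smith", "jones"],
    "company": ["acme"],
    "mission": ["built", "to", "last"],
    "hobbies": ["golfing", "chess", "soccer"],
}
# Forward leet substitution, the same kind of rule a cracker's rule file holds.
LEET = str.maketrans("aeios", "@310$")


def sha256_hex(data):
    return hashlib.sha256(data.encode()).hexdigest()


def base_words(facts):
    """Flatten every spidered fact into a set of lowercase base words."""
    return {v.lower() for values in facts.values() for v in values}


def mangle(word, years=()):
    """Small rule set: case variants, leet, and common suffixes (years come
    from the spidered facts themselves)."""
    yield word
    yield word.capitalize()
    yield word.upper()
    yield word.translate(LEET)
    for suffix in ("1", "123", "!", *years):
        yield word + suffix
        yield word.capitalize() + suffix


def wordlist(facts):
    """Expand base words with rules and with two-word joins such as name+year."""
    words = base_words(facts)
    years = [w for w in words if w.isdigit()]
    out = set()
    for w in words:
        out.update(mangle(w, years))
    for a, b in itertools.permutations(words, 2):
        out.add(a + b)
    return out


def dictionary_attack(target_hash, candidates):
    """Return the candidate whose SHA-256 matches, or None if not in the list."""
    for c in candidates:
        if sha256_hex(c) == target_hash:
            return c
    return None


def brute_force_cost(length, alphabet=string.ascii_lowercase + string.digits):
    """Guesses needed to exhaust a keyspace; compare with len(wordlist(...))."""
    return len(alphabet) ** length
```

A few hundred candidates derived from five facts recover "Acme1976", "$m1th" and "Golfing1976" instantly, whereas exhausting even lowercase-plus-digits at eight characters takes 36^8 (about 2.8 trillion) guesses. This is why a targeted wordlist with rules is tried long before brute force, and why a password built from public facts about the organisation is weak however many symbols it contains.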
