
Passwords

Work in progress

Misc

Just in case you spent the last centuries on another planet, I'll remind you what it is: a password is a piece of text that only one or a few people know, so that they can be authenticated or given access to some restricted service.
Multi-user operating systems (Unix, Windows NT) use them, and so do protected web servers. In both cases, a password just complements some ID.

Vulnerabilities

Theft

A password can be stolen: you can "sniff" it, hack the database that contains it or look over the shoulder of the guy who is entering it.

Most of the time, it is not displayed when you enter it; the bad guy can still look at the keyboard, but it is harder.

Against the sniffer, you have to encipher it (e.g., connection forms are often transmitted through HTTPS), or implement a challenge / response system.

Last but not least, clear passwords should not be stored, in case hackers steal the database. Unix or NT only keep a "hash" of the passwords. When a user logs on, the system hashes the word he entered and compares the result to the stored hash.

But this system (or challenges) is not failsafe...

Breaking

Even if you do not have "clear" passwords, you can "try" all the probable (or possible) passwords, feed them into the hashing algorithm and see whether the result matches the hash (or the answer to the challenge).

Depending on the case, passwords may be broken by exhaustive search, if each test is quick and if the "space" is small enough (short passwords), or by a dictionary attack. The latter relies on a human flaw (laziness) and means that we are going to try only common words, i.e. we have more chances to find "abc" than "ZynBRRi".
Some tools derive "possible" words from the dictionary: from "abcd", we are going to try "abcd1", "abcd2", etc.

Among those common words, we can find: words from the user's mother tongue, and first names.
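
As an added example (not part of the original page), the following Python shows the defensive side of both points above: storing only a hash and comparing hashes at logon, and refusing new passwords that a dictionary attack with derived words would find. The word list is a constructed sample, the function names are hypothetical, and the salted PBKDF2 hash is this example's choice to make each test slow; the check goes slightly beyond the "abcd1" case by also catching digits or punctuation on either end and reversed words.

```python
import hashlib
import hmac
import os

# Constructed sample list; in practice, load a cleaned dictionary of
# common words and first names, one lowercase entry per line.
SAMPLE_WORDS = {"abcd", "password", "michel", "sunshine"}
DECORATION = "0123456789!?.*-_"


def weakness(candidate, words=SAMPLE_WORDS, min_len=8):
    """Return why a new password is easy to guess, or None if no rule fires."""
    if len(candidate) < min_len:
        return "too short: small search space"
    low = candidate.lower()
    core = low.strip(DECORATION)          # "abcd1", "2Abcd!" -> "abcd"
    for form in (low, core, core[::-1]):  # also catch the reversed word
        if form in words:
            return "derived from dictionary word '%s'" % form
    return None


def hash_password(password, salt=None, rounds=200_000):
    """Salted, deliberately slow hash so that each guess costs time."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return salt, rounds, digest


def set_password(db, user, password):
    """Store only the hash record, and only for passwords that pass the check."""
    reason = weakness(password)
    if reason:
        raise ValueError(reason)
    db[user] = hash_password(password)


def check_login(db, user, password):
    """Hash the entered word and compare it to the stored hash."""
    if user not in db:
        return False
    salt, rounds, stored = db[user]
    _, _, entered = hash_password(password, salt, rounds)
    return hmac.compare_digest(entered, stored)   # constant-time comparison
```
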

In fact, all this was just an introduction to what is coming below...

A dictionary of first names

It is here or there.

I compile this from miscellaneous sources...
A few remarks:

ispell

ispell and aspell are free spell checkers. You can find dictionaries in many languages, but you have to clean them before you can feed a tool like Cracklib or John with them. [...]


Michel Arboi
Last modified: Sun Mar 25 16:17:45 CEST 2007