Page not found | -Department of Computer Science, Columbia University Page not found – Department of Computer Science, Columbia University

It looks like nothing was found at this location. Maybe try a search?


Table of Contents

How to change CS account password

If you do not know your current CS account password, please contact

Back to Top

How to change WIN-CS account password

If you do not know your current WIN-CS account password, please contact

Back to Top

How to change MRL account password

To reset your password for already existing accounts on the Windows machines in the Microsoft Research Lab (MRL), you must have a CS account. If you do not know your current CS password, please contact

To change your MRL account password, please click here.

Back to Top

Password Cracking

Here we take a few paragraphs to explain what the "Crack" program is and isn't, how it works, and suggest some sorts of ways to form more secure passwords.

By the way, the program and the lists described below are all publically available. We just would like to keep ourselves one step ahead of the amateur cracker.

The "Crack" program is a password GUESSING program. It takes any provided list of "words" and a list of ENCRYPTED passwords, and then tries to find which words, when encrypted match one or more encrypted passwords. Here the term "words" means any string of acceptable characters. Some things that might be outside of one's expectation of words are words in this sense including "1", "qwerty", "98765432", etc.

The "Crack" program, while it is a brute-force guesser, is not a blind guesser. There are about 124^8 (about 5.96 E 16) combinations of 8 characters possible. If one systematically tried all 8 character strings at 1000 tries per second on 1000 machines in parallel, it would take about 18 centuries to exhaustively cover that search space. (Expected time (50% probability level) to crack exactly 1 password would be only 9 centuries. If there were 100 randomly chosen passwords (uniform distribution), this expectation drops to only 18.8 years to find one but still is at 944 years to expect to cover 50 of them.)

People, however, do not tend to choose random strings. They tend to pick keyboard patterns (like "qwerty", "!@#$%^&*', etc.) and natural language words. Suddenly an adversary doesn't have to try 5.96E16 strings. With our current list of "words", we make about 2.2E7 attempts against a password that we do not break. This can be done on one machine at 1000 tries per second in 6 hours.

Currently our success rate (or should we view this as the failure rate) sits at 22% using a lists of dutch, english, french, german, italian, norwegian and swedish words plus lists of names, jargon words, keyboard patterns and anything else people tend to use when picking passwords. Of course, new lists of words are added when available. In other words do NOT assume hebrew, spanish, korean, chinese, and japanese are safe.

Things to AVOID:
Some password constructions are easily guessed by a program such as Crack and should be avoided! Crack uses about 77 variations on the GECOS information and 240 variations on the dictionaries.

* For the GECOS information this starts with the words in the GECOS field and the initials of that field. To quote from the Crack documentation,

The data fed to the gecos rules for the user aem, who is "Alec David Muffett, Systems" would be: aem, Alec, David, Muffett, Systems, and a series of permutations of those words, either re-ordering the words and joining them together (eg: AlecMuffett), or making up new words based on initial letters of one word taken with the rest of another (eg: AMuffett).
Crack then tries these directly, uppercased, lowercased, reversed, doubled up (e.g. "aemaem"), mirrored (e.g. "aemmea"), capitalized, capitalized and doubled, capitalized and flipped, with appended punctuation and digits (e.g. "aem!", "aem.", "aem3"), with prepended strings (e.g. "!aem")

For the dictionary attacks, instead of using GECOS information Crack uses the word lists available. It tries, among other things:

Back to Top

Revised: March 13, 2007