Crack Tutorial

Passwords and Password Cracking

This is an introduction to passwords and picking ones that are easy to remember but hard for an adversary to guess. Here we take a few paragraphs to explain what the "Crack" program is and isn't, how it works, and suggest some sorts of ways to form more secure passwords.

By the way, the program and the lists described below are all publically available. We just would like to keep ourselves one step ahead of the amateur cracker.

If you feel a need to cut to the chase,
skip down about 80 lines looking for the
word SUGGESTIONS:

The "Crack" program is a password GUESSING program. It takes any provided list of "words" and a list of ENCRYPTED passwords, and then tries to find which words, when encrypted match one or more encrypted passwords. Here the term "words" means any string of acceptable characters. Some things that might be outside of one's expectation of words are words in this sense including "1", "qwerty", "98765432", etc.

The "Crack" program, while it is a brute-force guesser, is not a blind guesser. There are about 124^8 (about 5.96 E 16) combinations of 8 characters possible. If one systematically tried all 8 character strings at 1000 tries per second on 1000 machines in parallel, it would take about 18 centuries to exhaustively cover that search space. (Expected time (50% probability level) to crack exactly 1 password would be only 9 centuries. If there were 100 randomly chosen passwords (uniform distribution), this expectation drops to only 18.8 years to find one but still is at 944 years to expect to cover 50 of them.)

People, however, do not tend to choose random strings. They tend to pick keyboard patterns (like "qwerty", "!@#$%^&*', etc.) and natural language words. Suddenly an adversary doesn't have to try 5.96E16 strings. With our current list of "words", we make about 2.2E7 attempts against a password that we do not break. This can be done on one machine at 1000 tries per second in 6 hours.

Currently our success rate (or should we view this as the failure rate) sits at 22% using a lists of dutch, english, french, german,
italian, norwegian and swedish words plus lists of names, jargon words, keyboard patterns and anything else people tend to use when
picking passwords. Of course, new lists of words are added when available. In other words do NOT assume hebrew, spanish, korean, chinese, and japanese are safe.

Things to AVOID:
Some password constructions are easily guessed by a program such as Crack and should be avoided! Crack uses about 77 variations on the GECOS information and 240 variations on the dictionaries.

* For the GECOS information this starts with the words in the GECOS field and the initials of that field. To quote from the Crack documentation,

The data fed to the gecos rules for the user aem, who is "Alec David Muffett, Systems" would be: aem, Alec, David, Muffett, Systems, and a series of permutations of those words, either re-ordering the words and joining them together (eg: AlecMuffett), or making up new words based on initial letters of one word taken with the rest of another (eg: AMuffett).

Crack then tries these directly, uppercased, lowercased, reversed, doubled up (e.g. "aemaem"), mirrored (e.g. "aemmea"), capitalized, capitalized and doubled, capitalized and flipped, with appended punctuation and digits (e.g. "aem!", "aem.", "aem3"), with prepended strings (e.g. "!aem")

For the dictionary attacks, instead of using GECOS information Crack uses the word lists available. It tries, among other things:

Force every pure alphabetic word lowercase and try it
Pluralise every significant one of the above
Try variations of anything that is not pure alnum
Any alphaword >2 & <8 chars long, append a digit or simple punctuation since few ppl add non alpha chars to a already non-alpha word
Lowercase every pure alphabetic word and reverse it
Capitalise every pure alnum word (ie: not anything which is not alnum)
Anything uppercase
Pure alphabetic words with vowels removed which are still fairly long
Longish pure words lowercased and reflected
Words containing whitespace, which is then squeezed out
In a similar vein, words with punctuation, squeezed out
Reasonably short words, duplicated. eg: "fredfred"
various combinations based on graphic or phonetic similarities such as "l"->"1", "o" -> "0", "0" -> "o", "e" -> "3", "a" -> "2"
Prefixing words with digits and punctuation
Capitalise and then reverse every word (eg: "derF")
Reverse and then capitalise every alphabetic word (eg: "Derf")
Pure words capitalised with various ejaculatory punctuation added eg: "Cats!" for Andrew Floyd-Drebber fans...
Uppercase words with various things appended or swapped out
Really weird uppercase variations (doubled, mirrored, reversed)

SUGGESTIONS:
SOME ways to form easy-to-recall yet hard-to-guess passwords:

First off: *Only* the first 8 characters count toward your password!
Secondly: A password is just some string of characters you can remember.

Try any combination of the following:

Interjecting one or more random characters within your "word". For alphabetic characters throw together a mix of lower and upper case. To further confound the guessing process, toss in punctuation, symbols and digits, but not at the beginning or end. (One thing Crack tries is words with prepended and appended digits, punctuation and symbols.) e.g. "confinement" -> "cOn&fiNe" (The remainder of "confinement", "ment", doesn't help.)
deliberately misspelling whatever you select. e.g. "helium" -> "healeum".
use first letters of a phrase. e.g. "I've fallen, and I can't get up" -> "If,aIcgu" (note use of punctuation and capitalization). Very random, yet extremely easy to remember. [Suggested here courtesy of A. Dupuy]
use numbers and sounds of letters to make words e.g. "imd14u" (I am the one for you) - not as good as the first, since the alphabet is fairly restricted. [Suggested here courtesy of A. Dupuy]
selecting syllables from 2 different words or jumbling the syllables of one word.
letters from 2 or more different words or totally jumbling the letters of one word. e.g. "laser" and "implosion" -> "liamspel" (The remaining letters "rosion" will not count toward a password and only make the password harder to recall.)
a bizarre pattern - like multiple caesar ciphers. e.g. shift vowels forward one {a,e,i,o,u} -> {e,i,o,u,a} and consonants back one.

The more of these conversions you apply, the better. For example take a word, switch syllables, add some punctuation and capitalize the 5th letter. You should, however, always look at the result and make sure it is not another word or closely related to another word.

As you apply more ideas from above, (1) you get to have a password that you can still recall without writing it anywhere and, (2) you significantly raise the number of words that a password guesser has to try.

By the way - As a general practice, *never* write password down - the power of coat hangers, lock picks and pass keys are NOT to be underestimated when one's password is written on the side of the terminal or monitor for all to see.