Intrusion Detection: Network Security beyond the Firewall
(Publisher: John Wiley & Sons, Inc.)
Author(s): Terry Escamilla
ISBN: 0471290009
Publication Date: 11/01/98

You must assume that an attacker has more time to devote to hashing candidate passwords than you have for managing your systems. This attack is therefore particularly threatening if your users choose passwords from a small search space, such as passwords of only three alphabetic characters. Various statements about the difficulty of breaking the UNIX password hash have circulated in the community for years. Often one encounters a statement that the probability of cracking a password is vanishingly small. Such statements are made on a theoretical basis: they cite the length of the password, usually in bits, and how hard it would be to exhaustively search the entire space of bit strings of that length. Indeed, the usual phrase is that an exceedingly powerful computer running for the known life of the universe could not complete the search. What these statements do not consider are the practical aspects of password guessing.

Users repeatedly choose weak or easily guessed passwords. Hackers and password crackers use this knowledge to narrow the search space and substantially reduce the complexity of the problem. Although in theory guessing an 8-character password from the universe of all 8-character passwords is impossible, in practice hackers are quite successful at it!

A good defense against offline brute-force guessing is to use stronger passwords. You also need to protect the password repository, whether it is a file on a local computer or a database on a central server. If the computing environment in which you are working supports encryption of the password file or database, you should take advantage of this feature, too. If the password file is stolen, mounting offline attacks against an encrypted file will be much more difficult.

If a user is required to remember different passwords for several systems, chances are that the passwords will be written down. Hackers who physically reconnoiter a site have favorite places they inspect for written passwords such as under the keyboard, on a nearby filing cabinet, or on the back of the monitor. Needless to say, passwords that are written down are fairly easy to crack.

It is interesting that despite the many additional defense mechanisms in operating systems to deter brute-force attacks, many computers today are cracked because of weaknesses in the password itself. Ignoring pleas from security experts, countless books, and trade magazines, users still continue to choose passwords that are easily guessed.

Social Engineering

Not all password threats are based on guessing or cryptographic techniques. Many hackers report that the easiest way to break into a system is social engineering (Littman, 1997; Knightmare, 1994). You would be amazed at how freely information is given over the phone without proper authentication between the parties. The lore of hackers is filled with tales of gullible users being conned into giving away their passwords, the passwords of their superiors, or other information that can be used to penetrate a network.

Sometimes, the social engineering attack requires physical surveillance of the work site. To accomplish this surveillance, an opponent impersonates someone from a maintenance company, courier service, or even a pizza delivery person to gain access to the site. Once inside, personal information about the target person can be gleaned from pictures on the desk, by sifting through the trash, or by listening to careless office gossip. Some even go so far as to dig through trash containers on the company’s premises. Security guards who stumble upon these sifters are easily repelled when the hacker explains the activity as collecting aluminum cans, searching for a lost article such as a watch, or desperately trying to retrieve a lost report. Stories have been told of security guards helping a hacker find useful information in these situations (Knightmare, 1994).

Shoulder surfing, identified earlier, is also a favorite technique. Try watching a friend type in a password. You will be surprised how easy it is to pick up at least a few characters. Remember, any information is useful. Knowing the password length and a few of its characters also helps reduce the search space. If the password is particularly difficult to type, or if the user is unaccustomed to keying it in, shoulder surfing is made easier by the slow keystroke pace. Social engineering tricks also include distracting a user while the password is being entered. Verbal information processing can reduce a user's keystroke rate. In other words, if the attacker is chatting in your ear about last night's football game, the time it takes you to enter your password will be increased.

When sufficient background material is obtained, the fun begins. The biggest problem the hacker faces is deciding which approach to use for social engineering. A particularly successful approach is for the attacker to call the target user and impersonate a superior. If the perpetrator can act convincingly, the hapless employee probably will respond automatically to any request. An alternative is to call a powerful network or system administrator over a period of time and build rapport by appealing to this person’s ego. For example, hackers have reported calling site experts with faked problems only to gradually develop a “friendship” with the unsuspecting soul on the other end. Enough trust has been built up to trick the victim into divulging information useful for penetrating systems, even if passwords were not obtained. At one recent hacker conference, a successful social engineering attack was carried out via telephone as part of a keynote address. In order to avoid breaking any serious laws, the speaker disconnected the victim only seconds before some useful secrets were disclosed.

The purpose of a social engineering attack may be to simply gain additional information that makes password guessing easier. Almost any information is useful to an attacker. Names of children, favorite hobbies, project names, birthdays, and other personal data can help narrow the search space for a brute-force password attack. A popular but predictable technique that some people use to “improve” the strength of passwords is to replace some characters with numerals. For example, the password “cocoon” would instead be “c0c00n”. With respect to computer search speeds, this additional twist does not add significantly to the password combinations the cracker must test. Notice that the only defense, if you rely on reusable passwords, is to educate site users. Periodic reviews and trials can ensure that employees are complying.
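As an added example (not from the book), the following Python shows why the "c0c00n" twist and passwords built from personal data barely help: a cracker's mangling rules undo the substitutions, and the substitution variants of a dictionary word number only a handful compared with the full character space. The substitution table, wordlist, personal tokens and the policy thresholds are all constructed for illustration.

```python
import itertools
import re

# Constructed substitution table: the digit/symbol-for-letter swaps that
# cracker mangling rules undo. Illustrative, not exhaustive.
LEET_MAP = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
            "7": "t", "@": "a", "$": "s", "!": "i"}
# Inverse direction, used to enumerate the variants a cracker would try.
REVERSE_LEET = {"o": "0", "l": "1", "e": "3", "a": "4", "s": "5", "t": "7", "i": "!"}

# Constructed mini wordlist standing in for a cracking dictionary.
WORDLIST = {"cocoon", "password", "football", "summer", "welcome"}

def normalize(password: str) -> str:
    """Lowercase and undo leet substitutions, as a mangling rule would."""
    return "".join(LEET_MAP.get(ch, ch) for ch in password.lower())

def strip_affixes(word: str) -> str:
    """Drop leading/trailing non-letters, e.g. 'summer99' -> 'summer'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", word)

def mangling_variants(word: str) -> set:
    """All spellings reachable by applying REVERSE_LEET at any subset of positions."""
    choices = [(ch, REVERSE_LEET[ch]) if ch in REVERSE_LEET else (ch,) for ch in word]
    return {"".join(p) for p in itertools.product(*choices)}

def weakness_reasons(password: str, personal_tokens=()) -> list:
    """Policy check: reasons the password is weak; an empty list means no rule fired."""
    reasons = []
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    base = strip_affixes(normalize(password))
    if base in WORDLIST:
        reasons.append(f"dictionary word '{base}' after undoing substitutions")
    for token in personal_tokens:
        if len(token) >= 3 and token.lower() in password.lower():
            reasons.append(f"contains personal data '{token}'")
    return reasons

if __name__ == "__main__":
    # 'cocoon' has only 2**3 substitution variants (three o's), versus
    # 26**6 six-letter strings for a blind alphabetic search.
    print(len(mangling_variants("cocoon")), 26 ** 6)
    print(weakness_reasons("c0c00n"))
    print(weakness_reasons("Emma1987", personal_tokens=["Emma", "1987"]))
```

The personal-token check is where a site would plug in data an attacker could learn by social engineering (children's names, birthdays, project names) so that such passwords are rejected at the time they are chosen.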
