Password Recovery and Password Cracking

We use encryption and passwords to protect digital data. This can be a single file, a user account or a whole computer system. We rely on passwords and expect that nobody can access the data without knowing the password. Unfortunately, this assumption is wrong. There are many password recovery algorithms. Some depend on properties of the particular encryption algorithm, while others use brute force to gain access. However, most such algorithms do not recover the original password that was used, since many different passwords generate the same hash value, and it is this hash value that is used to encrypt the data. Therefore most password recovery tools are actually password cracking tools. Usually, the goal is not the password itself but the data.

In many cases password recovery is trivial. This applies in particular to user accounts. Most people use simple passwords that are words they use on a daily basis. Such passwords are easy to guess and provide no security. All you have to do is investigate a little bit about the person and learn about kids, pets and lovers. It is very likely that the password is the name of somebody. Because of possible problems with weak passwords, many system administrators require longer passwords with numbers and special characters. This approach leads to a more severe problem, because people cannot remember such passwords and they write them down somewhere. Inexperienced users accidentally make password recovery almost trivial.

In most cases we don't need password recovery. Assuming that we either choose a password that can be remembered or that we save it securely somewhere, we can always enter it when necessary. But even if the password is considered secure, we can still make a mistake and use it in more than one location. This way we risk unauthorized access in case somebody cracks our password at one location.

Websites use a simple password recovery approach. Each user account is associated with an email address. It is assumed that only the owner of the user account can access this email. Therefore the account recovery process consists of sending a link to reset the password. This way only the authorized user can change account data, and no password is ever sent or displayed.

We also use passwords to protect files from unauthorized access. All popular archiving programs like ZIP or RAR provide security options. Once the files are archived with a password, nobody can, at least theoretically, recover them without knowing the original password. Acrobat PDF files also use passwords to protect various levels of file access. In case we forget the password, we lose access to the files. Fortunately (or unfortunately, depending on which side you are on), there are tools that can crack passwords. The only problem with such password crackers is that password recovery may take a very long time. If the password is strong, it may never be cracked with ordinary computers and software.

But password cracking software was not created because of people who forget their passwords too often. There are many cases where people would like to gain (usually unauthorized) access to protected files or systems. One legitimate use of password cracking tools is forensic data recovery. Many advanced criminals protect incriminating data with passwords. To provide computer evidence in criminal cases, forensic examiners use password cracking software to recover encrypted files or to access protected user accounts. Windows XP password recovery and Linux password recovery for normal user accounts is possible if you have administrator privileges: you simply change the password for the user account. Root or administrator password recovery usually means booting from a recovery CD/DVD and resetting the password. Of course, if you have administrator privileges, then you can access the whole system including all user accounts; you don't need to recover the passwords of individual user accounts.

The same password recovery software is, of course, also used by hackers to get access to commercial software, computer systems, wireless networks or user accounts. Depending on the password strength, the characters used, and the cracking method used, the software may need a lot of time to check all possible passwords. The fastest approach is a dictionary attack, where the software checks all passwords stored in a file. This file may be a list of passwords used in the past, a list of people's names or commonly used words. Another approach is a brute force attack, where you define a maximum password length and a set of characters. The password recovery software then generates and checks all possible combinations. A typical desktop computer can check a few million passwords per second. While this number may seem huge, it is still extremely small compared to the number of possible combinations for typical passwords. Therefore, home password recovery is very limited.

Professional password cracking involves dedicated cracking hardware which can process billions of passwords per second. This significantly improves the chances of recovery, but success also depends on the particular encryption algorithm used. Some algorithms have weaknesses that can be exploited to limit the number of possible combinations and speed up the cracking.
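To make the brute force arithmetic from the two paragraphs above concrete, here is an added estimator (my own example, not part of the original article) that computes the size of the search space for a given character set and maximum length and divides it by the two guess rates mentioned: a desktop at a few million guesses per second and dedicated hardware at billions per second. The exact rates (5 million/s and 50 billion/s) and the character classes are assumptions chosen for illustration.

```python
"""Brute-force search-space estimator (constructed example, not from the article).

Models the attack the article describes: fix a maximum length and a character
set, then enumerate every combination. Shows why a desktop is hopeless against
a long mixed-class password while dedicated hardware still needs years.
"""
import string

# Character classes an attacker might configure (assumed for this example).
CLASSES = {
    "lower": string.ascii_lowercase,    # 26
    "upper": string.ascii_uppercase,    # 26
    "digits": string.digits,            # 10
    "symbols": string.punctuation,      # 32
}

# Guess rates per second, assumed concrete values for the article's figures.
RATES = {"desktop": 5_000_000, "dedicated_hw": 50_000_000_000}


def keyspace(charset_size: int, max_len: int) -> int:
    """Number of candidates of length 1..max_len drawn from the charset."""
    return sum(charset_size ** k for k in range(1, max_len + 1))


def charset_for(password: str) -> int:
    """Size of the union of classes needed to cover every character."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def seconds_to_exhaust(password: str, rate: int) -> float:
    """Worst case: enumerate every candidate up to this length and charset."""
    return keyspace(charset_for(password), len(password)) / rate


def human(seconds: float) -> str:
    """Render a duration in the largest convenient unit, one decimal place."""
    for unit, div in (("years", 365 * 86400), ("days", 86400),
                      ("hours", 3600), ("minutes", 60)):
        if seconds >= div:
            return f"{seconds / div:.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    # Constructed sample passwords: a pet's name, name plus year, mixed classes.
    for pw in ("rex", "rex1982", "Rex!1982xq"):
        print(f"{pw!r:14} charset={charset_for(pw):3}  " +
              "  ".join(f"{name}: {human(seconds_to_exhaust(pw, r))}"
                        for name, r in RATES.items()))
```

Running it shows the three-letter name falling in milliseconds on either machine, the name-plus-year in hours on a desktop but seconds on dedicated hardware, and the ten-character mixed password taking decades even at billions of guesses per second.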

Password recovery can be anything from trivial to almost impossible. It depends on the password strength and on our awareness of how passwords should be treated. Even the longest password provides no security if it is written on a post-it note.
