
Password Security

David Turner

When was the last time you thought about how secure your password was? Do you use something easy to remember like your dog's name or your anniversary, or do you have post-it notes everywhere with passwords written on them? Do all your accounts use the same password? It's all safe enough, right? Wrong. Everyday people are the targets hackers love most, because their passwords are easy to crack and can provide limitless back doors into everything from your bank account all the way up to your company's information. Maybe it's time to start thinking about your passwords. I actually conducted a survey to see what people thought about password security; I'll discuss the results later.
Passwords are one of the biggest security holes in any seemingly secure network. Installing $500 anti-virus programs, hiring a dedicated cyber-security team, and taking all reasonable security precautions will not matter if users' passwords are weak. Based on my survey, this is not something people seem to understand; many of them were under the impression that it is the responsibility of corporations to secure data, not their own responsibility to make sure they had sufficient passwords. Karen Scarfone and Murugiah Souppaya (2009) stated that all corporations must protect their network and data using the security triad: confidentiality, integrity, and availability. Using this method will allow authorized users to perform their daily duties and will not allow unauthorized users to steal or corrupt their data. Integrity and availability are ensured by data security controls, such as strong passwords or passphrases, access control lists, firewalls, routers, and switches, which prevent attackers from overwriting passwords. If one thing fails or isn't implemented at all, data and network resources are at risk.
Another must for ensuring the security of a network is having encrypted and secured backups of all password files. Ensuring the confidentiality of passwords is considered a bit more difficult due to software, software configuration, and hardware compatibility. The majority of these security breaches stem from untrained users not knowing the severity of using weak or commonly known passwords in a corporate environment and Network Administrators not enforcing strong password policies. The National Institute of Standards and Technology (NIST) is a government agency that has come up with password standards for corporations to follow to secure their networks and keep data safe from hackers. You would think choosing the right password would be easy, but it's a lot harder than you would think. Most users want to use something that is easy to remember, such as the word "password", a significant date like 02-14-1992, or something that contains their name like "David1". Some people may even use their street address or their children's or pets' names. You may think this is unique and secure information that only you would know, but it's not.
Hackers simply have to Google you (or go trolling for you) to find your information. If the hacker knows where you work, live, and work out, and your favorite social media account such as Facebook, he or she can simply find your profile and gather information about you, your friends, and family. This information can include things such as your name, address, phone number, birth date, children's and pets' names, and significant dates. It is important to be mindful of what you put on the Internet and what you want others to know about you.
The key to a strong password is to use either a passphrase or a word or two combined with numbers, capital and lower case letters, and special characters. In my survey it was interesting to see how people ranked different passwords from strongest to weakest. You can use either technique, but the best and strongest passwords use a combination of both. Using a passphrase is one of the easiest ways to quickly secure your information. A passphrase can be very unique to the user. It can be something said by a character in your favorite movie, a line from a nursery rhyme, or a saying from a loved one. Here's an example of a passphrase that I've used in my computer classes: maryhadalittlelamb. I bet you're thinking that this is too simple and a hacker can crack this in a matter of minutes, but you're absolutely wrong. That only happens in the movies; in the real world this password would actually take months or maybe a year to crack. The length is what makes it complex, not the words. When using just a password, be sure to make it as unique and complex as possible while still being easy to remember. I would not use anything like this: $up3rM@n. All I did was take the word Superman and add a number, capital letters, and special characters; I made this simple word somewhat complex. This password could still be cracked in a few days or a month, because it's still considered a simple password. Now let's take both examples and combine them to make the passphrase even more complex, like so: M@ryhadAlitt13l@mB. By adding more elements to the passphrase I may get a few extra months before a hacker would be able to crack this password.
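The point that length, not symbol substitution, is what drives up the cost of a brute-force search can be checked with a little arithmetic. The following is an added example (it is not code from the essay): it computes the alphabet size and search space in bits for the three sample passwords above, converts that to a worst-case search time at an assumed guess rate (a hypothetical figure, not one from the essay), and also undoes the "leet" substitutions a hybrid attack tries automatically to see whether the result is just a dictionary word in disguise. The word list is a constructed stand-in for a cracker's dictionary.

```python
"""Added example (not from the essay): size of the brute-force search space
for each sample password, and detection of dictionary words dressed up with
leet substitutions. Guess rate and word list are constructed assumptions."""
import math
import string

SPECIALS = string.punctuation  # the 32 printable ASCII symbols

# Hypothetical offline cracking rate, used only to turn bits into time.
GUESSES_PER_SECOND = 1e10

# Constructed stand-in for a cracker's dictionary of common words.
COMMON_WORDS = {"password", "superman", "batman", "letmein", "qwerty"}

# Substitutions hybrid rules try automatically; they add little real strength.
LEET = str.maketrans({"@": "a", "$": "s", "3": "e", "1": "l", "0": "o", "!": "i", "4": "a"})


def charset_size(pw):
    """Alphabet a brute-force search must assume for this password."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in SPECIALS for c in pw):
        size += len(SPECIALS)
    return size


def keyspace_bits(pw):
    """log2 of the number of candidates: length * log2(alphabet size)."""
    return len(pw) * math.log2(charset_size(pw))


def brute_force_years(pw):
    """Worst-case time to exhaust the key space at the assumed guess rate."""
    seconds = 2 ** keyspace_bits(pw) / GUESSES_PER_SECOND
    return seconds / (365 * 24 * 3600)


def normalize(pw):
    """Undo leet substitutions and case, as a hybrid rule set would."""
    return pw.translate(LEET).lower()


def dictionary_derived(pw):
    """True when the password is just a dictionary word in disguise."""
    return normalize(pw) in COMMON_WORDS


def report(pw):
    return {
        "password": pw,
        "alphabet": charset_size(pw),
        "bits": round(keyspace_bits(pw), 1),
        "brute_force_years": brute_force_years(pw),
        "dictionary_derived": dictionary_derived(pw),
    }


if __name__ == "__main__":
    for pw in ("maryhadalittlelamb", "$up3rM@n", "M@ryhadAlitt13l@mB"):
        r = report(pw)
        print(f"{r['password']:<20} alphabet={r['alphabet']:>3} bits={r['bits']:>6} "
              f"years={r['brute_force_years']:.2e} dictionary={r['dictionary_derived']}")
```

Eighteen lowercase letters give about 84.6 bits of search space, while eight characters drawn from all four classes give only about 52.4 bits, so the plain passphrase beats $up3rM@n on brute-force cost alone; and $up3rM@n normalizes straight back to "superman", which is why a hybrid attack treats it as a simple password.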
Information technology columnist Reid Goldsborough (2014) states that passwords similar to the ones I mention are part of an actual list that circulates among hackers and contains the 500 most commonly used passwords. In cyber security we call this list a Rainbow Table. This list really does exist, and it contains every commonly known and used password and every combination ever used. It also contains all broken or cracked hash algorithms or hash functions. These tables are for sale on the Internet and they are not cheap. When or if you decide to purchase a Rainbow Table, you should be aware that whoever is selling you this list could be either a hacker or law enforcement; it will not be sold by a legitimate retailer such as Best Buy or Newegg. There could be other costs involved with this purchase, such as a bogus list, Trojans or viruses, or even jail time if the list was used in a crime. You're probably thinking, "So what, they have a list of commonly known and used passwords, and that will not affect me at all." That's where you're wrong. They can use said list to crack your password in many different attacks.
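What makes a precomputed list of hashes dangerous is that the work is done once and reused against every leaked hash, and what takes that shortcut away on the defender's side is a random per-user salt together with a deliberately slow hash. The following is an added example (not code from the essay) using only Python's standard library: it builds a small lookup table of unsalted SHA-1 hashes from a constructed list of common passwords, shows that a leaked unsalted hash of a common password is reversed instantly, and then stores the same password with a fresh salt and PBKDF2 so the table no longer applies.

```python
"""Added example (not from the essay): a precomputed hash table only works
against unsalted hashes; a per-user random salt plus an iterated hash defeats
it. The password list is constructed for the demonstration."""
import hashlib
import hmac
import os

# Constructed stand-in for a "most common passwords" list.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "superman", "david1"]

ITERATIONS = 100_000  # PBKDF2 work factor; raise it as hardware gets faster


def unsalted_sha1(password):
    """The weak storage format the lookup table targets."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(passwords):
    """Hash every candidate once; the table is reusable against any leaked
    unsalted hash, which is the whole point of precomputation."""
    return {unsalted_sha1(p): p for p in passwords}


def lookup(table, leaked_hash):
    """Instant reversal of an unsalted hash when the password is common."""
    return table.get(leaked_hash)


def hash_password(password, salt=None):
    """Store salt and PBKDF2-HMAC-SHA256 digest as 'salthex$digesthex'.
    A fresh random salt per user means no table built in advance applies."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted SHA-1 reversed to:", lookup(table, unsalted_sha1("superman")))

    stored = hash_password("superman")
    print("salted record:", stored)
    print("table hit on salted digest:", lookup(table, stored.split("$")[1]))
    print("verify correct password:", verify_password("superman", stored))
    print("verify wrong password:", verify_password("password", stored))
```

Two stored records for the same password differ because each gets its own salt, so an attacker who obtains the password file has to redo the (slow) hashing per user rather than consult a table; the salt is not secret and is stored alongside the digest.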
I know you have seen plenty of movies where some nerdy guy or girl is sitting at their computer getting ready to hack some major company, a bank, or our government. Then in a matter of minutes they're in the system looking for whatever information they need to either bring down the company or government or make off with millions of dollars, but to quote Geico, "that's not how this works, that's not how any of this works" (Geico Insurance commercial, 2014). Believe it or not, hacking is an art form, and it takes a lot of patience to do what they do. Hackers will use many different types of attacks to crack your password.
Predrag Tasevski (2013), who holds a Master of Science in Engineering in the field of cyber-security, stated that the easiest and simplest attack to use is called a Dictionary Attack. This attack actually uses the dictionary to crack your password, and it takes about twenty to thirty minutes to run. The Hybrid Attack is the one most commonly used by hackers. Most Network/System Administrators and users use upper and lower case letters, numbers, and special characters in their passwords. The Hybrid Attack will take every possible variation of a password, run it against its database, and use the dictionary and part of the rainbow table again to make another attempt to crack your password. This could take from ten minutes to an hour to run, even if the hacker has a database that is 10 GB or larger. The most difficult and time consuming is called the Brute Force Attack. The reason for this is that it looks for one character at a time until it finds the one you used. This is where the patience comes in. You may be wondering how hackers perform these attacks. They use the same tools as the security professionals.

These tools can be found all over the Internet. I'll be mentioning the popular ones that I've used during my time at Sullivan College of Technology and Design. John the Ripper is the oldest open source password-cracking tool; it is UNIX based and open source. Open source means the source code is available to the general public free of charge and can be changed by anyone. The source code is the base for all computer programs; it tells you who wrote it, how it was written, and who distributes the software. John the Ripper runs on Linux based systems and supports piped guesses, meaning it is possible to write a custom algorithm to generate password guesses and then use John as a backend cracker. It also has the ability to export guesses generated from the built-in algorithms to other programs, which makes it convenient to map the effectiveness of a password cracking session by keeping track of the exact number of guesses required to crack each password (Tasevski).
The next cracking tool runs on Windows operating systems and is called Cain and Abel. It is also free to the public, but it has a graphical interface that is easier to use. This tool can also be used as a network sniffer that can automatically grab passwords and password hashes over the network. It also has a built-in feature to create a rainbow table and an online hash lookup database. The next tool, L0phtcrack, was discontinued in 2006 after Symantec purchased it from @stake. L0phtcrack was the first tool to attack the Windows Local Area Network (LAN) Manager hash, or LM hash for short. LM hash was used by Microsoft all the way back to Windows XP and was disabled in Windows Vista because it was compromised by L0phtcrack. It was mostly used only by professional security/penetration testers because it was able to perform risk assessments, but it was later modified to crack passwords.
AccessData Password Recovery Toolkit is a program used for cracking files that are encrypted, but it does not have a graphical interface. It uses something called a field-programmable gate array (FPGA), an integrated circuit (IC) that can be programmed to differ from the manufacturer's original settings. This allows any computer user to tailor microprocessors to meet their own individual needs, a common practice among gamers, and it allows the tool to speed up its password-cracking attacks. It can be customized for creating dictionary and brute force attacks. With other tools you can only use one method to crack a password; with AccessData Password Recovery Toolkit you're able to use one or the other or both at the same time. The downside is that you cannot use any third party tools to assist, like Cain and Abel or John the Ripper. You must have a prebuilt database installed either in the tool or on the PC itself.
Aircrack-NG is a WiFi password-cracking tool that can crack Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA) passwords. It analyzes wireless encrypted packets and then tries to crack passwords via its cracking algorithm. It uses the Fluhrer, Mantin and Shamir (FMS) attack along with other useful attack techniques for cracking passwords. It is available for Linux and Windows systems. Scott Fluhrer, Itsik Mantin, and Adi Shamir (2001) described how this attack takes full advantage of a weakness in the Rivest Cipher 4 (RC4) key scheduling algorithm to reconstruct or recover the key from a large number of collected encrypted messages in that stream.
THC Hydra is one of the fastest network logon password-cracking tools. New modules are easy to install and enhance the features of the tool. It is available for many different operating systems such as Windows, Linux, FreeBSD, Solaris, and OS X. This tool has served as a proof of concept; it gives researchers and security consultants the ability to show how easy it would be to gain unauthorized access to a system remotely. It is the only login password-cracker that supports numerous protocols to attack. It is relatively easy to use and is as efficient as a brute-force attack can be. Brute-force attacks are somewhat uncommon and are never a recommended attack strategy, because they raise so many red flags for the hacker, but sometimes they just don't have a choice.
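The "red flags" a network login brute force raises are concrete: a burst of failed logins from one source in the authentication log. The following is an added example (not code from the essay) of what a defender's detection logic for those flags looks like. It parses constructed sshd-style log lines, keeps a sliding one-minute window of failures per source address, and raises an alert when one source fails too many times against an account; it goes one step beyond the essay's single-account case by also flagging one source that fails once each against several different accounts, the pattern a password-spraying attempt leaves. The thresholds, log format and addresses are all constructed for the demonstration.

```python
"""Added example (not from the essay): sliding-window detection of the failed
login bursts a brute-force or password-spraying attempt leaves in an auth log.
The log lines below are constructed; addresses are documentation ranges."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style lines: one source hammering a single account, one
# legitimate retry, and one source trying a few accounts once each.
SAMPLE_LOG = """\
2015-02-01T10:00:01 sshd: Failed password for alice from 203.0.113.7
2015-02-01T10:00:02 sshd: Failed password for alice from 203.0.113.7
2015-02-01T10:00:03 sshd: Failed password for alice from 203.0.113.7
2015-02-01T10:00:04 sshd: Failed password for alice from 203.0.113.7
2015-02-01T10:00:05 sshd: Failed password for alice from 203.0.113.7
2015-02-01T10:00:06 sshd: Failed password for alice from 203.0.113.7
2015-02-01T10:00:30 sshd: Failed password for bob from 198.51.100.9
2015-02-01T10:00:41 sshd: Accepted password for bob from 198.51.100.9
2015-02-01T10:01:10 sshd: Failed password for carol from 192.0.2.44
2015-02-01T10:01:15 sshd: Failed password for dave from 192.0.2.44
2015-02-01T10:01:20 sshd: Failed password for erin from 192.0.2.44
2015-02-01T10:01:25 sshd: Failed password for frank from 192.0.2.44
"""

LINE_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")


def parse(line):
    """Return (timestamp, failed, user, source), or None for unhandled lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, outcome, user, src = m.groups()
    return datetime.fromisoformat(ts), outcome == "Failed", user, src


def detect(lines, burst_threshold=5, spray_users=3, window=timedelta(seconds=60)):
    """Emit ('burst', src) when one source fails burst_threshold times inside
    the window, and ('spray', src) when one source fails against spray_users
    distinct accounts inside it. Each alert fires once per source."""
    recent = defaultdict(deque)   # src -> (timestamp, user) failures in window
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None or not rec[1]:   # skip unparsable and successful logins
            continue
        ts, _, user, src = rec
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= burst_threshold and ("burst", src) not in alerted:
            alerted.add(("burst", src))
            alerts.append(("burst", src))
        if len({u for _, u in q}) >= spray_users and ("spray", src) not in alerted:
            alerted.add(("spray", src))
            alerts.append(("spray", src))
    return alerts


if __name__ == "__main__":
    for kind, src in detect(SAMPLE_LOG.splitlines()):
        print(f"{kind:<6} from {src}")
```

The single legitimate retry from 198.51.100.9 never reaches a threshold, which is the property a detector needs so that account lockout or alerting does not punish ordinary typos; the thresholds are deliberately parameters, since the right values depend on the service and its normal failure rate.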
How do hackers use these tools to crack passwords? First they would need a way into your network or PC. Hackers like using either phishing or social engineering techniques. There are many different types of phishing attacks. Let's start with regular phishing: this is the attempt to acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. The second type is called spear phishing, and it's a directed attack on a specific individual or company. You may remember earlier in my paper I mentioned how attackers may gather personal information about their target from Google; that is what this is, an attempt to gather information. This technique is, by far, the most successful on the internet today, accounting for 91% of today's attacks. Cloning attacks are another type of phishing attack that uses a legitimate email that was previously delivered, but an attachment or link within the email is replaced with a malicious version and then sent from an email address spoofed to appear to come from the original sender. It's designed to look like the original or even an updated version of the original. The last phishing attack goes after your big fish, such as senior executives, boards of directors, and other high profile targets within a company; this is known as whaling.
Social engineering is the art of manipulating people so they give up personal information that can lead to your confidential information. Hackers are usually trying to trick you into giving them your passwords or bank information, or into giving them access to your computer so they can secretly install malicious software that will give them access to your personal information as well as control over your computer. This tactic is usually effective because it is easier to exploit you than it is to discover ways to hack your accounts. Social engineering can fool even the most careful user into being persuaded to disclose personal information to somebody who, on face value, appears to be trustworthy. It's much easier to fool someone into giving you their password than to try to hack their password, unless the hacker knows your password is really weak.
In the last five years six major companies have been hacked. In my survey, I asked people how they felt about these attacks, and unsurprisingly, many people said they were concerned. I would like to share this information published by Wired Magazine about what was stolen in the Sony Pictures hack:

"The hackers claim to have stolen a huge trove of sensitive data from Sony, possibly as large as 100 terabytes of data, which they are slowly releasing in batches. Judging from data the hackers have leaked online so far this includes, in addition to usernames, passwords and sensitive information about its network architecture, a host of documents exposing personal information about employees. The leaked documents include a list of employee salaries and bonuses; Social Security numbers and birth dates; HR employee performance reviews, criminal background checks and termination records; correspondence about employee medical conditions; passport and visa information for Hollywood stars and crew who worked on Sony films; and internal email spools.

"All of these leaks are embarrassing to Sony and harmful and embarrassing to employees. But more importantly for Sony's bottom line, the stolen data also includes the script for an unreleased pilot by Vince Gilligan, the creator of Breaking Bad as well as full copies of several Sony films, most of which have not been released in theaters yet. These include copies of the upcoming films Annie, Still Alice and Mr. Turner. Notably, no copy of the Seth Rogen flick has been part of the leaks so far." (Zetter, 2014)
I would have to agree with the writer that this hack was a personal and professional embarrassment for Sony as a company. To have a folder named "passwords" that contained current and past employees', server, and Information Technology (IT) passwords in clear text on the server was a huge mistake on their Network Security Administrator's part. There are plenty of software options available that could have encrypted that entire folder, such as TrueCrypt and KeePass. These are free of charge and I've used both of them. One hundred terabytes of data is a massive amount to lose.
The hacker or hackers created and installed a very vicious piece of malware that devastated Sony's network:

"Baumgartner says the malware used to harm Sony Pictures, known as Destover, acts as a backdoor and is capable of wiping disk drives and any Master Boot Record disk -- in other words, it can sneak into a system, completely take over and, just like that, have access to the data saved within. 'It does not target consumers,' he added. 'There may be other issues for customers, however, that arise out of any business being hacked and sensitive data accessed.'" (Alvarez, 2014)

Destover, in my personal opinion, is a great piece of malware. It tells the user "please wait" while it erases all of your data. This piece of malware was designed only for Sony, so if another hacker got a copy of the malware he/she could not install it on any other company's network.
So now that you know how hackers target networks, using both technology and personal interaction, how safe do you feel with your password? Are you guilty of some of the pitfalls I talked about? Will you be changing your password? If a company as big as Sony can be hacked, why can't you? Let's take a look at my survey results to see how secure people feel with their passwords, and how they define what a secure password is.

Figure 1

I conducted a survey that dealt with password security, and thirty-three people participated. My first question was to see if people felt that companies had their best interest in mind when protecting their data. To my surprise, 27.27% of participants said they did not care if a corporation had their best interest in mind when it came down to their personal data. I find this to be absolutely outrageous in this day and age. With so many corporations being hacked these days, why would you not care? Another 27.27% said "No, they don't have your best interest in mind," and I found that to be strange. I wouldn't think any corporation would want to lose a client or money due to their clientele not feeling safe about the company's use of their data. At least 45.45% said that they did feel corporations had their best interest in mind.

Figure 2

In figure 2, you can see that 78.79% of the people who took my survey said they would prefer to have more security when it comes to their personal data. To me, this means that 78.79% of people surveyed feel that their current security measures aren't enough.

Figure 3

I am glad, yet slightly concerned, to see that the majority of my participants did want more security on their home PC. This shows that they are aware of potential threats and are concerned that the security measures (or lack thereof) that they have in place aren't enough.

Figure 4

With such major corporations being targeted, it is clear to see that the majority of people are worried about the safety of their information. Based on the comments that I received, the people who responded that they were nervous but not bothered are people who do not do business with any of these corporations.

Figure 5

In this question, I gave no parameters of what is secure and what is not. So while the majority of people said that they don't use a simple password, many of those passwords may be simple without their creator knowing it. Additionally, I noticed that while people said they use a more complex password, many of them said they use the same password for multiple things, making even the most complex password less secure.

Figure 6

Correct Answers:
m@ryhaDal1ttl3laMp - Strongest (upper and lowercase letters, numbers, special characters, passphrase)
thismypassword - Second Strongest (due to length and passphrase)
MiKe$ - Neutral, not bad but not good (short, but includes a special character and upper and lowercase letters)
2hamburgers - Weak (all lowercase letters, and has non-embedded numbers)
10111986 - Weakest (all numbers; password crackers can most easily guess numbers)
This one surprised me a little. The majority of people agreed on what was the strongest, but a large volume of people picked the second strongest to be the weakest. The results for the middle ground seemed to be all over the place, with no one agreeing on what should come in 2nd, 3rd, and 4th place.

Bibliography
Alvarez, E. (2014, December 10). Sony Pictures hack: the whole story. Retrieved February 2015, from engadget.com: http://www.engadget.com/2014/12/10/sony-pictures-hack-the-whole-story/
Campbell, J., Ma, W., & Kleeman, D. (2011). Impact of restrictive composition policy on user password choices. Canberra.
Fluhrer, S., Mantin, I., & Shamir, A. (2001). Weaknesses in the Key Scheduling Algorithm of RC4. San Jose.
Goldsborough, R. (n.d.). Choosing passwords that really protect you. Personal Computing, 68.
Scarfone, K., & Souppaya, M. (2009). Guide to Enterprise Password Management (Draft). Gaithersburg.
Tasevski, P. (n.d.). Password Attacks and Generation.
Zetter, K. (2014, December 03). Sony Got Hacked Hard: What We Know and Don't Know So Far. Retrieved February 2015, from wired.com: http://www.wired.com/2014/12/sony-hack-what-we-know/
