The Escalating Tech Behind Password Cracks

Mark Koschmeder
Posted by in Technology


A silent arms race exists between data security professionals and the hackers who keep them busy. With every advance in password protection technology, those who have no business snooping through your financial records get a little smarter. Facing this threat, and learning to manage it effectively, is central to any kind of password protection plan your business adopts.

Protecting information should be simple. Store everything in a file, restrict access to people who know the password to that file, and rest assured that it's safe. As more than a few businesses have learned, however, it's rarely that simple. Password cracking has become serious business in the world of data hacking. Strictly, cracking is the process of figuring out a user's password to gain access to a system. It isn't always wrong, as in the case of recovering a lost or forgotten password without admin privileges, but it can easily be turned to subverting even the tightest password protection regimen.

One method of cracking involves a brute force attack. This is as simple as connecting the hacker's computer to the targeted system and trying every possible password until the right one turns up. This was one of the earliest methods of subversion, and today it's easily countered by password protection protocols that limit the number of attempts that can be made on any given account, usually by locking out the user after three failed submissions. Hackers have responded to this by developing programs that will log into and out of systems between attempts, which zeros out the counts and lets them keep trying.

All the same, even a simple password protection setup will have a range of potential passwords in the trillions or above. The number of permutations is increased further by requiring users to choose passwords that are theoretically hard to guess or don't appear in the dictionary, usually by incorporating numbers. Unauthorized parties have responded to this by what hacker godfather Kevin Mitnick called social engineering. Social engineering is as simple as calling somebody in the target institution and asking for a password reset. As absurd as it sounds, the ultimate weapon in the hands of high-tech hackers is usually the word "please."

As sophisticated as password protection regimens get, and as complex as the programs to break them are, the real weakness in any secure system is the users themselves. The struggle between infiltrators and guardians has risen to such a level of sophistication, with some password cracking programs running tens of billions of attempts per second, that the final word in hacking turns out to be the low-tech solution of digging through the garbage for a company-wide directory and calling the right person.

Basic password protection is central to any institution's data security setup. Of course, the most sophisticated password protection technology in the world is useless in the hands of an authorized user who chooses the word password as a password, which is why continuous training and awareness are ultimately the best forms of defense.

(Photo courtesy Salvatore Vuono / freedigitalphotos.net)

Comment

Become a member to take advantage of more features, like commenting and voting.

Jobs to Watch