Passwords to access computer systems are stored in some form in a database to the system to perform password verification. To enhance the privacy of the passwords, the password verification data stored usually occurs when applying a round function to the password, possibly in combination with other available data. For simplicity of discussion, when one-way function does not incorporate a secret key, not the password, we refer to the function so that was used as a hash and its output as a hashed password. Although the functions that create hashed passwords may be cryptographically secure, possession of a hashed password provides a quick way to check guesses the password by applying the function of each guess, and comparing the result of verification of data. The most widely used hash functions can be calculated quickly and the attacker can do this repeatedly with different guesses until a valid match is found, ie, the plaintext password has been recovered.
The term password cracking is typically limited to recovery of one or more plaintext passwords from hashed passwords. Password cracking requires that an attacker can gain access to a hashed password, either by reading the database password verification or intercepting a hashed password sent over an open network, or have another way to quickly and limit test, if the password is guessed correctly. Without the hashed password, the attacker can attempt to access the computer system in question with guessed passwords. However well designed systems limit the number of failed login attempts and can alert administrators to track the source of attack, if you exceed that quota. With the hashed password, the attacker can work undetected, and if the attacker has obtained several hashed passwords, the chances of cracking at least one is quite high. There are many other ways of obtaining passwords illicitly, such as social engineering, the registration of wiretapping, keystrokes, login spoofing, dumpster diving, timing attack, etc. However, cracking usually designates a guessing attack.
Cracks can be combined with other techniques. For example, a method using hash-based authentication challenge-response password verification can provide a hashed password to a spy who can crack the password. A series of stronger cryptographic protocols exist that do not expose hash passwords during verification over a network, either for their protection in the transmission through a high quality key, or by using a key test of zero knowledge.
October 04, 2011, 10:12:50 AM