A Guide To
Altering the Way a System Generates Passwords

Not all passwords are supplied by users. Some are generated by a computer system or by password generators. For example, many Internet Service Providers (ISPs) and corporations give first-time users a randomly generated password (and sometimes a random user name as well), which gets the person online. The user then changes the log-on information to their own preference. By learning how a certain system's randomizer works, or how the IT Department assigns new user IDs and passwords, the hacker can imitate the generation of valid passwords or alter how the system operates.

A good example of how manipulating a randomizer works is as follows. Dennis Ritchie, who helped develop UNIX technology, reported how a hacker attacked one company's system. Computer officials at the company had their system generate passwords, each eight characters long, mixing letters and digits. In a brute force attack, it should have taken 112 years to crack the nearly 3 trillion possibilities. However, the randomizer on the company system could only take 32,768 seeds for passwords. The hacker used his own machine to generate and test each of those combinations, using, according to Ritchie, "a total of only about one minute of machine time." In less time than the average commercial break runs on television, the hacker breached a seemingly impenetrable system.
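The gap between the password format's keyspace and the seed space can be measured directly; the following is an added example, not code from the system Ritchie described, that audits a seeded generator and shows a hardened alternative. The 36-symbol alphabet, the linear congruential generator and all function names are assumptions made for illustration.

```python
import math
import secrets

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"  # assumed: 26 letters + 10 digits
LENGTH = 8           # eight-character passwords, as in the account
SEED_SPACE = 32768   # number of seeds the randomizer accepted (2**15)


def seeded_password(seed):
    """Constructed stand-in: every character is derived from one small seed."""
    state = seed % SEED_SPACE
    out = []
    for _ in range(LENGTH):
        # Textbook linear congruential step; constants are illustrative only.
        state = (state * 1103515245 + 12345) % 2**31
        out.append(ALPHABET[(state >> 16) % len(ALPHABET)])
    return "".join(out)


def csprng_password():
    """Hardened form: each character comes from the OS CSPRNG, no reusable seed."""
    return "".join(secrets.choice(ALPHABET) for _ in range(LENGTH))


def nominal_bits():
    """Entropy the password format appears to offer: log2(36**8)."""
    return LENGTH * math.log2(len(ALPHABET))


def effective_bits(generator, seed_space):
    """Entropy actually delivered: log2 of distinct outputs over every seed."""
    return math.log2(len({generator(s) for s in range(seed_space)}))


def audit():
    """Compare the advertised keyspace with what the seeded generator can emit."""
    return {
        "format_keyspace": len(ALPHABET) ** LENGTH,   # 2,821,109,907,456
        "nominal_bits": round(nominal_bits(), 1),
        "effective_bits": round(effective_bits(seeded_password, SEED_SPACE), 1),
    }


if __name__ == "__main__":
    print(audit())
    print("CSPRNG sample:", csprng_password())
```

However the characters are derived, the effective figure can never exceed 15 bits, because the output is a function of the seed alone.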
Practitioner.Com: An Introduction to Computer Crime