Enabling Compliance with Password Policies
Mandylion Research Labs

How Passwords Get Cracked
As with all information security breaches, defeating a system's safeguards comes down to exploiting the vulnerabilities inherent in it. With modern password hacking tools, exploiting these vulnerabilities is essentially an automated process. A cracking or password auditing utility first obtains the password hashes, either by sniffing them off the network or by reading them from host files, and then recovers the passwords either by looking each hash up in a precomputed table or by brute force.

Major Misconception: 3-Try Lockout
A major misconception about password hacking is that most people feel they are not vulnerable to a "brute force" style password attack. They are. They believe, incorrectly, that a hacker has at most a few attempts at guessing their password before being shut out of the login process.

You can instantly get just about anyone’s humanly generated password with widely available shareware cracking tools.

How Much Are Passwords Costing You?
Forget about the security aspects of passwords for a moment and focus on their costs to your organization. That's right, their direct and recurring costs to your organization. Although they appear to be free, passwords consume a material portion of your organization's IT support budget.
Strong Passwords?
Think your passwords are strong enough to survive a brute force attack?

Think again. The keyspace (the number of possible combinations) produced by even the most creative human mind is no match for password audit tools (crackers) such as L0phtcrack 5 (LC5) (www.@stake.com, now owned by Symantec) running on today's desktop machines. Even the simplest of these tools now contain 99% of all possible English alphanumeric password combinations. These tools are clever, stealthy and lethal. Worse yet, they are widely available for download on the net.

Password Cracking Tools
According to @stake, maker of the Rolls Royce of password auditing tools, its LC5 "password auditing tool" includes precomputed password tables containing trillions of password hashes, computed in advance of the password auditing and recovery process. Trillions. That's right, trillions.

A "strong", humanly generated 8-character password consisting of a few upper and lower case letters, a couple of numbers and a special character or two amounts to only approximately 100 billion combinations. Simply put, running a password auditing tool to recover a humanly generated password from its hash is as fast and automated an exercise as spell checking an email.

What does this all mean?
It means that a hacker unethically using these tools can almost instantly recover any password of fewer than 8 characters, as long as he somehow sniffs or captures your encoded password while it is being transmitted or stored at the host or client.

It means that even if you take care to use more than 8 characters in your passwords; even if each is generated in accordance with a strong policy that incorporates symbols, letters and numbers; even if it is changed regularly and not used concurrently elsewhere, your "strong" password is simply no contest for today's password cracking tools.

Modern Password Generators Thwart Cracking Tools
Only purely random passwords, generated by special purpose generator tokens, drawing from the largest ASCII character sets available can keep a step ahead of these cracking programs.

Download our BruteForce Attack Time Estimator (Excel template) and see for yourself an estimate of how quickly a password can be cracked by these widely available tools running on today's desktops.
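The keyspace arithmetic behind the figures above (the roughly 100 billion combinations of a structured 8-character password versus a purely random one drawn from all 95 printable ASCII characters) as a scriptable estimator. This is an added example, not Mandylion's Excel template: the class sizes, the `Ulllllds` pattern standing in for a typical human-built password, and the guess rate of 1e9 per second are assumptions.

```python
"""Brute-force keyspace and time estimator (added example, not the vendor's template)."""
from math import log2

# Assumed character-class sizes: U = uppercase, l = lowercase, d = digit,
# s = one of the 32 printable ASCII punctuation symbols.
CLASS_SIZE = {"U": 26, "l": 26, "d": 10, "s": 32}
FULL_ASCII = 95  # all printable ASCII characters, space included


def pattern_keyspace(pattern: str) -> int:
    """Keyspace of a password that follows a fixed class pattern, e.g. 'Ulllllds'.
    Models a human-style password whose structure a cracker can predict."""
    size = 1
    for cls in pattern:
        size *= CLASS_SIZE[cls]
    return size


def random_keyspace(length: int, charset_size: int = FULL_ASCII) -> int:
    """Keyspace of a uniformly random password over charset_size symbols."""
    return charset_size ** length


def entropy_bits(keyspace: int) -> float:
    """Keyspace expressed in bits, the usual way of comparing password strength."""
    return log2(keyspace)


def expected_seconds(keyspace: int, guesses_per_second: float) -> float:
    """Average time to hit the password: half the keyspace at the given guess rate."""
    return keyspace / 2 / guesses_per_second


def min_length_for_bits(target_bits: float, charset_size: int = FULL_ASCII) -> int:
    """Shortest random password over charset_size that reaches target_bits of entropy."""
    length = 1
    while entropy_bits(random_keyspace(length, charset_size)) < target_bits:
        length += 1
    return length


if __name__ == "__main__":
    RATE = 1e9  # assumed guess rate in hashes per second
    for label, ks in [
        ("human 8-char 'Ulllllds' pattern", pattern_keyspace("Ulllllds")),
        ("random 8-char, 95 printable ASCII", random_keyspace(8)),
        ("random 12-char, 95 printable ASCII", random_keyspace(12)),
    ]:
        print(f"{label}: {ks:.3g} combos, {entropy_bits(ks):.1f} bits, "
              f"~{expected_seconds(ks, RATE) / 86400:.3g} days at {RATE:.0e}/s")
    print("random length for 80 bits:", min_length_for_bits(80))
```

The `Ulllllds` pattern (one capital, five lowercase letters, a digit and a symbol) comes out at about 9.9e10 combinations, matching the page's "approximately 100 billion" for a structured 8-character password, while the same length drawn uniformly from 95 characters is about 6.6e15.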

© 1999 - 2006, Mandylion Research Labs, LLC. All rights reserved.