Page 130


Undergound. Go to Table of Contents.

   cracker run faster.

  

   An efficient password cracker was a valuable tool. Electron would feed

   his home computer a password file from a target computer, say from

   Melbourne University, then go to bed. About twelve hours later, he

   would check on his machine's progress.

  

   If he was lucky, he would find six or more accounts--user names and

   their passwords--waiting for him in a file. The process was completely

   automated. Electron could then log into Melbourne University using the

   cracked accounts, all of which could be used as jumping-off points for

   hacking into other systems for the price of a local telephone call.

  

   Cracking Unix passwords wasn't inordinately difficult,

   provided the different components of the program, such as the

   dictionary, had been set up properly. However, it was time-consuming.

   The principle was simple. Passwords, kept in password files with their

   corresponding user names, were encrypted. It was as impossible to

   reverse the encryption process as it was to unscramble an omelette.

   Instead, you needed to recreate the encryption process and compare the

   results.

  

   There were three basic steps. First, target a computer and get a copy

   of its password file. Second, take a list of commonly used passwords,

   such as users' names from the password file or words from a

   dictionary, and encrypt those into a second list. Third, put the two

   lists side by side and compare them. When you have a match, you have

   found the password.

  

   However, there was one important complication: salts. A salt changed

   the way a password was encrypted, subtly modifying the way the DES

   encryption algorithm worked. For example, the word `Underground'

   encrypts two different ways with two different salts: `kyvbExMcdAOVM'

   or `lhFaTmw4Ddrjw'. The first two characters represent the salt, the

   others represent the password. The computer chooses a salt randomly

   when it encrypts a user's password. Only one is used, and there are

   4096 different salts. All Unix computers use salts in their password

   encryption process.

  

   Salts were intended to make password cracking far more difficult, so a

   hacker couldn't just encrypt a dictionary once and then compare it to

   every list of encrypted passwords he came across in his hacking

   intrusions. The 4096 salts mean that a hacker would have to use 4096

   different dictionaries--each encrypted with a different salt--to

   discover any dictionary word passwords.

  

   On any one system penetrated by Electron, there might be only 25

   users, and therefore only 25 passwords, most likely using 25 different

   salts. Since the salt characters were stored immediately before the

   encrypted password, he could easily see which salt was being used for

   a particular password. He would therefore only have to encrypt a

   dictionary 25 different times.

  

   Still, even encrypting a large dictionary 25 times using different

   salts took up too much hard-drive space for a basic home computer. And

   that was just the dictionary. The most sophisticated cracking programs

   also produced `intelligent guesses' of passwords. For example, the

   program might take the user's name and try it in both upper- and

   lower-case letters. It might also add a `1' at the end. In short, the

   program would create new guesses by permutating, shuffling, reversing