==Password cracking==
{{Main|Password cracking}}
Attempting to crack passwords by trying as many possibilities as time and money permit is a [[brute force attack]]. A related method, rather more efficient in most cases, is a [[dictionary attack]]. In a dictionary attack, all words in one or more dictionaries are tested. Lists of common passwords are also typically tested. [[Password strength]] is the likelihood that a password cannot be guessed or discovered, and varies with the attack algorithm used. Cryptologists and computer scientists often refer to the strength or 'hardness' in terms of [[Entropy (information theory)|entropy]].<ref name="SS1" /> Passwords easily discovered are termed ''weak'' or ''vulnerable''; passwords difficult or impossible to discover are considered ''strong''. There are several programs available for password attack (or even auditing and recovery by systems personnel) such as [[L0phtCrack]], [[John the Ripper]], and [[Cain (software)|Cain]]; some of these exploit password design vulnerabilities (such as those in the Microsoft LAN Manager system) to increase efficiency. These programs are sometimes used by system administrators to detect weak passwords proposed by users. Studies of production computer systems have consistently shown that a large fraction of all user-chosen passwords are readily guessed automatically.<ref>{{Cite journal |last=Morris |first=R. |last2=Thompson |first2=K. |title=Password Security: A Case History |journal=Communications of the ACM |volume=22 |issue=11 |pages=594–597 |year=1979 |url=https://rist.tech.cornell.edu/6431papers/MorrisThompson1979.pdf |access-date=April 30, 2025}}</ref> For example, Columbia University found 22% of user passwords could be recovered with little effort.<ref>{{cite web |url=http://www.cs.columbia.edu/~crf/howto/password-howto.html |title=Password |access-date=20 May 2012 |url-status=bot: unknown |archive-url=https://web.archive.org/web/20070423015011/http://www.cs.columbia.edu/~crf/howto/password-howto.html |archive-date=23 April 2007 }}. cs.columbia.edu</ref> According to [[Bruce Schneier]], examining data from a 2006 [[phishing]] attack, 55% of [[MySpace]] passwords would be crackable in 8 hours using a commercially available Password Recovery Toolkit capable of testing 200,000 passwords per second in 2006.<ref>[http://www.schneier.com/blog/archives/2006/12/realworld_passw.html Schneier, Real-World Passwords] {{webarchive|url=https://web.archive.org/web/20080923065435/http://www.schneier.com/blog/archives/2006/12/realworld_passw.html |date=23 September 2008 }}. Schneier.com. Retrieved on 20 May 2012.</ref> He also reported that the single most common password was ''password1'', confirming yet again the general lack of informed care in choosing passwords among users. (He nevertheless maintained, based on these data, that the general quality of passwords has improved over the years—for example, average length was up to eight characters from under seven in previous surveys, and less than 4% were dictionary words.<ref>[https://www.wired.com/politics/security/commentary/securitymatters/2006/12/72300 MySpace Passwords Aren't So Dumb] {{webarchive|url=https://web.archive.org/web/20140329222517/http://www.wired.com/politics/security/commentary/securitymatters/2006/12/72300 |date=29 March 2014 }}. Wired.com (27 October 2006). Retrieved on 2012-05-20.</ref>)

===Incidents===
* On 16 July 1998, [[CERT Coordination Center|CERT]] reported an incident where an attacker had found 186,126 encrypted passwords. At the time the attacker was discovered, 47,642 passwords had already been cracked.<ref name="CERT IN-98.03">{{cite web | url=http://www.cert.org/incident_notes/IN-98.03.html | title=CERT IN-98.03|date=16 July 1998 | access-date=9 September 2009}}</ref>
* In September 2001, after the deaths of 658 of their 960 New York employees in the [[September 11 attacks]], financial services firm [[Cantor Fitzgerald]], with help from [[Microsoft]], broke the passwords of deceased employees to gain access to files needed for servicing client accounts.<ref name=NYTimes20141123/> Technicians used brute-force attacks, and interviewers contacted families to gather personalized information that might reduce the search time for weaker passwords.<ref name=NYTimes20141123>{{cite news |last1=Urbina |first1=Ian |last2=Davis |first2=Leslye |title=The Secret Life of Passwords |url=https://www.nytimes.com/2014/11/19/magazine/the-secret-life-of-passwords.html |website=The New York Times |archive-url=https://web.archive.org/web/20141128194319/http://www.nytimes.com/2014/11/19/magazine/the-secret-life-of-passwords.html?_r=0 |archive-date=28 November 2014 |date=23 November 2014 |url-status=live }}</ref>
* In December 2009, a major password breach of the [[RockYou|Rockyou.com]] website led to the release of 32 million passwords. The hacker then leaked the full list of the 32 million passwords (with no other identifiable information) to the Internet. The passwords had been stored in cleartext in the database and were extracted through a SQL injection vulnerability. The [[Imperva]] Application Defense Center (ADC) analyzed the strength of the passwords.<ref>{{cite web |url=http://www.imperva.com/docs/WP_Consumer_Password_Worst_Practices.pdf |title=Consumer Password Worst Practices (pdf) |url-status=live |archive-url=https://web.archive.org/web/20110728180221/http://www.imperva.com/docs/WP_Consumer_Password_Worst_Practices.pdf |archive-date=28 July 2011 }}</ref>
* In June 2011, [[NATO]] (North Atlantic Treaty Organization) experienced a security breach that led to the public release of first and last names, usernames, and passwords for more than 11,000 registered users of its e-bookshop. The data was leaked as part of [[Operation AntiSec]], a movement that includes [[Anonymous (group)|Anonymous]], [[LulzSec]], and other hacking groups and individuals. The aim of AntiSec is to expose personal, sensitive, and restricted information to the world, using any means necessary.<ref>{{cite web|url=https://www.theregister.co.uk/2011/06/24/nato_hack_attack/|access-date=24 July 2011|title=NATO site hacked|work=The Register|date=24 June 2011|url-status=live|archive-url=https://web.archive.org/web/20110629094635/http://www.theregister.co.uk/2011/06/24/nato_hack_attack/|archive-date=29 June 2011}}</ref>
* On 11 July 2011, [[Booz Allen Hamilton]], a consulting firm that does work for [[the Pentagon]], had its servers hacked by [[Anonymous (group)|Anonymous]], and the stolen data was leaked the same day. "The leak, dubbed 'Military Meltdown Monday,' includes 90,000 logins of military personnel—including personnel from [[United States Central Command|USCENTCOM]], [[United States Special Operations Command|SOCOM]], the [[United States Marine Corps|Marine corps]], various [[United States Air Force|Air Force]] facilities, [[Homeland Security]], [[United States State Department|State Department]] staff, and what looks like private sector contractors."<ref>{{cite web |url=https://gizmodo.com/5820049/anonymous-leaks-90000-military-email-accounts-in-latest-antisec-attack |title=Anonymous Leaks 90,000 Military Email Accounts in Latest Antisec Attack |work=Gizmodo |date=11 July 2011 |url-status=live |archive-url=https://web.archive.org/web/20170714072831/http://gizmodo.com/5820049/anonymous-leaks-90000-military-email-accounts-in-latest-antisec-attack |archive-date=14 July 2017 |last1=Biddle |first1=Sam }}</ref> The leaked passwords turned out to be stored as SHA-1 hashes; they were later cracked and analyzed by the ADC team at [[Imperva]], revealing that even military personnel look for shortcuts and ways around password requirements.<ref>{{cite web |url = http://blog.imperva.com/2011/07/military-password-analysis.html |title = Military Password Analysis |date = 12 July 2011 |url-status = live |archive-url = https://web.archive.org/web/20110715004047/http://blog.imperva.com/2011/07/military-password-analysis.html |archive-date = 15 July 2011 }}</ref>
* On 5 June 2012, a security breach at [[LinkedIn]] resulted in 117 million stolen passwords and email addresses. Millions of the passwords were later posted on a Russian forum. A hacker named "Peace" later offered additional passwords for sale. LinkedIn undertook a mandatory reset of all compromised accounts.<ref>{{cite web |title=2012 Linkedin Breach had 117 Million Emails and Passwords Stolen, Not 6.5M - Security News |url=https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/2012-linkedin-breach-117-million-emails-and-passwords-stolen-not-6-5m |website=www.trendmicro.com |access-date=11 October 2023 |language=en |date=18 May 2016}}</ref>
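As an added illustration of the entropy, dictionary-attack and guess-rate ideas in the section above (example code written for this page, not part of the article or of any of the tools it names), the following weak-password audit estimates a candidate's search space in bits and converts it to worst-case brute-force hours at Schneier's 200,000 guesses per second, after first applying the cheaper common-password and dictionary checks that catch entries such as ''password1'' regardless of their nominal entropy. The wordlists are constructed stand-ins; a real audit would load published lists such as the RockYou dump.

```python
import math
import string

# Constructed stand-ins for the wordlists a weak-password audit would load
# (e.g. the RockYou leak or the "password1" case discussed above).
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein"}
DICTIONARY_WORDS = {"summer", "dragon", "monkey", "welcome", "football"}

# Guess rate of the 2006 Password Recovery Toolkit quoted by Schneier,
# and the 8-hour window he used for the MySpace figure.
GUESSES_PER_SECOND = 200_000
CRACK_WINDOW_HOURS = 8

# Character classes and the alphabet size each contributes to the search space.
CHAR_CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), len(string.punctuation)),  # 32 symbols
)

def entropy_bits(password: str) -> float:
    """Upper-bound entropy: length * log2(size of the union of classes used)."""
    alphabet = sum(size for chars, size in CHAR_CLASSES
                   if any(c in chars for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0

def hours_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case hours for a brute-force attack to try every candidate."""
    return 2 ** bits / rate / 3600

def audit(password: str) -> dict:
    """Rank a candidate as an administrator's weak-password check would:
    cheap wordlist tests first, brute-force cost only if those pass."""
    lowered = password.lower()
    stem = lowered.rstrip(string.digits)  # "summer2012" -> "summer"
    bits = entropy_bits(password)
    hours = hours_to_exhaust(bits)
    if lowered in COMMON_PASSWORDS or stem in COMMON_PASSWORDS:
        verdict = "weak: common password"
    elif stem in DICTIONARY_WORDS:
        verdict = "weak: dictionary word"
    elif hours < CRACK_WINDOW_HOURS:
        verdict = "weak: brute-forceable"
    else:
        verdict = "passes"
    return {"bits": round(bits, 1), "hours": hours, "verdict": verdict}

if __name__ == "__main__":
    for candidate in ("password1", "Summer2012", "abcdef", "Tr0ub4dor&3"):
        print(candidate, audit(candidate))
```

Note that ''password1'' scores about 46 bits, far beyond the 8-hour window by brute force alone, which is exactly why the wordlist checks run first.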