To keep passwords secret, they are never stored in plain text but as a password hash (a one-way transformation of the password). If an attacker gets access to the password file, he does not get a list of all the passwords: there is no way to look at the hash and calculate the password that produced it. However, the hash can still be used to break into your system.

To hack your password, cracking software can use intelligent guessing. This works if your password is an easy one. First the password cracking tool tries all the dictionary words, then it tries a so-called "heuristic attack" that uses known password creation tendencies: for example, the tool checks dictionary words with extra characters added at the beginning or end of the word.

1. Your password must not be easy to guess. It must contain a varied set of characters, including special characters and numbers.

If intelligent guessing does not help, a "brute force" attack may be used. It works this way:

  1. Learn what algorithm was used to create the hash.
  2. Make a guess at what the password might be.
  3. Use the hash algorithm to create the guess hash.
  4. Compare the guess hash to the password hash.
  5. If they do not match, repeat steps 1-4 with a new guess. If the guess hash is equal to the password hash, the attacker has guessed the password.

If the attacker does not have the password hash, he may try entering guesses into the system directly. However, most systems are protected against this and do not allow numerous wrong passwords within a short period of time.

Given enough time, brute force can crack any password. However, the longer your password is, the more difficult it is to crack.

2. Make your password long. The longer, the better. Consider pass phrases instead of passwords.
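The following script is an added example, not code from the original article. It simulates the three guessing strategies described above (plain dictionary words, the "heuristic" variants of dictionary words, and exhaustive brute force over a small keyspace) as a password audit: it hashes a candidate password, then runs the guess-hash-compare loop of steps 2-4 and reports which strategy finds it and after how many attempts. The word list, the lowercase-only keyspace and the use of unsalted MD5 are all assumptions constructed for the demonstration; the `keyspace_size` function shows why length matters more than anything else.

```python
"""Added example: audit a password against the guessing strategies the article describes.
Word list, keyspace and hash algorithm are constructed assumptions, not the article's data."""
import hashlib
import itertools
import string

# Constructed dictionary for the example (a real cracking list has millions of entries)
DICTIONARY = ["password", "letmein", "dragon", "monkey", "abc"]
ALPHABET = string.ascii_lowercase  # lowercase-only keyspace, as in the article's example


def hash_password(pw: str) -> str:
    # Fast, unsalted hash: the situation a guessing attack exploits (assumption for the demo)
    return hashlib.md5(pw.encode()).hexdigest()


def dictionary_guesses(words):
    # Phase 1 in the article: every dictionary word as-is
    yield from words


def heuristic_guesses(words, max_digits=2):
    # Phase 2, the "heuristic attack": known tendencies such as a word plus trailing digits
    # or a capitalised first letter
    for w in words:
        for n in range(1, max_digits + 1):
            for digits in itertools.product(string.digits, repeat=n):
                yield w + "".join(digits)
        yield w.capitalize()


def brute_force_guesses(alphabet, max_len):
    # Phase 3: every string of length 1..max_len over the alphabet (step 2 of the loop)
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            yield "".join(chars)


def audit(password: str, max_len: int = 3):
    """Return (strategy, attempts) for the first guess whose hash equals the stored hash,
    or None if no strategy finds the password within the configured limits."""
    stored_hash = hash_password(password)  # what an attacker would read from the password file
    strategies = [
        ("dictionary", dictionary_guesses(DICTIONARY)),
        ("heuristic", heuristic_guesses(DICTIONARY)),
        ("brute force", brute_force_guesses(ALPHABET, max_len)),
    ]
    attempts = 0
    for name, guesses in strategies:
        for guess in guesses:
            attempts += 1
            # Steps 3 and 4: hash the guess, compare with the stored hash
            if hash_password(guess) == stored_hash:
                return name, attempts
    return None


def keyspace_size(alphabet_size: int, max_len: int) -> int:
    """Number of candidates of length 1..max_len: grows by a factor of alphabet_size per character."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


if __name__ == "__main__":
    for pw in ["monkey", "dragon42", "zq", "correcthorse"]:
        print(f"{pw!r}: {audit(pw)}")
    for n in (7, 8, 12):
        print(f"lowercase, 1-{n} chars: {keyspace_size(26, n):,} candidates")
```

Running the script shows `monkey` falling to the dictionary phase on the fourth attempt, `dragon42` to the heuristic phase, `zq` to brute force, and `correcthorse` surviving all three because it is neither in the list nor within the brute-force length limit. The keyspace numbers make the article's point concrete: each extra lowercase character multiplies the work by 26, and a larger character set multiplies the base itself.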

The most time-consuming part of guessing the password is step 3 (calculating the guess hash from the guess). However, there is a shortcut: calculate all the hashes for a given algorithm once and store them for later use. The idea is not new. People used to keep giant lists of pre-hashed passwords to check against (more than 100 GB of data to cover a typical password of 1-7 characters, lowercase letters only).

Here comes RainbowCrack. It does not calculate every single hash; it uses rainbow tables. According to cryptographer Zhu Shuanglei, the developer of RainbowCrack, it takes 2 days and 18 hours to generate the rainbow tables needed to crack a lowercase-letters-only Windows (LM hash) password that is 1-7 characters long. After that it takes only 74 seconds to crack a password on a modest machine. Very impressive, isn't it? But it does not work if the attacker does not have your hash file to compare the guess hash against the password hash.
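The script below is an added example rather than code from the article or from RainbowCrack. It builds the plain precomputed list the previous paragraph describes (every candidate hashed once, stored as hash-to-password) for a toy lowercase keyspace, so that reversing a stored hash becomes a lookup instead of a hashing loop; it also estimates how large such a list gets for 1-7 lowercase characters, which lands in the same "more than 100 GB" range the article quotes. As a practitioner's caveat that goes beyond the article, it shows that a per-password salt stored next to the hash makes the precomputed list useless, since the attacker would need a separate list per salt. MD5, the keyspace and the 16-byte hash size used in the estimate are assumptions for the demonstration.

```python
"""Added example: precomputed hash lookup for a toy keyspace, plus the effect of a salt.
Hash algorithm, keyspace and size estimate are constructed assumptions, not the article's data."""
import hashlib
import itertools
import os
import string

ALPHABET = string.ascii_lowercase


def unsalted_hash(pw: str) -> str:
    # Same input always gives the same hash, so hashes can be precomputed once (assumption: MD5)
    return hashlib.md5(pw.encode()).hexdigest()


def salted_hash(pw: str, salt: bytes) -> str:
    # The salt is stored beside the hash and is not secret; it only changes the hash input
    return hashlib.md5(salt + pw.encode()).hexdigest()


def build_table(alphabet, max_len):
    """Pay step 3 once for every candidate: map hash -> password (the 'giant list')."""
    table = {}
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            pw = "".join(chars)
            table[unsalted_hash(pw)] = pw
    return table


def lookup(table, stored_hash):
    # Reversal is now a dictionary lookup; no hashing is done at attack time
    return table.get(stored_hash)


def table_size_bytes(alphabet_size: int, max_len: int, hash_bytes: int = 16) -> int:
    """Rough storage estimate: one (hash, plaintext) row per candidate, no compression."""
    return sum(alphabet_size ** n * (hash_bytes + n) for n in range(1, max_len + 1))


def demo(max_len: int = 3):
    """Return (unsalted lookup result, salted lookup result, table entries)."""
    table = build_table(ALPHABET, max_len)
    found = lookup(table, unsalted_hash("cat"))          # precomputed: found instantly
    salt = os.urandom(8)                                  # constructed per-password salt
    missed = lookup(table, salted_hash("cat", salt))      # not in the table: salt changed the input
    return found, missed, len(table)


if __name__ == "__main__":
    found, missed, entries = demo()
    print(f"table entries: {entries}, unsalted lookup: {found!r}, salted lookup: {missed!r}")
    gb = table_size_bytes(26, 7) / 10**9
    print(f"estimated size of a full 1-7 lowercase list: {gb:.0f} GB")
```

The table for lengths 1-3 has 18,278 entries and reverses the unsalted hash of `cat` with a single lookup; the salted hash of the same password is simply absent, which is the precomputation-defeating effect a salt is designed to have. The estimate for 1-7 lowercase characters comes to roughly 190 GB with 16-byte hashes, which is why rainbow tables, which trade table size for some recomputation, were such a step forward for attackers.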

3. Password cracking tools need the password hash. If they don't get the hash, they cannot crack the password. Protect password files such as SAM, ntds.dit, shadow, and .htpasswd. Access to these files means full access to your system.

If you back up the Windows registry, it's a good idea to protect the backup file. If you use a third-party backup program, make sure the backup files do not contain the hash files. Limit the use of administrative-level accounts. Physically protect computers: an attacker with physical access can reboot your PC into another operating system and copy the password database.

And once again: implement a strong password policy. Try to use less common characters when composing a password. Make your passwords longer. Consider pass phrases.

For more information, see Creating a Strong Password