How hackers crack software

How to crack your forgotten password

Peter Stelzel-Morawietz & Roland Freist

Fritzbox or Windows password, online account or Android - no matter which password you have forgotten or lost, this is how you crack lost passwords.

The preliminary remark is important: This article is not about spying on or intercepting passwords in order to gain access to third-party data - expressly not as a "desired side effect"! Rather, we want to show you how you can get your data back for common devices, software, encrypted data formats and online accounts if you have locked yourself out.

That is not at all unlikely, because even after a two-week vacation, some PC users may no longer be able to remember their Windows password. Not to mention a zip archive that was encrypted years ago or the various Internet logins that have accumulated over the years. And unless you always use the same password - which is strongly discouraged - or organize your access codes perfectly, you need help with remembering or resetting.


Passwords: the strength, the crack risk and some theory

The security of passwords and thus the risk of your own access codes being cracked is an extremely complex matter. Beyond all theory, developments in recent years have had a significant impact on the likelihood that your passwords will be outwitted and that personal data, shopping accounts or even your entire digital identity will be obtained. A long password with various tricks is only supposedly secure - we'll show you why.

On the one hand, the available performance of a small network of computers with two dozen graphics cards is so great that even an eight-digit password can be cracked after a few hours simply by trying it out. It can now be argued that increasing the password length drastically increases the number of attempts and thus the time for such a brute force attack.

That is true, but only in theory. Hackers have long been using other methods, and even rainbow tables, which hold a large number of already stored password hash values and thus considerably shorten the time for an attack, have lost their importance.

In recent years, numerous large companies have had customer data stolen, including passwords. All the patterns used have long been stored in "dictionaries" for cracking.

Lists with access codes accelerate the hacker attacks

Not least because of the numerous online break-ins in recent years, in which the data of millions of customers was partly stolen with the access codes in plain text and later leaked, a vast number of common passwords are known.

You only need to combine these with complete multilingual dictionaries to then carry out attacks with these “most likely” expressions: a few million expressions are processed faster than a quadrillion systematic attempts. But that's not all, because the captured lists also reveal frequently used patterns. Simple sequences like "12345 ..", "Password" or the names of partners, children or pets are on the decline, but simple changes to common words and other patterns are still the order of the day. For example, replacing letters according to the “1337 speak” pattern is popular: the German word “Taschenrechner” (pocket calculator) then becomes “745ch3nr3chn3r”, and the frequently used extension with the service or domain name would even result in an expression of 21 characters at the online retailer Amazon. Such an access code is still of little value because such “rules” have long been taken into account in dictionaries.
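The same rules can be turned around into a password-policy check. The following is an added example, not code from the article: it undoes the leet substitutions and the service-name extension described above and rejects anything that reduces to a wordlist entry. The tiny wordlist, the substitution table and all function names are assumptions made for illustration.

```python
import itertools
import math

# Constructed mini wordlist; a real audit would load full dictionaries
# and leaked-password lists.
WORDLIST = {"taschenrechner", "password", "sommer", "drachen"}

# Digit/symbol -> letters it commonly stands for (assumed rule set).
LEET = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}
SEPARATORS = "-_.!#+ "

def strip_service(text, service):
    """Remove a service or domain name used as prefix or suffix."""
    if service and text.endswith(service):
        return text[: -len(service)], True
    if service and text.startswith(service):
        return text[len(service):], True
    return text, False

def deleet(text):
    """Yield every reading of text with leet characters mapped back to letters."""
    options = [LEET.get(ch, ch) for ch in text]
    for combo in itertools.product(*options):
        yield "".join(combo)

def audit(candidate, service=""):
    """Report whether candidate reduces to a wordlist entry under the rules."""
    text, had_service = strip_service(candidate.lower(), service.lower())
    text = text.strip(SEPARATORS)
    hit = next((w for w in deleet(text) if w in WORDLIST), None)
    rules = []
    if had_service:
        rules.append("service-name")
    if hit and hit != text:
        rules.append("leet")
    return {
        "length": len(candidate),
        # Strength the length alone suggests, over a 62-character alphabet.
        "nominal_bits": round(len(candidate) * math.log2(62), 1),
        "base_word": hit,
        "rules": rules,
        "rejected": hit is not None,
    }

if __name__ == "__main__":
    # Both samples are constructed and 21 characters long.
    for pw in ("745ch3nr3chn3r-amazon", "q7Vd2mXw9rKp4ZtLh8cNb"):
        print(pw, audit(pw, service="amazon"))
```

Both sample passwords have the same length and therefore the same nominal strength, but only the first one is rejected, because it is a dictionary word plus two well-known rules.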

In addition, there are insecure systems: Android blocks the lockscreen for only 30 seconds if an incorrect unlock code is entered five times. If the entries are made automatically, a 4-digit combination is outwitted after 17 hours at the latest. The keyboard robot USB Rubber Ducky (35 euros) does this automatically. Only the new Android version 6.0 ("Marshmallow") increases the protection somewhat; iOS and Windows Phone are much safer here.

The USB Rubber Ducky acts as a programmable keyboard and can systematically attack not only PCs, but also smartphones and tablet PCs.
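The 17-hour figure follows directly from the lock policy. This added example (not from the article) computes the worst case for the policy described above and, for comparison, for a lock delay that doubles each time. The function names, the doubling policy and its one-day cap are hypothetical, and the time needed to type each code is set to zero.

```python
def worst_case_hours(keyspace, tries_per_lock, lock_seconds, seconds_per_try=0.0):
    """Hours needed to enter every code in the keyspace.

    lock_seconds(n) gives the length of the n-th lock (1-based). No lock
    follows the final batch, hence (keyspace - 1) // tries_per_lock locks.
    """
    locks = (keyspace - 1) // tries_per_lock
    waiting = sum(lock_seconds(n) for n in range(1, locks + 1))
    return (waiting + keyspace * seconds_per_try) / 3600

def fixed_30s(n):
    """The policy the article describes: every lock lasts 30 seconds."""
    return 30

def doubling_capped(n, first=30, cap=86_400):
    """Hypothetical policy: each lock doubles, capped at one day."""
    # The exponent is bounded so large n does not build huge integers.
    return min(first * 2 ** min(n - 1, 32), cap)

def compare():
    """Worst-case hours per (PIN digits, policy) pair, 5 tries per lock."""
    rows = {}
    for digits in (4, 6):
        for name, policy in (("fixed", fixed_30s), ("doubling", doubling_capped)):
            rows[(digits, name)] = round(worst_case_hours(10 ** digits, 5, policy), 1)
    return rows

if __name__ == "__main__":
    for (digits, name), hours in compare().items():
        print(f"{digits}-digit PIN, {name} lock: {hours:,.1f} h")
```

With a fixed 30-second lock, the delay adds up only linearly, so a longer PIN helps far more than the lock does. An escalating delay changes the result by orders of magnitude for the same PIN length.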

Locked Out: How to Reset Your Online Account Passwords

We have now presented some background information on passwords, including attacks, and the box below explains the various options for creating passwords. Now it's about resetting passwords. A common and at the same time simple case is that of online accounts, from A for Amazon to Z for Zattoo. All these services allow the password to be reset via the stored email address. The individual link contained in an automatically generated message gives the user the opportunity to set a new access code. This illustrates the central importance of the mailbox used: if an attacker knows the password for this account, he can easily access other services using the reset function. Choose particularly strong protection for this account.

In addition, there are other fallback mechanisms such as generating a security code via an app or having one sent via SMS. This route is independent of the PC and the Internet. Google and other companies even allow such a two-factor login as a standard method; it can be set up in the account settings. On the other hand, standard questions, i.e. questions about your favorite food, your mother's name or your primary school, offer hardly any effective protection, because the answers - provided you answer them truthfully - are often easy to find out through social engineering.

Like many other Internet services, Google offers the option of additionally securing online accounts using an SMS code on a previously specified telephone number.

On the one hand, forgotten access codes for online services can be easily reset and thus “cracked”; on the other hand, unlike offline attacks, companies quickly notice systematic attacks because they run through their infrastructure. The danger is significantly greater when thieves break into the IT systems of such companies, steal customer data and then attack it offline without being noticed. There they have all the tools and all the time in the world.


Hacker paragraph: tools to crack allowed?

According to Section 202c of the Criminal Code, spying on or intercepting passwords with the aim of gaining access to further data is prohibited. This also applies to the corresponding software: anyone who creates, procures, sells, hands over, disseminates or otherwise makes accessible to another person computer programs whose purpose is the commission of such an act is punished with imprisonment for up to one year or with a fine, according to the current criminal code ("hacker paragraph").

Then aren't all of the cracking tools listed illegal? No, the Federal Constitutional Court ruled. "Dual-use tools", which can be used both for the security analysis of networks and for the commission of criminal offenses under the Criminal Code, are not suitable objects in the sense of § 202c. This type of software was not developed with the intention of being used for spying on or intercepting data, the Karlsruhe judges ruled. However, you may only use the software to crack your own passwords - otherwise you will be liable to prosecution!

Microsoft Office password cracker

Word, Excel and PowerPoint can encrypt a document and protect it with a password, without which it cannot be opened. To do this, click on “File” in the current versions; in the “Information” section you will then find the command “Protect Document” (Word), “Protect Workbook” (Excel) or “Protect Presentation” (PowerPoint). Select the option "Encrypt with password" to save the file.

This password protection has been around in Office for a long time. Up to version 2003 it used a 40-bit key that could be cracked relatively quickly. From version 2007 Microsoft built in the encryption method AES-128 with the hash function SHA-1. Since Office 2013, the programs have been using AES-128 with SHA-2, an encryption that can only be cracked with considerable effort. For this reason, most of the available password crackers only work with the older versions of the Office files.

Warning: cost traps