CUFP
Limbic~Region
All,
<br />
I recently encountered a situation where strong passwords that were changed regularly weren't very strong at all for anyone who knew the "standard format". Before I show the code, I will demonstrate the math.
<p>
If you use upper/lower case letters, numbers, and just 10 special characters, each position in a password can have 72 possible values. If you require an 8 character password, this is 722_204_136_308_736 possible passwords. If you use a standard format for passwords to make them easier to remembering, you may be dramatically reducing that keyspace.
</p>
<p>
In this hypothetical example, 'a5X11y%B' may be one of the passwords generated but you only need to know 'a5X1' to know the whole password. Let me explain:
<ul>
<li>The 1st character is always lowercase a-z</li>
<li>The 2nd character is always a number 0-9</li>
<li>The 3rd character is always uppercase A-Z</li>
<li>The 4th character is always a number 0-9</li>
<li>The 5th character is always the 4th character</li>
<li>The 6th character is always the next lowercase letter after the 3rd character</li>
<li>The 7th character is always the special character associated with the number of the 2nd character</li>
<li>The 8th character is always the next uppercase letter after the 1st character</li>
</ul>
This has a key space of 26 * 10 * 26 * 10 = 67_600 and can easily be cracked using brute force.
</p>
<READMORE>
<CODE>
#!/usr/bin/perl
use strict;
use warnings;
use Algorithm::Loops 'NestedLoops';
use Win32::OLE;
my $file = $ARGV[0] or die "Usage: $0 <file>"; # Important to use full path
# Win32::OLE Example Program
my $word;
eval {$word = Win32::OLE->GetActiveObject('Word.Application')};
die "MSWord not installed" if $@;
$word = Win32::OLE->new('Word.Application') or die "Can't start Word" if ! defined $word;
$word->{Visible} = 1;
my @key = (['a' .. 'z'], [0 .. 9], ['A' .. 'Z'], [0 .. 9]);
my $next = NestedLoops(\@key);
while (my @half = $next->()) {
my $pass = Gen_Pass(@half);
my $doc = $word->{Documents}->open({
'FileName' => $file,
'PasswordDocument' => $pass,
});
next if ! defined $doc;
print "$pass\n", last;
}
sub Gen_Pass {
my @pass = @_;
my %conv = (
1 => '!', 2 => '@', 3 => '#', 4 => '$', 5 => '%',
6 => '^', 7 => '&', 8 => '$', 9 => '(', 0 => ')',
);
my ($third, $first) = @pass[2, 0];
push @pass, $pass[-1]; # Duplicate the 4th number
push @pass, lc substr(++$third, 0, 1); # Increment 3rd char and lc it
push @pass, $conv{$pass[1]}; # Convert 2nd num to a spec char
push @pass, uc substr(++$first, 0, 1); # Increment 1st char and uc it
return join '', @pass;
}
</CODE>
</READMORE>
I do <b>not</b> endorse this type of activity for any other purpose then to help educate and institute change in policy. This is a contrived example and does not represent the "format" I actually saw. I was able to whip up less than 15 lines of code using [cpan://Win32::OLE] and [cpan://Algorithm::Loops] and found the password in approximately 10 minutes. The policy on passwords is changing as a result.
<div class="pmsig"><div class="pmsig-180961">
<p>
Cheers - [Limbic~Region|L~R]
</p>
</div></div>