where N is the number of possible symbols and L is the number of symbols in the password. H is measured in bits. In the last expression, log can be to any base.
Wikipedia source : Password Strength
What is Password Cracking?
In cryptanalysis and computer security, password cracking is the process of recovering passwords from data that has been stored in or transmitted by a computer system. A common approach is to repeatedly try guesses for the password. Another common approach is to say that you have “forgotten” the password and then change it.
The purpose of password cracking might be to help a user recover a forgotten password (though installing an entirely new password is less of a security risk, but involves system administration privileges), to gain unauthorized access to a system, or as a preventive measure by system administrators to check for easily crackable passwords. On a file-by-file basis, password cracking is utilized to gain access to digital evidence for which a judge has allowed access but the particular file’s access is restricted.
Time needed for password searches: The time to crack a password is related to bit strength (see password strength); which is a measure of the password’s information entropy. Most methods of password cracking require the computer to produce many candidate passwords, each of which is checked. One example is brute-force cracking, in which a computer tries every possible key or password until it succeeds. More common methods of password cracking, such as dictionary attacks, pattern checking, word list substitution, etc., attempt to reduce the number of trials required and will usually be attempted before brute force. Higher password bit strength increases exponentially the number of candidate passwords that must be checked, on average, to recover the password and reduces the likelihood that the password will be found in any cracking dictionary.
Incidents: On July 16, 1998, CERT reported an incident where an attacker had found 186,126 encrypted passwords. By the time they were discovered, they had already cracked 47,642 passwords.
In December 2009, a major password breach of the Rockyou.com website occurred that led to the release of 32 million passwords. The hacker then leaked the full list of the 32 million passwords (with no other identifiable information) to the internet. Passwords were stored in cleartext in the database and were extracted through a SQL Injection vulnerability. The Imperva Application Defense Center (ADC) did an analysis on the strength of the passwords.
In June 2011, NATO (North Atlantic Treaty Organization) experienced a security breach that led to the public release of first and last names, usernames, and passwords for more than 11,000 registered users of their e-bookshop. The data were leaked as part of Operation AntiSec, a movement that includes Anonymous, LulzSec, as well as other hacking groups and individuals. The aim of AntiSec is to expose personal, sensitive, and restricted information to the world, using any means necessary.
On July 11, 2011, Booz Allen Hamilton, a large American Consulting firm that does a substantial amount of work for the Pentagon, had their servers hacked by Anonymous and leaked the same day. “The leak, dubbed ‘Military Meltdown Monday,’ includes 90,000 logins of military personnel—including personnel from USCENTCOM, SOCOM, the Marine Corps, various Air Force facilities, Homeland Security, State Department staff, and what looks like private sector contractors.” These leaked passwords wound up being hashed in Sha1, and were later decrypted and analyzed by the ADC team at Imperva, revealing that even military personnel look for shortcuts and ways around the pa ssword requirements.
On July 18, 2011, Microsoft Hotmail banned the password: “123456”.
Prevention: The best method of preventing password cracking is to ensure that attackers cannot get access even to the hashed password.
Wikipedia source : Password Cracking