#!# How a password works //General/Education

Today, in this guide I shall show you how a password works, as an example we will be using Micro$oft's LM algorithm.

About this guide::
In this guide I am going to explain (not demonstrate) how a password works, how breaking a password works (again, no demonstrations) and I hope the outcome of this guide will show you WHY it is important to build a strong password.
​

<guide>

First we begin, For examples I will be using the LM algorithm because most of you probably use it. To be clear, I will not specify how to obtain LM hashes, where they are stored, or how they are cracked.

What is a password?​

A password exists as 2 parts. First you have plaintext which is encrypted to become ciphertext.

It works like this::

Plaintext ==> (encryption algorithm) ==> Ciphertext​

The ciphertext is also called a hash. Basically what happens is when you take your password (from now on our example password will be 'hello123') and it gets pushed through an encryption algorithm, which in turn spits out the ciphertext.

So if your windows password for example, was 'hello123' the LM encrypter would translate that to: 0BEEA40070BB64AA1AA818381E4E281B.

As you can see, that is pretty freaking messy... but hello124 is 0BEEA40070BB64AAFF17365FAF1FFE89!

Not the most subtle difference is it?

How a cracker works​

Essentially what a cracker does is it will keep trying combinations of letters, numbers and characters untill it gets a matching hash.

So for example, your LM hash of: 0BEEA40070BB64AA1AA818381E4E281B
is the only thing standing between you and somebody trying to access your account. There are a lot of different means of cracking a password (which we will not be discussing) but the goal is to get that same hash. When that hash has been duplicated the entry responsible for making it MUST be the password.

However, this is not always true, take the md5 hash for example, it is often used to make sure a program you downloaded, or a file is EXACTLY the same, and has not been corrupted via transfer. But 1 out of every 5,000,000 hashes will be a false duplicate. i.e. the ciphertext is the same but the plaintext isn't.

Why it is important to build a strong password::​

A strong password isn't just for guess-ability. It is to protect your password from being cracked! Password cracking isn't usually a quick easy process (unless your password sauks) for example, a crack of hello123 may only take 5 minutes when a crack of He||0123 would take days. There are methods of making this process faster (not discussing it) but if your password includes good characters, capitolized letters, lowercase letters, and numbers you will get a password that would take a retarded ammount of time (up to billions of years) to crack. And will thwart and waste the efforts out of whoever is attacking your hash.

</guide>

I hope this guide is helpful and helps the user understand how a password works. As well, helps the user understand the importance of using a good password and why it is so important.

Sincerely, 1ce​

 

Seems like a government document with all the, "I will not say it". I mean, not to flame or anything but jeez I just felt like you were constantly telling us how you are NOT going to tell use how to crack a password.

 

Yea, that's exactly right, I can't tell you how to crack a password. Check CS rules for posting guides. NO CRACKING. I'd love to, really the best way to demonstrate how it works is from the other side but my hands are tied here.

This guide is about how passwords work, Not about password cracking. (As mentioned in the title/About section of this guide).

Sorry, 1ce
​

 

I hope i know how to crack password haha nice information about passwords thanks very much for clearing this up

 

Why would you want to know how to crack passwords?

OT - Pretty good guide, I had no idea passwords worked like that.

 

should of used MD5 encrypting as your example as most runescape server will use it and most Java apps including passwords. I think the basics are there so nice guide.

 

RS doesn't use md5, they use SHA512 $alt exempt, md5 is also fallible I thought LM was the best choice due to it's simplicity/practicality.