

Showing posts with label Recover. Show all posts

Tuesday, March 20, 2012

How is password cracking done?

A password, as we all know, is a secret string of characters that is typically used for authentication and as a means of proving identity.

WHAT IS PASSWORD?

- A password is the way through which you access your accounts and resources.
- A password is not meant for anyone other than the account holder.
- Passwords have been in use since ancient times, and so, of course, have password theft and cracking!
- Nowadays passwords are best known for their use in the login process of various systems such as operating systems, ATMs, cell phones, email accounts and so on.
- A password need not be a meaningful word; it can be anything, however silly, that is difficult for others to guess.
- There are many types of passwords, such as the passphrase (a password formed from more than one word) and the PIN (personal identification number, a numerical password).
- Passwords are also quite vulnerable, since they are not as secure as their cryptographic counterparts, i.e., protocols.
- These days password theft, password spoofing, etc. are quite common.

FACTORS AFFECTING THE SECURITY OF PASSWORD

Before we explain how a password is cracked, you should know the factors that affect the security of a password.

- Any password protected system is provided protection against the viruses, Trojans etc.
- Physical security measures like shoulder surfing are also implemented.
- Many times, less extreme measures are also used, such as:
1. Side channel attack
2. Extortion and
3. Rubber hose cryptanalysis

HOW SECURITY OF PASSWORD PROTECTED SYSTEM IS DETERMINED?

- The security of a password protected system is often determined by the rate at which the attacker or hacker can guess the password.

- To overcome this threat, a “time out” of a few seconds can be implemented, or a fixed number of chances can be given to type in the correct password.

- Many computer systems now implement these techniques.

- In some systems the cryptographic hash of the password gets stored, which makes the password accessible to an attacker.

- The attacker can obtain the actual password from this hashed password value.
- Passwords with high guessing rates are commonly used for the cryptographic key generation process.
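The “time out” and fixed-number-of-chances measures described above can be combined in one per-account throttle. The following is an added example, not code from the original post; the class and function names and the policy values (5 attempts, 2-second base delay, 15-minute lockout) are assumptions chosen for illustration. It also measures the resulting guessing rate with a simulated clock.

```python
import time


class LoginThrottle:
    """Per-account throttle: a doubling delay after each failed login,
    then a long lockout once max_attempts consecutive failures are reached."""

    def __init__(self, max_attempts=5, base_delay=2.0, lockout=900.0,
                 clock=time.monotonic):
        # All three policy values are illustrative assumptions.
        self.max_attempts = max_attempts
        self.base_delay = base_delay
        self.lockout = lockout
        self.clock = clock
        self._state = {}  # account -> (consecutive failures, earliest next try)

    def retry_after(self, account):
        """Seconds the caller must still wait; 0.0 means an attempt is allowed."""
        _, not_before = self._state.get(account, (0, 0.0))
        return max(0.0, not_before - self.clock())

    def record(self, account, success):
        """Record the outcome of an attempt that was allowed to proceed."""
        if success:
            self._state.pop(account, None)  # a good login clears the history
            return
        failures = self._state.get(account, (0, 0.0))[0] + 1
        if failures >= self.max_attempts:
            wait, failures = self.lockout, 0  # out of chances: lock the account
        else:
            wait = self.base_delay * 2 ** (failures - 1)  # 2 s, 4 s, 8 s, ...
        self._state[account] = (failures, self.clock() + wait)


class FakeClock:
    """Manually advanced clock so the policy can be measured without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def guesses_in_window(throttle, clock, account, window):
    """Count the wrong guesses the policy admits within `window` seconds
    when every guess is submitted the instant the throttle permits it."""
    guesses = 0
    while clock.now < window:
        wait = throttle.retry_after(account)
        if wait > 0:
            clock.now += wait  # nothing to do but wait out the delay
            continue
        throttle.record(account, success=False)
        guesses += 1
    return guesses


def demo():
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    return guesses_in_window(throttle, clock, "alice", 24 * 3600)


if __name__ == "__main__":
    print("guesses admitted per account per day:", demo())
```

A per-account lockout also lets anyone who knows an account name lock its owner out, so deployments usually pair it with throttling per source address.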

HOW PASSWORD CRACKING IS DONE?

- Password cracking is the recovery of passwords from data stored in or transmitted by a computer system.
- There are many approaches developed to crack a password:

1. Guessing
This is perhaps the most common approach and does not require any special skills.

2. Changing the password
This method is second on the list of password cracking methodologies. When a user forgets his/her password, the system allows the password to be changed following an authentication process.

3. Brute force cracking
This type of cracking involves trying every possible password until the right one is found.

4. Dictionary attacks
This method is also very common and involves trying candidate passwords from a cracking dictionary.

5. Pattern checking
6. Word list substitution

PURPOSE FOR PASSWORD CRACKING

- The purpose of password cracking can be a positive one; for example, the user of a particular account might have forgotten his password and be unable to access his account.
- The purpose of password cracking can also be a negative one, i.e., gaining unauthorized access to a computer system, mischief, etc.

The time taken to crack a password is directly proportional to the strength of its character set or bits.
- The more complex a password, the longer it takes to crack.
- In some password cracking processes, the system is made to generate similar types of passwords.
- Such passwords are called candidate passwords.
- The password cracking rate depends on the availability of the hash and the limitations of the software authentication.


Monday, March 19, 2012

Explain the concepts of password cracking?

Password cracking is one of the important and most sought-after concepts in computer security and cryptanalysis. The term is self-explanatory, i.e., we can make out from the term itself that it is all about recovering passwords.

Passwords can be recovered from the data that is transmitted and stored by a computer system or network. To date, many approaches have been formulated for cracking passwords.

APPROACH FOR PASSWORD CRACKING

- The most common approach, which is still very much in use, is repeated guessing of the password until one gets the right one.

- Nowadays passwords are best known for their use in the login process of various systems such as operating systems, ATMs, cell phones, email accounts and so on.

- A password need not be a meaningful word; it can be anything, however silly, that is difficult for others to guess.

- There are many types of passwords, such as the passphrase (a password formed from more than one word) and the PIN (personal identification number, a numerical password).

- Passwords are also quite vulnerable, since they are not as secure as their cryptographic counterparts, i.e., protocols.

- These days password theft, password spoofing, etc. are quite common.

FACTORS AFFECTING THE SECURITY OF PASSWORD

- Any password protected system is provided protection against the viruses, Trojans etc.

- Physical security measures like shoulder surfing are also implemented.

- Less extreme measures are still very much in use, namely side channel attack, extortion and rubber hose cryptanalysis.

- Password cracking does not always have a bad reason behind it.

- There can also be some reasonable and genuine causes for cracking a password.

- The password cracking process usually takes much time, depending upon the strength of its bits.

- The measure of the strength of the bits of a password gives an indication of its information entropy.

- Many computer systems now implement these techniques.

- In some systems the cryptographic hash of the password gets stored, which makes the password accessible to an attacker.

- The attacker can obtain the actual password from this hashed password value.

- Passwords with high guessing rates are commonly used for the cryptographic key generation process.
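The relation between character set, bits of entropy and cracking time mentioned above (and in the March 20 post) can be worked through numerically. This is an added example, not part of the original posts; the sample passwords are constructed, and both guessing rates are assumptions: 465 guesses per day stands for an online login with a lockout policy, and one billion guesses per second for an offline search against a stolen fast hash.

```python
import math
import string

# Character classes used to estimate the size of the character set.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

# Assumed guessing rates in guesses per second (not measurements).
RATES = {
    "online, throttled": 465 / 86400,
    "offline, hash available": 1e9,
}


def charset_size(password):
    """Sum the sizes of the character classes the password draws from."""
    size = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    # Characters outside those classes (space, non-ASCII) count once each.
    extras = {ch for ch in password if not any(ch in c for c in CLASSES)}
    return size + len(extras)


def keyspace(password):
    """Number of strings of the same length over the same character set."""
    return charset_size(password) ** len(password)


def entropy_bits(password):
    """Upper bound on entropy: it holds only if every character was picked
    at random. Dictionary words fall far sooner than this bound suggests."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def average_days(password, guesses_per_second):
    """Expected exhaustive-search time: half the keyspace at the given rate."""
    return keyspace(password) / 2 / guesses_per_second / 86400


def report(passwords):
    """One row per password: charset, bits, and average days at each rate."""
    rows = []
    for pw in passwords:
        row = {"password": pw, "charset": charset_size(pw),
               "bits": round(entropy_bits(pw), 1)}
        for name, rate in RATES.items():
            row[name] = average_days(pw, rate)
        rows.append(row)
    return rows


if __name__ == "__main__":
    # Constructed sample passwords.
    for row in report(["1234", "password", "Blue7!kettle",
                       "maple tunnel orbit cactus"]):
        print(row)
```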

HOW PASSWORD CRACKING IS DONE?

- To put it simply, password cracking is the recovery of passwords from data stored in or transmitted by a computer system.

- Passwords, whether easy to remember or hard to guess, always have a problem associated with them.

- A password which seems easy for the user to remember might often also be easy for an attacker to crack.

- On the other hand, a difficult password is a contributing factor in reducing the security of the system, since it has to be physically written down and stored somewhere.

- In such cases the user tends to use the same password for a long time or to reset it again and again in case he/she forgets it.

- All this makes a system vulnerable and calls for more stringent security checks for passwords.

- There are several measures to increase the password strength like using a mixture of both lower case and upper case alphabets, numbers and special characters.

- But such kinds of measures only make the memorisation of these passwords more difficult.

- The best measure here to avoid such memory traps can be to design a personal algorithm for the generation of obscure passwords whenever you plan to change your password.


Friday, March 2, 2012

What are different error handling defects?

Errors are a major headache for software programmers, developers and testers alike. They cause the whole software system or application to falter, produce unexpected results and behave abnormally. Some errors cause more harm while some cause less, some are easy to discover whereas some are hideous, some are as active and disruptive as a volcano and others are dormant. Therefore error handling becomes an important factor in deciding the success of a program.

WHAT IS MEANT BY ERROR HANDLING?
- Error handling is the way a program handles the errors that disturb its functioning.
- The error handling procedure should be very strong and smart.
- Error handling requires a lot of decision making.
- The error handling process, like other processes, is also a victim of defects.

STEPS IN ERROR HANDLING PROCESS & DEFECT CAUSING FACTORS

1. The main steps involved in an error handling process are detection, anticipation and resolution of the errors that occur during the execution of the software program or application.

2. Some applications even employ programs called “error handlers” developed specially for handling the errors.

3. A software system or application is said to have good error handling capabilities if it is able to recover from errors without causing the whole program to terminate or, if it is not able to handle an error, properly terminates the program without causing any data loss.

4. Such forceful termination is nothing but an error handling defect.

5. The basic factors causing the run time errors are invalid input data and adverse function parameters.

6. Lack of memory is another defect causing factor.

A software application comprises various small programs. These programs may conflict with each other at run time. Similarly, web applications also experience errors due to electrical noise, malware or undue pressure on the server.

ERROR HANDLING PROCESS
A software system or application can overcome these errors by its error handling process. But this error handling process also faces some risks from any defects in its source code. Thus we can define the error handling defects as the defects that reduce the efficiency of the error handling process.

1. On the initiation of the error handling process, the discrepancy between the expected behavior and actual behavior is identified.
2. Whenever there is some discrepancy in the behavior of the program, a defect is created.
3. The test script that was being executed at the time of encounter of the defect is tested.
4. This process is called defect creation.
5. After this, the discovered defect is verified i.e., whether or not the defect is valid.
6. A severity level is assigned to the defect.
7. This severity level indicates the impact and visibility of the defect on the program.
8. The defect can cause the core functionality to go out of order or stop working.
9. It can affect the operational environment.
10. Such defects prevent the user from accessing the features and functionalities of the software system or application.
11. Incorrect navigation links are also a defect.
12. According to the level of the severity the encountered errors can cause, they are assigned priorities.
13. This process is defect prioritization.
14. Several priority codes have been defined.
15. There are some defects that do not even allow the testing to take place.
16. Defects causing such errors are given the highest priority.
17. The defect is once again confirmed and this process is called defect confirmation.
18. After the defect confirmation the defect is analyzed, the affected code is redesigned, developed and tested again for any shortcomings.
19. This process following the defect confirmation is called defect resolution.

20. The defects after being resolved are once again reviewed by the developer and certain test scripts are run to confirm that the defect has been resolved.
21. After the verification the defect is closed.


Wednesday, December 28, 2011

What are different characteristics of resilience testing?

What does resilience mean? It’s important to know the meaning of resilience first because so many people confuse recovery, reliability and resilience. They think it’s all the same. But it is not so.

- Resilience means to recover from a change.
- It’s slightly different from recovery and reliability.
- Every software application or system has to have some degree of resilience in it in order to be more secure and recoverable and reliable.
- Resilience is a non functional requirement of a software system or application.
- Resilience testing falls under the category of non functional testing.

It is very common for many non functional tests to be used interchangeably because of the overlap in scope between many non functional aspects or requirements.
One thing to be noted is that software performance is a broad and vast term and includes many specific requirements like scalability, reliability, compatibility, security and resilience.

Non functional testing contains the following testing techniques:
- Compliance testing
- Baseline testing
- Documentation testing
- Compatibility testing
- Load testing
- Localization testing
- Endurance testing
- Internationalization testing
- Recovery testing
- Performance testing
- Security testing
- Volume testing
- Usability testing
- Stress testing
- Scalability testing
- Resilience testing

Software system or application developers with disaster recovery plans or techniques are said to be actively and effectively engaged in reducing the risk of software system or application crash, failure or data loss. But the irony is that these disaster recovery plans become complacent.

This happens because many software developers or testers have a false sense of security based on the existence of their disaster recovery plans. To ensure the safety of the software system or application, the software developers need to test their data recovery strategies. Some software developers or testers feel this doesn’t apply to all programs because they conducted resilience testing when the software system or applications were put in place.

But one should always keep in mind that the testing environment, the testing strategies and the range of cost effective solutions and tools available are always changing. It is required to keep pace with all these changes.

- The resilience testing strategies need to be tested and reviewed frequently in order to keep up with these changes.
- Some software developers and testers are wary of the time and cost of test cases that give a better grade of tests, so they are not able to put their good intentions into practice, and hence there remains a lack of resiliency in the software system or application.
- This does not necessarily mean that each and every available test case should be implemented for testing the software system or application.

- There should be a test plan for carrying out the resilience testing.
- A structured methodology always ensures that the amount of time consumed is minimum and the effectiveness of the testing is maximum.
- Resilience testing is somewhat similar to stability testing, fail over testing or recovery testing.
- Resilience testing is aimed at determining the behavior of the software system or application in the case of unreliable events, catastrophic problems and system failures, crashes and data losses.
- Resiliency is one of the core attributes of a good and reliable software system or application.
- Any software or hardware malfunctioning or failures are likely to have a considerable impact on the software system or application.

A software system needs to be resilient against the following:
- Changes in requirements and specifications of the system.
- Hardware and software faults.
- Changes in data sources.

Resilience needs to be incorporated in the following stages of software development:
- Software design
- Hardware specification
- Configuration
- Documentation
- Testing


Wednesday, December 14, 2011

What are different characteristics of recovery testing?

Recovery testing makes clear what it is through its name. We all know what recovery means. To recover means to return to the normal state after some failure, illness, etc. This qualitative aspect is also present in today’s software systems and applications.

- The recovery of a software system or application is defined as its ability to recover from hardware failures, crashes and similar problems that are quite frequent with computers.
- Before the release of any software, it needs to be tested for its recovery factor. This is done by recovery testing.
- Recovery testing can be defined as the testing of a software system or application to determine its ability to recover from fatal system crashes and hardware problems.

One should always keep in mind that recovery testing is not to be confused with reliability testing, since reliability testing aims at discovering the points at which the software system or application tends to fail.

- In typical recovery testing, the system is forced to fail, crash or hang in order to check how the recovery asset of the software system or application responds and how strong it is.
- The software system or application is forced to fail in a variety of ways.
- Every attempt is made to discover the failure factors of the software system or application.

Objectives of Recovery Testing
- Apart from the recovery factor, the recovery testing also aims at determining the speed of recovery of the software system.
- It aims to check how fast the software system or application is able to recover from a failure or crash.
- It also aims to check how well the system recovers.
- It checks the quality of the recovered software system or application. There is some type and extent to which the software is recovered.
- The types and extent are mentioned in the documentation in the requirements and specifications section.
- Recovery testing is all about testing the recovering ability of the software system or application i.e., how well it recovers from the catastrophic problems, hardware failures and system crashes etc.

The following examples will further clarify the concept of recovery testing:

1. Keep the browser in running mode and assign it multiple sessions. Then just restart your system. After the system has booted, check whether the browser is able to recover all of the sessions that were running before the restart. If the browser is able to recover, then it is said to have good recovering ability.

2. Suddenly restart your computer while an application is in running mode. After the system has booted, check whether the data which was being worked upon by the application is still intact and valid. If the data is still valid, intact and safe, the application has a great deal of recovery factor.

3. Set some application, such as a file downloader or similar, to data receiving or downloading mode. Then just unplug the connecting cable. After a few minutes, plug the cable back in and let the application resume its operation, and check whether the application is still able to receive the data from the point where it left off. If it is not able to resume receiving the data, then it is said to have a bad recovery factor.
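The third scenario can be automated as a repeatable recovery test. The sketch below is an added example, not part of the original post: an in-memory byte string stands in for the remote file, the `fetch` and `run_recovery_test` names are hypothetical, and the payload is constructed. It interrupts a transfer, resumes it, and checks both the resume point and the integrity of the final file.

```python
import hashlib
import os
import tempfile


class LinkDown(Exception):
    """Raised by the simulated transfer when the 'cable is unplugged'."""


def fetch(source, path, chunk=4096, fail_after=None):
    """Append `source` to `path`, resuming at the size of any partial file.

    `fail_after` makes the simulated link drop once that many bytes have
    been transferred in this session. Returns (resume offset, bytes sent)."""
    offset = os.path.getsize(path) if os.path.exists(path) else 0
    sent = 0
    with open(path, "ab") as out:
        while offset + sent < len(source):
            if fail_after is not None and sent >= fail_after:
                raise LinkDown(f"link lost after {sent} bytes")
            start = offset + sent
            block = source[start:start + chunk]
            out.write(block)
            out.flush()
            os.fsync(out.fileno())  # partial data must survive a crash
            sent += len(block)
    return offset, sent


def run_recovery_test(size=50_000, fail_after=20_000):
    """Interrupt a transfer, resume it, and report what was recovered."""
    source = bytes(i % 251 for i in range(size))  # constructed payload
    expected = hashlib.sha256(source).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "download.part")
        try:
            fetch(source, path, fail_after=fail_after)
            interrupted = False
        except LinkDown:
            interrupted = True
        partial = os.path.getsize(path)
        resumed_from, resumed_bytes = fetch(source, path)  # cable back in
        with open(path, "rb") as f:
            actual = hashlib.sha256(f.read()).hexdigest()
    return {
        "interrupted": interrupted,
        "partial_bytes": partial,
        "resumed_from": resumed_from,    # must equal partial_bytes
        "resumed_bytes": resumed_bytes,  # only the missing remainder
        "intact": actual == expected,    # final file matches the source
    }


if __name__ == "__main__":
    print(run_recovery_test())
```

The test passes when the resume point equals the size of the partial file and the hash of the completed file matches the source; a downloader that restarts from zero or corrupts the file fails one of the two checks.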

Recovery testing tests the ability of application software to restart the operations that were running just before the loss of the integrity of the applications. The main objective of recovery testing is to ensure that the applications continue to run even after the failure of the system.

Recovery testing ensures the following:
- Data is stored in a preserved location.
- Previous recovery records are maintained.
- Development of a recovery tool which is available all the time.


Wednesday, September 1, 2010

What is Recovery Testing and what are its features.

Recovery testing tells how well an application is able to recover from a crash or hardware failure. Recovery testing should not be confused with reliability testing, which tries to discover the specific point at which failure occurs.
- Recovery is the ability to restart the operation after the integrity of the application is lost.
- The time taken to recover depends upon the number of restart points, the volume of the application, the training and skill of the people conducting recovery activities and the tools available for recovery.
- Recovery testing ensures that the operations can be continued after a disaster.
- Recovery testing verifies recovery process and effectiveness of recovery process.
- In recovery testing, adequate back up data is preserved and kept in secure location.
- Recovery procedures are documented.
- Recovery personnel have been assigned and trained.
- Recovery tools have been developed and are available.

To use recovery testing, procedures, methods, tools and techniques are assessed to evaluate their adequacy. Recovery testing can be done by introducing a failure in the system and checking whether the system is able to recover. A simulated disaster is usually performed on one aspect of the application system. Recovery testing should be carried out for one segment and then on the other segment when there are many failures.

Recovery testing is used when the continuity of the system is needed in order for the system to perform or function properly. The user estimates the losses and the time span to carry out recovery testing. Recovery testing is done by system analysts, testing professionals and management personnel.

