You know, I’m working as an IT administrator and I care about security. That’s why I’m worrying about passwords too. So why not run some tests to see some interesting numbers? Let’s get to work.
Our tool of crime: a Linux box running a 400 MHz Xeon CPU, some RAM, a solid RAID and John the Ripper. According to the benchmark, we should be able to compute about 970 password hashes per second for cracking. I also have a huge wordlist of common passwords here.
I am creating 20 user accounts here with random passwords that look like a cat ran over my keyboard: numbers and letters, 8 characters. This is the hard part.
Another test will use a password dump donated by a company I know that wanted to know the strength of the passwords in use. I’m choosing 20 random users to be able to compare the tests.
Back to the workstation I’ve talked about: I fire up John to crack the company’s password dump first. The result is disillusioning: after the first attempt, a dictionary attack, about half of the passwords are cracked. The other half was cracked by mutating those common passwords. After two hours the show was over and I had all 20 passwords in plaintext. Damn.
Slightly shocked, I started cracking the pwgen passwords, but the result is a different one – it’s still running:
Loaded 20 password hashes with 20 different salts (FreeBSD MD5 [32/32]) guesses: 0 time: 16:23:00:42 c/s: 970 trying: at6fcc
As you can see, John the Ripper has been crunching numbers for more than two weeks now without cracking a single password. That’s the brute-force way. I’ll try to redo the test with rainbow tables some time later, but that’s another topic…
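As an added illustration (not part of the original post), here is the arithmetic behind that status line: parse the elapsed time and c/s out of it and compare the candidates tried so far with the 62^8 keyspace of an 8-character alphanumeric password. It assumes that c/s counts hash computations and that every candidate is hashed once per distinct salt, so with 20 salts the candidate rate is c/s divided by 20.

```python
import re

# Copy of the John status line quoted in the post (constructed test input).
STATUS = ("Loaded 20 password hashes with 20 different salts (FreeBSD MD5 [32/32]) "
          "guesses: 0 time: 16:23:00:42 c/s: 970 trying: at6fcc")

ALNUM = 26 + 26 + 10   # upper, lower, digits: the character set of the 8-char passwords


def parse_status(line):
    """Extract salt count, elapsed time (D:HH:MM:SS) and c/s from a John status line."""
    m = re.search(r"(\d+) different salts.*?time: (\d+):(\d+):(\d+):(\d+) c/s: (\d+)", line)
    if not m:
        raise ValueError("unrecognised status line")
    salts, d, h, mi, s, cps = (int(x) for x in m.groups())
    return {"salts": salts, "elapsed_s": d * 86400 + h * 3600 + mi * 60 + s, "cps": cps}


def keyspace(charset_size, length):
    """Number of distinct passwords of the given length over the charset."""
    return charset_size ** length


def candidates_tested(status):
    # Assumption: c/s is crypts per second and each candidate costs one crypt
    # per distinct salt, so candidates per second = c/s / salts.
    return status["elapsed_s"] * status["cps"] // status["salts"]


def fraction_covered(charset_size, length, status):
    """Share of the full keyspace tried so far (upper bound for uniform search)."""
    return candidates_tested(status) / keyspace(charset_size, length)


def years_to_exhaust(charset_size, length, status):
    """Worst-case time to try every password at the observed rate, in years."""
    per_sec = status["cps"] / status["salts"]
    return keyspace(charset_size, length) / per_sec / (365 * 86400)


if __name__ == "__main__":
    st = parse_status(STATUS)
    print("candidates tried so far:", candidates_tested(st))
    print("fraction of 62^8 keyspace: %.2e" % fraction_covered(ALNUM, 8, st))
    print("years to exhaust keyspace: %.0f" % years_to_exhaust(ALNUM, 8, st))
```

For the numbers in the post this works out to roughly 71 million candidates after 16 days, well under a millionth of the keyspace, and on the order of 140,000 years to finish; the dictionary run succeeded in two hours only because its candidates came from a list, not from the full keyspace.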
Joe says:
Very interesting. I should do some testing of my own. I only need a good wordlist… Any tips to where these can be found?
Stargazer says:
I’ve used the one found on the jtr ftp site and added some lists I have found including a ton of default passwords from various systems…
iaindb says:
Nice.
And yet so many people still complain when I give them passwords looking like IO5Rugko. I wouldn’t be surprised if our entire user base of 30+ could be cracked in just a few hours too. Except mine of course, it’s 12345 (12345? That’s the kinda thing an idiot would have on his luggage!)
Anyway, here’s a nice bash one-liner to generate passwords for you when you have to set up new accounts and stuff:
for ((n=0;n<10;n++)); do dd if=/dev/urandom count=1 bs=8 2>/dev/null | uuencode -m - | tail -n 2 | head -n 1 | cut -c -8; done
HTH!
iaindb says:
OK, that one-liner got cut off, so here it is on multiple lines:
for ((n=0;n<10;n++)); do dd if=/dev/urandom count=1 bs=8 2>/dev/null \
| uuencode -m - | tail -n 2 \
| head -n 1 | cut -c -8; done
iaindb says:
*sigh* stripping out the html nasties:
for ((n=0;n<10;n++)); do dd if=/dev/urandom count=1 bs=8 2>/dev/null | uuencode -m - | tail -n 2 | head -n 1 | cut -c -8; done
Stargazer says:
Security itself is rarely the problem – again and again it is convenience that causes the problem…