You know, I’m working as an IT administrator and I care about security. That’s why I’m worried about passwords too. So why not run some tests and see some interesting numbers? Let’s get to work.
Our tool of crime: a Linux box running a 400 MHz Xeon CPU, some RAM, a solid RAID and John the Ripper. According to the benchmark, we should be able to generate about 970 password hashes per second for cracking. I also got a huge wordlist of common passwords here.
I am creating 20 user accounts here with random passwords that look like a cat ran over my keyboard: numbers and letters, 8 characters. This is the hard part.
Another test will use a password dump donated by a company I know that wanted to know the strength of the passwords in use. I’m choosing 20 random users so the two tests can be compared.
Back at the workstation I talked about, I fire up John to crack the company’s password dump first. The result is disillusioning: after the first attempt, a dictionary attack, about half of the passwords are cracked. The other half was cracked by mutating those common passwords. After two hours the show was over and I had all 20 passwords in plaintext. Damn.
Slightly shocked I started cracking the pwgen passwords, but the result is a different one – it’s still running:
Loaded 20 password hashes with 20 different salts (FreeBSD MD5 [32/32]) guesses: 0 time: 16:23:00:42 c/s: 970 trying: at6fcc
As you can see, John the Ripper has been crunching numbers for more than two weeks now without cracking a single password. That’s the brute-force way. I’ll try to redo the test with rainbow tables some time later, but that’s another topic…
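To put the two results side by side, here is a small estimator I added (it is not part of the original post and not a John the Ripper tool). It takes the 970 c/s figure from the benchmark above and the 8-character alphanumeric policy used for the pwgen accounts, and works out how large the brute-force search space is, how long exhausting it would take at that rate, and how the 20 distinct salts reported by John multiply the work. The 62-character alphabet (a-z, A-Z, 0-9) and the dictionary sizes in the demo are my assumptions, not values from the post.

```python
import math
import string

# Hash rate reported by the post's John the Ripper benchmark (candidates per second)
JOHN_RATE_CPS = 970
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character classes used to estimate the alphabet an attacker must search
CHARSET_CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation,
}


def charset_size(password: str) -> int:
    """Size of the union of character classes present in the password.

    'aZ3' uses lower, upper and digits, so the attacker must search 26+26+10 = 62 symbols.
    """
    return sum(len(chars) for chars in CHARSET_CLASSES.values()
               if any(c in chars for c in password))


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates for a fixed-length password over the given alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password (what pwgen-style generation gives)."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(candidates: int, rate_cps: float, salts: int = 1) -> float:
    """Worst-case time to try every candidate against every distinct salt.

    With per-user salts (FreeBSD MD5 salts each hash), a candidate hashed for one
    user's salt says nothing about another user, so the work scales with `salts`.
    This is also why a single precomputed rainbow table does not apply to all users.
    """
    return candidates * salts / rate_cps


def years(seconds: float) -> float:
    return seconds / SECONDS_PER_YEAR


def brute_force_years(length: int = 8, alphabet_size: int = 62,
                      rate_cps: float = JOHN_RATE_CPS, salts: int = 1) -> float:
    """Years to exhaust the random-password keyspace at the post's hash rate."""
    return years(seconds_to_exhaust(keyspace(alphabet_size, length), rate_cps, salts))


def dictionary_hours(words: int, rules: int, rate_cps: float = JOHN_RATE_CPS,
                     salts: int = 1) -> float:
    """Hours for a wordlist attack: each word expanded by `rules` mangling variants."""
    return seconds_to_exhaust(words * rules, rate_cps, salts) / 3600


if __name__ == "__main__":
    # Constructed demo values; the post gives no wordlist or rule counts.
    print(f"8-char alphanumeric keyspace: {keyspace(62, 8):,} "
          f"({entropy_bits(62, 8):.1f} bits)")
    print(f"Exhaust it at {JOHN_RATE_CPS} c/s, one salt: "
          f"{brute_force_years():,.0f} years")
    print(f"Same search across 20 salted hashes: "
          f"{brute_force_years(salts=20):,.0f} years")
    print(f"100k-word list x 50 rules, 20 salts: "
          f"{dictionary_hours(100_000, 50, salts=20):.1f} hours")
```

The gap between the two tests is entirely in the size of the candidate set: a wordlist plus mangling rules is a few million guesses per salt, while 62^8 is over 2×10^14, which at 970 c/s is thousands of years even before the salts multiply it. Raising the hash cost (a slower scheme than MD5-crypt) or the password length moves both numbers, but only length and randomness rescue the dictionary case.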