Cracking passwords – a test

You know, I’m working as an IT administrator and I care about security. That’s why I’m worrying about passwords too. So why not running some tests to see some interesting numbers? Let’s get to work.

Our tool of crime: A linux box running a 400 MHz Xeon CPU, some RAM, a solid Raid and John The Ripper. Regarding the benchmark, we should be able to generate about 970 password hashes per second for cracking. I also got a huge wordlist of common passwords here.

I am creating 20 user accounts here having random passwords that look like a cat ran over my keyboard. Numbers and Letters, 8 Characters. This is the hard part.

Another test will use a password dump donated by a company I know who wanted to know the strength of their passwords used. I’m choosing 20 random users for being able to compare the tests.

Back to the workstation I’ve talked about, I fire up John for cracking the password dump of the company first. The is disillusioning: After the first attempt which is a dictionary attack, about half of the passwords are cracked. The other half was cracked by mutating those common passwords. After two hours the show was over and I got all the 20 passwords in plaintext. Damn.

Slightly shocked I started cracking the pwgen passwords, but the result is a different one – it’s still running:

Loaded 20 password hashes with 20 different salts (FreeBSD MD5 [32/32])
guesses: 0  time: 16:23:00:42  c/s: 970  trying: at6fcc

As you can see, John the ripper is crunching numbers for more than two weeks now without cracking a single password. That’s the bruteforce way. I’ll try to redo the test with rainbow tables later some time, but that’s another topic…


6 thoughts on “Cracking passwords – a test”

  • Very interesting. I should do some testing of my own. I only need a good wordlist… Any tips to where these can be found?

  • I’ve used the one found on the jtr ftp site and added some lists I have found including a ton of default passwords from various systems…

  • Nice.

    And yet so many people still complain when I give them passwords looking like IO5Rugko. I wouldn’t be surprised if our entire user base of 30+ could be cracked in just a few hours too. Except mine of course, it’s 12345 (12345? That’s the kinda thing an idiot would have on his luggage!)

    Anyway, here’s a nice bash one-liner to generate password for you when you have to set up new accounts and stuff:

    for ((n=0;n/dev/null | uuencode -m – | tail -n 2 | head -n 1 | cut -c -8; done


  • OK, that one-liner got cut off, so here it is on multiple lines:

    for ((n=0;n/dev/null \
    | uuencode -m – | tail -n 2 \
    | head -n 1 | cut -c -8; done

  • *sigh* stripping out the html nasties:

    for ((n=0;n<10;n++)); do dd if=/dev/urandom count=1 bs=8 2>/dev/null | uuencode -m – | tail -n 2 | head -n 1 | cut -c -8; done

Leave a Reply

Your email address will not be published. Required fields are marked *

Notify me of followup comments via e-mail. You can also subscribe without commenting.