[Klug-general] password testing/cracking

Karl Buckland buckland.karl at gmail.com
Mon Mar 25 13:48:44 UTC 2013


MD5 passwords are only particularly easy to crack because the hashing
algorithm is extremely fast and usually they aren't salted. This means you
can generate a rainbow table of hashes and then simply match up.

Are you trying to ascertain what makes a secure password, or are you trying
to ascertain what makes a secure login system?

As a web developer I recommend using a complicated and slow password
encryption scheme, such as bcrypt. On top of that, each password should
have its own salt. And on top of that, any login system should disable a
user's account after a set number of failed logins.

As for user passwords, I would recommend at least 8 characters and the
standard set of uppercase, lowercase, numeric and special characters.
Ideally, you should use a password manager instead and use long,
complicated (effectively impossible to remember) passwords.

Karl


On 25 March 2013 13:01, james morris <jwm.art.net at gmail.com> wrote:

> (sorry for previous attempt, forgot list doesn't allow attachments)
>
> read an article about password cracking this morning:
>
> http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/3/
>
> and being curious decided to try my own passwords. it only seemed to
> crack the first word of two (nor the two digit number at end) in my
> weakest password.
>
> then i was curious about long passwords made entirely of words such as:
>
> longpassworddifficulttocrack
>
> my tests don't crack that, nor even crackmenow or hardtocrack.
>
> i'm using the rockyou.txt word list, and only encoding the passwords
> as MD5 so expected better results than this.
>
> here's a bash script to automate password testing to some degree:
> https://github.com/jwm-art-net/password_tester
>
> it starts with a file of unencoded passwords one per line, runs md5sum
> on them, then tries to crack the md5s.
>
> any tips for making the cracking effort more robust appreciated!
> cheers,
> james
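The three recommendations in Karl's reply (a slow hash, a salt per password, and disabling an account after a set number of failed logins), sketched as an added example that is not part of the original thread. PBKDF2 from Python's standard library stands in for bcrypt here; the iteration count, lockout threshold and names such as `LoginStore` are assumptions.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 3      # assumed lockout threshold
ITERATIONS = 200_000  # assumed work factor; PBKDF2 is a stand-in for bcrypt

def md5_unsalted(password):
    """Fast, unsalted digest: equal passwords always give equal hashes."""
    return hashlib.md5(password.encode()).hexdigest()

def slow_hash(password, salt=None):
    """Slow, salted hash. A fresh random salt is drawn for each new password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

class LoginStore:
    def __init__(self):
        self.users = {}     # name -> (salt, digest)
        self.failures = {}  # name -> consecutive failed logins

    def register(self, name, password):
        self.users[name] = slow_hash(password)
        self.failures[name] = 0

    def login(self, name, password):
        """Return 'ok', 'denied' or 'locked'."""
        if name not in self.users:
            return "denied"
        if self.failures[name] >= MAX_FAILURES:
            return "locked"  # stays disabled even for the right password
        salt, stored = self.users[name]
        _, candidate = slow_hash(password, salt)
        if hmac.compare_digest(candidate, stored):  # constant-time compare
            self.failures[name] = 0
            return "ok"
        self.failures[name] += 1
        return "locked" if self.failures[name] >= MAX_FAILURES else "denied"

def demo():
    """Constructed sample: two accounts that chose the same password."""
    store = LoginStore()
    md5s = {}
    for name in ("alice", "bob"):
        store.register(name, "crackmenow")
        md5s[name] = md5_unsalted("crackmenow")
    return md5s, store
```

With unsalted MD5 both accounts store the same digest, so one precomputed table covers every user; with a per-password salt the stored values differ and each has to be attacked separately at the slow hash's cost.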