[Klug-general] password testing/cracking

james morris jwm.art.net at gmail.com
Mon Mar 25 23:00:17 UTC 2013


On 25 March 2013 13:48, Karl Buckland <buckland.karl at gmail.com> wrote:
> MD5 passwords are only particularly easy to crack because the hashing
> algorithm is extremely fast and usually they aren't salted. This means you
> can generate a rainbow table of hashes and then simply match up.
>
> Are you trying to ascertain what makes a secure password, or are you trying
> to ascertain what makes a secure login system?

More trying to _show_ insecure passwords, and secure passwords. My
reasoning for using MD5 was that if hashcat fails to crack a password
hashed using MD5, it's going to be secure. For instance, passwords
stored in /etc/shadow are hashed using SHA512 (as well as salted).

> As a web developer I recommend using a complicated and slow password
> encryption scheme, such as bcrypt. On top of that, each password should have
> its own salt. And on top of that, any login system should disable a user's
> account after a set number of failed logins.
>
> As for user passwords, I would recommend at least 8 characters and the
> standard set of uppercase, lowercase, numeric and special characters.
> Ideally, you should use a password manager instead and use long, complicated
> (effectively impossible to remember) passwords.

But I think for many non-technical people, difficult to remember
passwords are a real problem. I wanted to experiment with much longer,
but easy to remember passwords, looking at how difficult they were to
crack. For instance, lines from poems or novels etc. I know using
words straight out the dictionary is frowned upon to say the least,
but this is where the length comes in. The very name of the term
"password" suggests brevity.

I wanted to compare the security of long easy to remember passwords
(minimum 15 characters) with shorter difficult to remember passwords.
The article I linked to says the time taken to crack a hashed password
increases exponentially with each character so the theory is that easy
to remember passwords can be secure if they are long enough.



>
> Karl
>
>
> On 25 March 2013 13:01, james morris <jwm.art.net at gmail.com> wrote:
>>
>> (sorry for previous attempt, forgot list doesn't allow attachments)
>>
>> read an article about password cracking this morning:
>>
>> http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/3/
>>
>> and being curious decided to try my own passwords. it only seemed to
>> crack the first word of two (nor the two digit number at end) in my
>> weakest password.
>>
>> then i was curious about long passwords made entirely of words such as:
>>
>> longpassworddifficulttocrack
>>
>> my tests don't crack that, nor even crackmenow or hardtocrack.
>>
>> i'm using the rockyou.txt word list, and only encoding the passwords
>> as MD5 so expected better results than this.
>>
>> here's a bash script to automate password testing to some degree:
>> https://github.com/jwm-art-net/password_tester
>>
>> it starts with a file of unencoded passwords one per line, runs md5sum
>> on them, then tries to crack the md5s.
>>
>> any tips for making the cracking effort more robust appreciated!
>> cheers,
>> james
>>
>> _______________________________________________
>> Kent mailing list
>> Kent at mailman.lug.org.uk
>> https://mailman.lug.org.uk/mailman/listinfo/kent
>
>
>
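A worked comparison of the search spaces discussed in this thread (an 8-character mixed-charset password versus a long all-lowercase passphrase), added here as an example; it is not code from the thread or from the password_tester script. The hash rate and the dictionary size are assumptions chosen for illustration, and the "dictionary words" model is a combinator-style attack that guesses the passphrase as concatenated words rather than character by character.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_space(length, charset_size):
    """Guesses needed to exhaust every string of `length` symbols from a charset."""
    return charset_size ** length


def wordlist_space(num_words, dict_size):
    """Guesses needed when the attacker models the password as `num_words`
    dictionary words concatenated from a list of `dict_size` words."""
    return dict_size ** num_words


def bits(space):
    """Search space expressed as bits (log2 of the number of candidates)."""
    return math.log2(space)


def years_to_exhaust(space, hashes_per_second):
    """Worst-case time to try every candidate at a fixed hash rate (unsalted,
    fast hash such as MD5: every guess costs one hash)."""
    return space / hashes_per_second / SECONDS_PER_YEAR


def compare(rate=5e9, dict_size=100_000):
    """Return {case: (bits, years)} for the password styles debated in the thread.

    `rate` (hashes/s) and `dict_size` are assumed values, not measurements.
    """
    cases = {
        "8 random chars, 94-symbol set": charset_space(8, 94),
        "crackmenow, brute force (10 lowercase)": charset_space(10, 26),
        "crackmenow, as 3 dictionary words": wordlist_space(3, dict_size),
        "28 lowercase chars, brute force": charset_space(28, 26),
        "28-char passphrase, as 4 dictionary words": wordlist_space(4, dict_size),
    }
    return {name: (round(bits(space), 1), years_to_exhaust(space, rate))
            for name, space in cases.items()}


if __name__ == "__main__":
    for name, (b, years) in compare().items():
        print(f"{name:45s} {b:6.1f} bits  {years:12.3g} years")
```

The word-based model is the one that matters for a passphrase made of dictionary words: three common words are roughly on par with an 8-character random password, while four words still come out well ahead, which is the length effect the thread is getting at.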
