As a matter of interest, has anyone on the list tried running John the Ripper on their password file? I just tried mine, and was rather alarmed! I have 3 users, me, my partner, and root. All 3 have passwords which are non-dictionary words, all have a mix of upper and lower case letters, and 2 of the three have numbers in them. John the Ripper has been running for 48 hours or so on my aging PIII-500 box, and has so far broken 2 of them! I suspect the third won't take too much longer, and on a faster box would have succumbed a long time ago. I thought my passwords were actually quite good ones. Clearly not. Hmmm...

--
"...our desktop is falling behind stability-wise and feature wise to KDE ...when I went to Mexico in December to the facility where we launched gnome, they had all switched to KDE3." - Miguel de Icaza, March 2003
On Mon, 2 Jun 2003 05:30 pm, Derek Fountain wrote:
> As a matter of interest, has anyone on the list tried running John the Ripper on their password file? I just tried mine, and was rather alarmed!
Had to do that a while ago using "crack" against 1200 crypted passwords. Got 10% immediately and almost 1/4 of them in a few days. Probably par for the course. We set crack-based password checking (it's instantaneous while you know the unencrypted string), loaded all the cracked passwords into the dictionary explicitly and set them to expire... Computing power is scary these days, always go into security and set MD5 encryption.

--
Michael James michael.james@csiro.au
System Administrator voice: 02 6246 5040
CSIRO Bioinformatics Facility fax: 02 6246 5166
On Mon, Jun 02, Michael.James@csiro.au wrote:
> On Mon, 2 Jun 2003 05:30 pm, Derek Fountain wrote:
> > As a matter of interest, has anyone on the list tried running John the Ripper on their password file? I just tried mine, and was rather alarmed!
> Had to do that a while ago using "crack" against 1200 crypted passwords. Got 10% immediately and almost 1/4 of them in a few days. Probably par for the course.
> We set crack-based password checking (it's instantaneous while you know the unencrypted string), loaded all the cracked passwords into the dictionary explicitly and set them to expire...
> Computing power is scary these days, always go into security and set MD5 encryption.
If you have SuSE-only systems, use blowfish with a high "crypt_rounds" number. That's better than MD5, because it really needs a lot of CPU power (look at /etc/security/{pam_pwcheck.conf,pam_unix2.conf}).

Thorsten

--
Thorsten Kukuk http://www.suse.de/~kukuk/ kukuk@suse.de
SuSE Linux AG Deutschherrnstr. 15-19 D-90429 Nuernberg
--------------------------------------------------------------------
Key fingerprint = A368 676B 5E1B 3E46 CFCE 2D97 F8FD 4E23 56C6 FB4B
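The point Thorsten makes is that a tunable rounds count makes every offline guess pay the same CPU cost as a legitimate login, and a hash with a single pass (classic crypt, MD5) does not. The following is an added example, not code from the thread or from SuSE's PAM modules: the blowfish-based crypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 stands in for it, and the `rounds$salt$digest` storage format, the function names and the benchmark password are this example's own constructions.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# PBKDF2-HMAC-SHA256 is used as a stand-in for the bcrypt/blowfish scheme the
# thread discusses; what matters here is the adjustable work factor (rounds),
# which both schemes share.


def hash_password(password: str, rounds: int, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record "rounds$salt$digest" (hex fields).

    Storing the rounds next to the hash lets the work factor be raised later
    without breaking verification of records written at the old setting.
    """
    if salt is None:
        salt = os.urandom(16)  # per-password random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"{rounds}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored rounds and salt, compare in constant time."""
    rounds_s, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(rounds_s)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def seconds_per_verify(rounds: int, samples: int = 3) -> float:
    """Average wall-clock cost of one verification at this rounds setting."""
    stored = hash_password("benchmark-only", rounds)  # constructed throwaway record
    start = time.perf_counter()
    for _ in range(samples):
        verify_password("benchmark-only", stored)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    # Constructed comparison: rounds=1 behaves like a single-pass hash, the
    # higher settings show how the per-guess cost for an offline attacker grows
    # in step with the cost of one legitimate login on the same hardware.
    for rounds in (1, 1_000, 100_000):
        cost = seconds_per_verify(rounds)
        print(f"rounds={rounds:>7}: {cost * 1000:9.3f} ms per check, "
              f"~{1 / cost:,.0f} checks/s on one core")
```

The printed checks-per-second figure is the ceiling for single-core guessing against one record; the rounds value is chosen so that a legitimate login stays tolerable while that ceiling drops by orders of magnitude, which is exactly the trade-off "crypt_rounds" exposes.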
On Mon, 2 Jun 2003, Derek Fountain wrote:
> As a matter of interest, has anyone on the list tried running John the Ripper on their password file? I just tried mine, and was rather alarmed!
A lot may depend on HOW John tries to crack the passwords. Username=password is detected immediately, even though the passwords may be a combination of case/letters/numbers. Then there are rules for cases and characters etc., which, john.ini says, are config dependent. My friend gave me a password [unencrypted] f1aeXced and it was not possible for my P-III 600 to crack it in three months. Uptime nearly 100%. So I guess we are well off mixing cases in alphabets and numbers in between.

John's algo seems to have steps like
1. username=password
2. only numbers
3. only letters - lowercase
4. ... .. . etc etc.
which is statistically generated based on what people choose to be their passwords, typically.

I did the same run for 3500+ passwords for the yppasswd file of 2500 students of IIT Bombay, India. Got 200+ on the same day. Total 350+ by the end of the week. And after that, I was lucky if I got two passwords every subsequent day. Chances are that if a password is not cracked soon enough, it may take really long to get cracked. But yes, it seems possible that all of them would be cracked in the END.

--
Rohit +9122 5692 2101
G9,Floor-1,Chandivali : SDE : TLSI : 9821394599@bplmobile.com

The information below is compulsorily added for non-mahindrabt recipients.
*********************************************************
Disclaimer
This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you should delete this message and are hereby notified that any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited.
*********************************************************
Visit us at http://www.mahindrabt.com
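Michael's remedy (check new passwords against the cracked list before accepting them) and Rohit's observation about the cheap early passes (username=password, digits only, single-case letters) describe the same defensive control: reject at set-password time what the first minutes of a cracking run would find anyway. Below is an added example of such a proactive checker, not code from the thread, crack or John: the cracked-word list is constructed, the names `check_password` and `normalize` are this example's own, and the "fold case, strip trailing digits" normalisation is a deliberately minimal stand-in for a cracker's mangling rules.

```python
import string

# Constructed stand-in for "all the cracked passwords loaded into the
# dictionary" after a crack/John run; in practice this is read from the
# cracker's output file.
CRACKED_PASSWORDS = {"password", "letmein", "qwerty", "sunshine"}


def normalize(candidate: str) -> str:
    """Minimal stand-in for a cracker's mangling rules (assumption of this
    example): fold case and drop trailing digits, so 'Password1' is looked
    up as 'password'."""
    return candidate.lower().rstrip(string.digits)


def check_password(username: str, password: str, cracked=CRACKED_PASSWORDS) -> list:
    """Return the reasons a candidate would fall to the cheap early passes
    described in the thread. An empty list means none of these rules fired;
    it does not mean the password is strong."""
    reasons = []
    low = password.lower()
    user = username.lower()
    if low in (user, user[::-1]):
        reasons.append("equals the username (or its reverse)")
    if password.isdigit():
        reasons.append("digits only")
    if password.isalpha() and (password.islower() or password.isupper()):
        reasons.append("single-case letters only")
    if normalize(password) in cracked:
        reasons.append("previously cracked word (possibly with trailing digits)")
    return reasons


if __name__ == "__main__":
    # Constructed candidates; the last one is the password Rohit reports as
    # uncracked after three months and passes every rule here.
    for user, pw in (("rohit", "Rohit"), ("alice", "12345678"),
                     ("bob", "Password1"), ("carol", "sunshine"), ("dave", "f1aeXced")):
        verdict = check_password(user, pw)
        print(f"{user:>6} / {pw:<10} -> {'rejected: ' + '; '.join(verdict) if verdict else 'accepted'}")
```

Wiring a checker like this into the set-password path (the role pam_pwcheck plays on the SuSE systems in the thread) is what turns a one-off audit into an ongoing control: the words that fell in Michael's run stay rejected for every future password change, not just expired once.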