etftw, posted March 13, 2009

Edit: Just so no one else misunderstands, I am NOT asking for any malicious software that could actually be used to brute force actual systems.

Hello, I was just wondering if anyone knows of a tool which lets you enter a password which the program will then attempt to brute force against. Just fancied testing out the strength of some of my passwords against a brute force attack. Cheers :)

Sparda, posted March 13, 2009

When you change the master password in Firefox, Firefox tells you how strong it thinks it is.

lopez1364, posted March 13, 2009

Episode 3x09 tells of a password strength checker --> http://www.passwordmeter.com/

etftw (Author), posted March 13, 2009

> Episode 3x09 tells of a password strength checker --> http://www.passwordmeter.com/

Cheers, that is quite a handy website. I was looking more for an actual tool which will brute force against a string that I enter so I could see how long it would actually take someone to brute force my password. If no such tool exists I suppose I will just have to make it myself though, just thought I would save some time and see if anyone knew of one :)

Sparda, posted March 13, 2009

> Cheers, that is quite a handy website. I was looking more for an actual tool which will brute force against a string that I enter so I could see how long it would actually take someone to brute force my password. If no such tool exists I suppose I will just have to make it myself though, just thought I would save some time and see if anyone knew of one :)

It is possible to mathematically measure a password's resilience to brute forcing without wasting time actually brute forcing the password.

Destro, posted March 13, 2009

Here is a good place to start: http://rumkin.com/tools/password/passchk.php. Best chance is to google it, make the program yourself, or brute force it yourself. Good luck!

cheers, Destro

DingleBerries, posted March 13, 2009

Write one. AutoHotkey is the easiest to do it in. Find the window, set the user name and then run it against a string of words in a list. In all honesty you should really google before you ask because there are tons out there, but this forum isn't about that kind of "hacking".

etftw (Author), posted March 13, 2009

> Write one. AutoHotkey is the easiest to do it in. Find the window, set the user name and then run it against a string of words in a list. In all honesty you should really google before you ask because there are tons out there, but this forum isn't about that kind of "hacking".

I am not looking for a malicious program to brute force other people's applications / websites, I want a program that brute forces against itself just for demonstration purposes of how long it would take to actually brute force a secure / unsecure password.

Update: I have found a solution which gives an estimate of how long it would take a password to be brute forced ( http://lifehacker.com/5072112/check-your-p...e-force-attacks ). According to that spreadsheet it would take a total of 23,375,644 days to brute force my password if 100,000 machines were employed. It is rather comforting to know that fact :D

DingleBerries, posted March 13, 2009

Is that taking into consideration rainbow tables and the newer line of processors or GPUs?

etftw (Author), posted March 13, 2009

> Is that taking into consideration rainbow tables and the newer line of processors or GPUs?

Well, that is why I wanted to test my password in a practical situation, as I don't know what the creators of such password checkers consider to be safe or how they figure out such times.

Sparda, posted March 13, 2009

or even that order of testing the password will alter time of calculation. As well as the algorithm used.

etftw (Author), posted March 13, 2009

> or even that order of testing the password will alter time of calculation. As well as the algorithm used.

Sorry, I didn't understand that post. Did you mean even testing in a practical manner could still have different results depending on the algorithm the developer used?

And in case anyone is wondering why I want to try to crack my own password, it is because I am going to be carrying around a pen drive with me that has some very important documents. I have used TrueCrypt to encrypt the pen drive using AES and I am using a password that is over 20 characters and contains purely random characters, so in theory it is a very practical password, but I just wanted to see for myself how secure it really is.

shonen, posted March 14, 2009

Did you test your password strength against the USB switchblade?? =P My money is on the switch blade!

MBP, posted March 15, 2009

Just find out how many possible combinations there are in your pass and then divide it by the number of passwords you can crack per second. My old dual core 1.9 GHz used to do 20 passes a second and it took 5 days to brute force a rar with 8 characters.

etftw (Author), posted March 15, 2009

> Just find out how many possible combinations there are in your pass and then divide it by the number of passwords you can crack per second. My old dual core 1.9 GHz used to do 20 passes a second and it took 5 days to brute force a rar with 8 characters.

That is a much more efficient idea, not sure why I didn't think of doing that in the first place.

stingwray, posted March 15, 2009

Well, apart from choosing obviously weak passwords, the strength of a password is more dependent on how intelligent the person trying to crack it is. Obviously more powerful systems are useful, but with good heuristics you can dramatically reduce the amount of key space that you have to search. An example being if you know the password is greater than 5 characters long, then you know you don't need to check any passwords which are 5 characters or less in length. This is why, although strong password policies do increase password strength, it is also a little like Occam's razor, as any potential attacker can now reduce their key space.

The most interesting research is on how people actually pick their passwords and the frequency with which certain combinations and word mangling rules are used. Statistical analysis of this provides a large amount of information which you can then use to dramatically increase the chances of breaking a password.

A better way of analyzing the strength of a password is to look at the entropy of the password. Passwords which are very random will have the highest security (obviously with a sufficiently long length), so a good start will be a statistical analysis of your password, to see if there are any pairs of characters which are very common in the language of your password, e.g. 'th', 'st', 'ee' and 'oo' are all relatively common in English and for this reason should be avoided in your password. Even if you consider your password random, like '4IeeP%', a good cracker will prioritize checking possible passwords with common phrases in them first, making your password more likely to be found.

Also, given the ease of access to large amounts of computing power, through private networks or even botnets, checking large numbers of passwords is almost worryingly trivial for some now.

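Added example (not part of any post in this thread): the combinations-divided-by-rate estimate from MBP's post and the entropy, minimum-length and common-bigram checks from the post above, in Python. The four character classes, the function names and the rate of 20 guesses per second are assumptions for illustration; the time returned is an upper bound, because a guesser that tries likely candidates first finishes sooner.

```python
import math
import string

# Character classes used to size the alphabet an exhaustive search must cover.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation]
# Only the bigrams named in the post; a real checker would use a full
# language frequency table (assumption: this short list is illustrative).
COMMON_BIGRAMS = ("th", "st", "ee", "oo")

def alphabet_size(password):
    """Sum the sizes of every character class the password draws from."""
    size = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    # Characters outside the four classes (space, non-ASCII) count one each.
    extra = {ch for ch in password if not any(ch in c for c in CLASSES)}
    return size + len(extra)

def keyspace(password, min_len=1):
    """Number of candidates of length min_len..len(password)."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(min_len, len(password) + 1))

def entropy_bits(password):
    """Upper bound: assumes every character was picked uniformly at random."""
    return len(password) * math.log2(alphabet_size(password))

def seconds_to_exhaust(password, guesses_per_sec, min_len=1):
    """Worst-case exhaustive search time; the average case is about half."""
    return keyspace(password, min_len) / guesses_per_sec

def common_bigrams(password):
    """Return the common English bigrams that appear in the password."""
    lowered = password.lower()
    return [b for b in COMMON_BIGRAMS if b in lowered]

if __name__ == "__main__":
    sample = "4IeeP%"   # the example password from the post above
    rate = 20           # guesses per second, the figure quoted by MBP
    print(f"alphabet size  : {alphabet_size(sample)}")
    print(f"entropy bound  : {entropy_bits(sample):.1f} bits")
    print(f"keyspace       : {keyspace(sample):,}")
    # A known minimum length removes every shorter candidate from the search.
    print(f"keyspace, >= 6 : {keyspace(sample, min_len=6):,}")
    days = seconds_to_exhaust(sample, rate) / 86400
    print(f"worst case     : {days:,.0f} days at {rate} guesses/s")
    print(f"common bigrams : {common_bigrams(sample)}")
```
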
shonen, posted March 15, 2009

That's a really good write up Ray man, cheers

etftw (Author), posted March 15, 2009

> That's a really good write up Ray man, cheers

Agreed, that was very interesting :)

stingwray, posted March 15, 2009

This just popped into my inbox this morning via Bruce Schneier's Crypto-Gram newsletter, which if you're not reading you really need to start now. Gives a short but excellent overview of the recent PHPBB password bust and what analysis of the passwords found.