NicholasVA Posted October 31, 2015

Hello, I want to test the strength of passwords. Assuming I have the password-cracking skills/tools of an average hacker, I want to turn the passwords into hashes and then try to crack them. This will give me a realistic picture of how strong they are.

My question is: How do I turn the passwords into hashes? Does it matter what hashing algorithm I use?

Thanks
Nicholas

Mr-Protocol Posted October 31, 2015

Well, if you just want a string of text to a hash you can do something like the following on Linux:

    echo "Words for password here" | md5sum

That will get you an MD5 sum. Or Google some online text / string to hash generators.

digininja Posted October 31, 2015

What type of hashes do you want to practice cracking? There is a big difference between working with md5s and bcrypt hashes.

And I'd add a -n to Mr P's command above, otherwise you are hashing the string with a new line on the end, but when cracking you usually assume there isn't one there.

NicholasVA Posted October 31, 2015

Thanks for the answers. I downloaded md5sum and also did some more googling and got a couple more utils. This should do it! :-)

Mr-Protocol Posted October 31, 2015

> What type of hashes do you want to practice cracking? There is a big difference between working with md5s and bcrypt hashes. And I'd add a -n to Mr P's command above otherwise you are hashing the string with a new line on the end but when cracking you usually assume there isn't one there.

Good call. It was a bit late for me to be responding to late night forum posts haha.

digininja Posted October 31, 2015

I've made the mistake in the past and hope never to repeat it.

NicholasVA Posted November 1, 2015

Quick update, with the help of the tools I created MD5 hashes for some "passwords". I then tried to crack them with John.

First problem is that John cannot figure out exactly the format, probably because these are not real OS-generated hashes. A workaround is to specify the format as "raw-md5". However I would prefer to make the hashes more "realistic". Is there a way to do this?

Second question: Is there a way to wipe out any info from previous John runs? I keep testing with the same hashes so I want John to "forget" that he has already cracked them.

Thanks! :-)

digininja Posted November 1, 2015

1. That's how it works. There is no difference between the hashes you've created and "real" hashes. An md5 hashed password from a bad application will be the same as yours.

2. Delete the john.pot file.

If you want to try creating other hashes, try sha1sum, used in the same way as md5sum, and if you are on Linux create a bunch of users on your system, set their passwords then use unshadow to create a password file to crack.

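The points raised in the posts above (the trailing newline that a plain echo adds, and using md5sum or sha1sum the same way) put together as an added example that is not part of any post. The function names, the `testN` labels and the sample passwords are constructed for illustration.

```sh
#!/bin/sh
# Added example: build practice hash lists from your own test passwords.

# Hash a string exactly as given, with no trailing newline, which is
# what an application hashing a submitted password would do.
# $1 = hashing tool (md5sum or sha1sum), $2 = password
hash_pw() {
    printf '%s' "$2" | "$1" | cut -d' ' -f1
}

# Same input plus the newline that a plain `echo` appends. The digest is
# completely different, so a cracker testing "password" never matches it.
hash_pw_newline() {
    printf '%s\n' "$2" | "$1" | cut -d' ' -f1
}

# Read passwords from stdin, one per line, and print "label:hash" lines.
# Raw MD5 carries no format marker, which is why the format has to be
# named explicitly (raw-md5 in the thread above).
# $1 = hashing tool
make_hash_list() {
    n=0
    while IFS= read -r pw || [ -n "$pw" ]; do
        [ -z "$pw" ] && continue        # skip blank lines
        n=$((n + 1))
        printf 'test%d:%s\n' "$n" "$(hash_pw "$1" "$pw")"
    done
}

# Constructed sample passwords for the demonstration.
sample_passwords() {
    printf '%s\n' 'password' 'asdfghjkl' 'coffeemug'
}

echo "without newline: $(hash_pw md5sum password)"
echo "with newline:    $(hash_pw_newline md5sum password)"
echo "--- MD5 list ---"
sample_passwords | make_hash_list md5sum
echo "--- SHA-1 list ---"
sample_passwords | make_hash_list sha1sum
```

Redirect either list to a file to get input for a cracking run; the two MD5 lines printed first show why the newline matters.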
Guest Posted November 2, 2015

Learning how to crack passwords is fun and probably good education. But IMO not a good way to decide if your password is strong.

Time it takes to crack your password depends on a number of factors: the resources you have available (processing power) and the settings you choose when using a cracking program. If you don't succeed in cracking a password, it doesn't mean it's safe from someone who makes other choices in settings or someone who has more resources, e.g. someone who has multiple computers combined to do this task, or maybe even has a botnet at his disposal.

Best way to make sure you're safe is by learning how to make a safe password (Google). These criteria have been developed by calculations that determine the improbability of it being cracked.

But yeah, it's more fun trying yourself.

dracunculoides Posted November 2, 2015

I'm dealing with this issue in a new duty my job has dumped on me. We run several public service answering points (PSAPs) which need to be secure for various reasons. We have two DSL lines to work with, so I put all wired traffic on one, using it for sensitive info (911 calls and dispatch info). The second is for wireless connections and is not as secure, but I didn't want to make it easy to guess the password. My answer was designed after trolling this forum and learning as much as possible: we employ a foreign character or two in the password (I prefer Thai).

My question is to you experts, is this really helping?

digininja Posted November 2, 2015

Having non-ASCII characters in a password would help against most dictionary attacks, however if you are in Thailand and someone creates a custom dictionary then you could still be at risk.

Guest Posted November 2, 2015

The more different char sets you use the longer it takes to crack (exponentially). Mixing it with Thai seems a great idea but I'm not an expert.

digininja Posted November 2, 2015

That assumes a basic incremental brute force. If you are running word lists then it doesn't increase the time at all.

Guest Posted November 2, 2015

I'm not sure I understand what you're saying. If my password is coffਗeemuੜg

Can you run a dictionary attack against that?

Edited November 2, 2015 by Guest

digininja Posted November 2, 2015

Yes, of course you can, it wouldn't be found but you can still run the list.

digininja Posted November 2, 2015

That is assuming the word you gave is a random bunch of characters and not a word in a language I don't recognise. And even if it is a random bunch of characters, if it is a common random bunch of characters then it may be in some lists. "asdfghjkl" is not a word but that will be in most password crackers' lists.

Guest Posted November 2, 2015

:D OK, I agree.

So Thai characters: great, but it only makes a difference if you use it as an ADDITIONAL character set, not as a substitute for other sets (although an attacker with no clue about what the password looks like is not likely to choose Thai characters to try).

But that's gonna make passwords hard to remember and use, which I wouldn't want to lay upon my users. Again, a lot of stuff has been written already about security vs convenience.

Edited November 2, 2015 by Guest

digininja Posted November 2, 2015

That sounds about right.

Looking at security vs usability, if you always add the Thai character to the end of the password and someone knows that pattern then it isn't adding that much security but it is easier to remember. If you generate a random string with Latin and Thai characters then that is likely to be very hard to crack but also very hard to remember.

Assess the security level required by what you are protecting and set something appropriate is the easiest advice. Actually doing that though can be quite hard.

Guest Posted November 2, 2015

And my password is not coffਗeemuੜg

dracunculoides Posted November 2, 2015

Thanks for the input and laughs. An added benefit to reading this board. I'm still learning and my goal is to never stop, leading me to believe this is a great career to be innovative and clever. Oddly enough I'm a cartographer, and since my bosses know I can spell "bash" this makes me the I.T. guy as well.

digininja Posted November 2, 2015

Hacking and maps, could be some interesting crossover.

Karit Posted November 4, 2015

Each country will have their standards and guides. For NZ we have the NZISM; its password section: http://www.gcsb.govt.nz/news/the-nz-information-security-manual/

For human passwords, 16.1.21.C.01: a minimum password length of ten characters, consisting of at least three of the following character sets:

- lowercase characters (a-z)
- uppercase characters (A-Z)
- digits (0-9)
- punctuation and special characters.

Really, length is the big thing; if you don't need to type it each time you log in, 32 or 64 characters using a mix of everything. And when generating, use a password generator.