Jump to content

Testing Windows password strength


NicholasVA
 Share

Recommended Posts

Hello,

I want to test the strength of passwords. Assuming I have the password-cracking skills/tools of an average hacker, I want to turn the passwords into hashes and then try to crack them. This will give me a realistic picture of how strong they are.

My question is: How do I turn the passwords into hashes? Does it matter what hashing algorithm I use?

Thanks

Nicholas

Link to comment
Share on other sites

What type of hashes do you want to practice cracking? There is a big difference between working with md5s and bcrypt hashes.

And I'd add a -n to Mr P's command above otherwise you are hashing the string with a new line on the end but when cracking you usually assume there isn't one there.

Link to comment
Share on other sites

What type of hashes do you want to practice cracking? There is a big difference between working with md5s and bcrypt hashes.

And I'd add a -n to Mr P's command above otherwise you are hashing the string with a new line on the end but when cracking you usually assume there isn't one there.

Good call. It was a bit late for me to be responding to late night forum posts haha.

Link to comment
Share on other sites

Quick update, with the help of the tools I created MD5 hashes for some "passwords". I then tried to crack them with John.

First problem is that John cannot figure out exactly the format probably because these are not real OS-generated hashes. A workaround is to specify the format as "raw-md5". However I would prefer to make the hashes more "realistic". Is there a way to do this?

Second question: Is there a way to wipe out any info from previous John runs? I keep testing with the same hashes so i want John to "forget" that he has already cracked them.

Thanks! :-)

Link to comment
Share on other sites

1 that's how it works. There is no difference between the hashes you've created and "real" hashes. An md5 hashed password from a bad application will be the same as yours.

2 delete the john.pot file.

If you want to try creating other hashes, try sha1sum, used in the same way as md5sum, and if you are on Linux create a bunch of users on your system, set their passwords then use unshadow to create a password file to crack.

Link to comment
Share on other sites

Learning how to crack passwords is fun and probably good education. But IMO not a good way to decide if your password is strong.

Time it takes to crack your password depends on a number of factors:the resources you have available (processing power) and the settings you choose when using a cracking program.

If you don't succeed in cracking a password, it doesn't mean it's safe from someone who makes other choices in settings or someone who has more resources, eg someone who has multiple computers combined to do this task, or maybe even has a botnet at his disposal.

Best way to make sure you're safe is by learning how to make a safe password (Google). These criteria have been developed by calculations that determine the improbability of it being cracked. But yeah it's more fun trying yourself.

Link to comment
Share on other sites

I'm dealing with this issue in a new duty my job has dumped on me. We run several public service answering points (psaps) which need to be secure for various reasons. We have two DSL lines to work with so I put all wired traffic on one using it for sensitive info (911 calls and dispatch info). The second is for wireless connections and is not as secure but I didn't want to make it easy to guess the password. My answer was designed after trolling this forum and learning as much as possible, we employ a foreign character or two in the password (i prefer Thai)

My question is to you experts, is this really helping?

Link to comment
Share on other sites

I'm not sure i understand what you're saying.

If my password is coffਗeemuੜg

Can you run a dictionary attack against that?

Edited by Guest
Link to comment
Share on other sites

that is assuming the word you gave is a random bunch of characters and not a word in a language I don't recognise. And even if it is a random bunch of characters, if it is a common random bunch of characters then it may be in some lists.

"asdfghjkl" is not a word but that will be in most password crackers lists.

Link to comment
Share on other sites

:D ok I agree

So Thai characters: great but it only makes difference if you use it as an ADDITIONAL character set, not as a substitute for other sets (although an attacker with no clue about what the password looks like it's not likely to choose Thai characters to try).

But that's gonna make hard to remember and use passwords what I wouldn't want to lay upon my users.

Again,lot of stuff has been written already about security vs convenience.

Edited by Guest
Link to comment
Share on other sites

That sounds about right. Looking at security vs usability, if you always add the Thai character to the end of the password and someone knows that pattern then it isn't adding that much security but it is easier to remember. If you generate a random string with Latin and Thai characters then that is likely to be very hard to crack but also very hard to remember.

Assess the security level required by what you are protecting and set something appropriate is the easiest advice. Actually doing that though can be quite hard.

Link to comment
Share on other sites

Each counry will have their standards and guides.

For NZ we have the NZISM its password seciton

http://www.gcsb.govt.nz/news/the-nz-information-security-manual/

For human passwords

16.1.21.C.01

a minimum password length of ten characters, consisting of at least three of the following character sets:
lowercase characters (a-z)
uppercase characters (A-Z)
digits (0-9)
punctuation and special characters.

Really length is the big the thing if don't need to type it each time you login 32 or 64 characters using a mix of everything. And when generating use a password generator.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...