Testing Windows password strength

[NicholasVA]

Hello,

I want to test the strength of passwords. Assuming I have the password-cracking skills/tools of an average hacker, I want to turn the passwords into hashes and then try to crack them. This will give me a realistic picture of how strong they are.

My question is: How do I turn the passwords into hashes? Does it matter what hashing algorithm I use?

Thanks

Nicholas

[Mr-Protocol]

Well, if you just want a string of text to a hash you can do something like the following on linux:

echo "Words for password here" | md5sum

That will get you an MD5 sum.

or Google some online text / string to hash generators.

[digininja]

What type of hashes do you want to practice cracking? There is a big difference between working with md5s and bcrypt hashes.

And I'd add a -n to Mr P's command above otherwise you are hashing the string with a new line on the end but when cracking you usually assume there isn't one there.

[NicholasVA]

Thanks for the answers. I downloaded md5sum and also did some more googling and got a couple more utils. This should do it! :-)

[Mr-Protocol]

What type of hashes do you want to practice cracking? There is a big difference between working with md5s and bcrypt hashes.

And I'd add a -n to Mr P's command above otherwise you are hashing the string with a new line on the end but when cracking you usually assume there isn't one there.

Good call. It was a bit late for me to be responding to late night forum posts haha.

[digininja]

I've made the mistake in the past and hope never to repeat it.

[NicholasVA]

Quick update, with the help of the tools I created MD5 hashes for some "passwords". I then tried to crack them with John.

First problem is that John cannot figure out exactly the format probably because these are not real OS-generated hashes. A workaround is to specify the format as "raw-md5". However I would prefer to make the hashes more "realistic". Is there a way to do this?

Second question: Is there a way to wipe out any info from previous John runs? I keep testing with the same hashes so i want John to "forget" that he has already cracked them.

Thanks! :-)

[digininja]

1 that's how it works. There is no difference between the hashes you've created and "real" hashes. An md5 hashed password from a bad application will be the same as yours.

2 delete the john.pot file.

If you want to try creating other hashes, try sha1sum, used in the same way as md5sum, and if you are on Linux create a bunch of users on your system, set their passwords then use unshadow to create a password file to crack.

[Guest]

Learning how to crack passwords is fun and probably good education. But IMO not a good way to decide if your password is strong.

Time it takes to crack your password depends on a number of factors:the resources you have available (processing power) and the settings you choose when using a cracking program.

If you don't succeed in cracking a password, it doesn't mean it's safe from someone who makes other choices in settings or someone who has more resources, eg someone who has multiple computers combined to do this task, or maybe even has a botnet at his disposal.

Best way to make sure you're safe is by learning how to make a safe password (Google). These criteria have been developed by calculations that determine the improbability of it being cracked. But yeah it's more fun trying yourself.

[dracunculoides]

I'm dealing with this issue in a new duty my job has dumped on me. We run several public service answering points (psaps) which need to be secure for various reasons. We have two DSL lines to work with so I put all wired traffic on one using it for sensitive info (911 calls and dispatch info). The second is for wireless connections and is not as secure but I didn't want to make it easy to guess the password. My answer was designed after trolling this forum and learning as much as possible, we employ a foreign character or two in the password (i prefer Thai)

My question is to you experts, is this really helping?

[digininja]

Having non-ascii characters in a password would help against most dictionary attacks however if you are in Thialand and someone creates a custom dictionary then you could still be at risk.

[Guest]

The more different char sets you use the longer it takes to crack (exponentially). Mixing it with Thai seems a great idea but I'm not an expert.

[digininja]

That assumes a basic incremental brute force. If you are running word lists then it doesn't increase the time at all.

[Guest]

I'm not sure i understand what you're saying.

If my password is coffਗeemuੜg

Can you run a dictionary attack against that?

Edited November 2, 2015 by Guest

[digininja]

Yes, of course you can, it wouldn't be found but you can still run the list.

[digininja]

that is assuming the word you gave is a random bunch of characters and not a word in a language I don't recognise. And even if it is a random bunch of characters, if it is a common random bunch of characters then it may be in some lists.

"asdfghjkl" is not a word but that will be in most password crackers lists.

[Guest]

:D ok I agree

So Thai characters: great but it only makes difference if you use it as an ADDITIONAL character set, not as a substitute for other sets (although an attacker with no clue about what the password looks like it's not likely to choose Thai characters to try).

But that's gonna make hard to remember and use passwords what I wouldn't want to lay upon my users.

Again,lot of stuff has been written already about security vs convenience.

Edited November 2, 2015 by Guest

[digininja]

That sounds about right. Looking at security vs usability, if you always add the Thai character to the end of the password and someone knows that pattern then it isn't adding that much security but it is easier to remember. If you generate a random string with Latin and Thai characters then that is likely to be very hard to crack but also very hard to remember.

Assess the security level required by what you are protecting and set something appropriate is the easiest advice. Actually doing that though can be quite hard.

[Guest]

And my password is not coffਗeemuੜg

[dracunculoides]

Thanks for the input and laughs. An added benefit to reading this board. I'm still learning and my goal is to never stop, leading me to believe this is a great career to be innovative and clever. Oddly enough I'm a cartographer and since my bosses know I can spell "bash" this makes me the I.t. guy as well

[digininja]

Hacking and maps, could be some interesting cross over.

[Karit]

Each counry will have their standards and guides.

For NZ we have the NZISM its password seciton

http://www.gcsb.govt.nz/news/the-nz-information-security-manual/

For human passwords

16.1.21.C.01

a minimum password length of ten characters, consisting of at least three of the following character sets:
lowercase characters (a-z)
uppercase characters (A-Z)
digits (0-9)
punctuation and special characters.

Really length is the big the thing if don't need to type it each time you login 32 or 64 characters using a mix of everything. And when generating use a password generator.