Information Assurance

Clay Shields


front | classes | research | personal | contact

Information Assurance

back to projects page

In our discussion of authentication, we talked about password as the most common mechanism for authentication. One weakness of passwords is that they are subject to a dictionary attack. In this project, we will experiment with password attacks.

The first part of the project is to run a dictionary attack against a Unix password file. A sample password file is here. This file was created by me solely for the purpose of this assignment, and is not the password file to any real-world site. If it were real, I wouldn't post it. :) That being said, the passwords come from a real site, and are actual user passwords. All other information is made up.

In attacking this password file, you may use whatever tools you can find and choose to use. Make sure that the tools you find are for Unix system passwords - John the Ripper is a sturdy tool, available for many systems.

In running the attack, the only rule is this: if you run the password cracker on a multi-user system, you may not allow it to run for more than 10 minutes. This rule applies to running crackers on ia-class. I expect the passwords in this file to be generally hard to crack, and running the software for longer than 10 minutes will only inconvenience others. If you run the attack on your own system, you can run it for as long as you like. I encourage you to let it run overnight if you can or even for a few days to see the benefits of letting it run a long time.

Most of the password cracking software will give you an estimate of how many encryptions it can try each second (on John the Ripper, hitting the space bar does this). Find this estimate.Once you have it, use it to calculate the following. Make sure to show your work. Don't just write down numbers.

Password Cracking

a) Assuming that passwords of 1 to 8 characters are chosen from only lower-case letters, how long would it take to seach the entire password space?

b) Assuming that passwords of 1 to 8 characters are chosen from lower-case or upper-case letters, how long would it take to seach the entire password space?

c) Assuming that passwords of 8 characters are chosen from lower or upper case letters and numerical digits, how long would it take to seach the entire password space?

d) Assuming that passwords of 8 characters are chosen from lower or upper case letters, from a set of 32 punctuation marks,  and numerical digits, how long would it take to seach the entire password space?

e) Look at how many passwords you found in the first 10 minutes of your run. Assuming you found passwords at that rate, how long would it take you to crack all the passwords provided?

f) Assume that the passwords you found in the first 10 minutes represent weak passwords. What proportion were weak? Assuming that Georgetown has 10,000 network users, how many of their passwords might be weak?

Pre-computing Passwords

g) Assuming that passwords of 1 to 8 characters are chosen from only lower-case letters, how much storage space would it take to store all possible pre-computed passwords? Notice that the password format in the file has a defined size, and that encrypted passwords are all this size plus two characters for the salt. See page 86 of the text for information on the Unix password format. Don't forget any end-of-string markers if you need them!

h) Assuming that passwords of 1 to 8 characters are chosen from lower-case or upper-case letters, how much storage space would it take to store all possible pre-computed passwords?

i) Assuming that passwords of 8 characters are chosen from lower or upper case letters and numerical digits, how much storage space would it take to store all possible pre-computed passwords?

j) Assuming that passwords of 8 characters are chosen from lower or upper case letters, from a set of 32 punctuation marks,  and numerical digits, how much storage space would it take to store all possible pre-computed passwords?

k) Now assume a two-character salt is added to the passwords, as described on page 86 of the text. Recompute each of the storage requirements in g-j above.

l) Describe how you would organize the stored passwords in questions g to j above to be able to perform efficient lookups. Specifically, given the sizes you computed, how do you store and search these pre-computed passwords?

Password to Key Mappings

m) Assuming that passwords of 1 to 8 characters are chosen from only lower-case letters, what proportion of a 128 bit key space would be covered? (To find this, you will need to determine how many possible password there are, and compare this to the number of possible values in 2128).

n) Assuming that passwords of 1 to 8 characters are chosen from lower-case or upper-case letters, what proportion of a 128 bit key space is covered?

o) Assuming that passwords of 8 characters are chosen from lower or upper case letters and numerical digits, what proportion of a 128 bit key space is covered

p) Assuming that passwords of 8 characters are chosen from lower or upper case letters, from a set of 32 punctuation marks,  and numerical digits, what proportion of a 128 bit key space is covered?

q) Bonus opportunity: Try a variety of different password crackers. Find additional word dictionaries to use for input. Create additional testing rules. Describe the word sets and/or rules you used. How many more passwords were you able to crack?


What to turn in:

Please turn in:

The name of the password cracker you used
Where you ran it
How long it ran
The list of passwords it cracked.

The number of encryptions per second you found

For questions a-f , how long it would take to search the password space. Please convert to days, weeks, months, and years as applicable. SHOW YOUR WORK! Don't just write down numbers.

The appropriate estimates for space for parts g-j. Please convert to megabytes, gigabytes, and terabytes as needed. Again, SHOW YOUR WORK! Don't just write down numbers.

For question l, describe the data structure and its storage overhead (that is, how much data if any is used for indexing rather than password storage).
The proportion of the keyspace covered for questions m-p. Show your work, of course.
For part question q, a description of what else you did to crack additional passwords, and how effective each thing was.

Submission will be by e-mail to the instructor. The deadline is before class on October 6th, 2009.