Information Assurance
Spring 2003
Project 2
Password Security
In our discussion of authentication, we talked about passwords as the
most common mechanism for authentication. One weakness of passwords is
that they are subject to a dictionary attack. In this small project, we
will experiment with password attacks.
Part 1:
The first part of the project is to run a dictionary attack against a
Unix password file. A sample password file is here. This
file was created by me solely for the purpose of this assignment, and
is not the password file to any real-world site. If it were real, I
wouldn't post it. :)
In attacking this password file, you may use whatever tools you can
find and choose to use. Make sure that the tools you find are for Unix
systems - John the Ripper
is a sturdy tool, available for many systems. There are others out there
too - try different ones. Feel free to examine the cracking rules to
see if there are any you might add to improve the efficiency.
In running the attack, the only rule is this: if you run the password
cracker on a multi-user system, you may not allow it to run for more than
10 minutes. I expect the passwords in this file to be generally
hard to crack, and running the software for longer than 10 minutes will
only inconvenience others. If you run the attack on your own system,
you can run it for as long as you like. I encourage you to let it run
overnight if you can or even for a few days to see the benefits of
letting it run a long time.
Part 2:
Most of the password cracking software will give you an estimate of how
many encryptions it can try each second. Find this estimate. Once you
have it, use it to calculate the following:
a) Assuming that passwords of 1 to 8 characters are chosen from only
lower-case letters, how long would it take to search the entire password
space?
b) Assuming that passwords of 1 to 8 characters are chosen from
lower-case or upper-case letters, how long would it take to search the
entire password space?
c) Assuming that passwords of 8 characters are chosen from lower or
upper case letters and numerical digits, how long would it take to
search the entire password space?
d) Assuming that passwords of 8 characters are chosen from lower or
upper case letters, from a set of 32 punctuation marks, and
numerical digits, how long would it take to search the entire password
space?
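The estimate asked for in a) through d) can be set up as below; this is an added example, not part of the original assignment. ASSUMED_RATE is a constructed placeholder, not a measurement, and the function names are hypothetical; substitute the encryptions-per-second figure your cracker reports.

```python
# Exhaustive-search time for a password policy at a fixed guess rate.
# ASSUMED_RATE is a constructed placeholder; use your cracker's benchmark.
ASSUMED_RATE = 100_000  # guesses (encryptions) per second, assumed

def keyspace(alphabet_size, min_len, max_len):
    """Count every password whose length lies in [min_len, max_len]."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))

def search_seconds(alphabet_size, min_len, max_len, rate):
    """Worst-case seconds to try every candidate; the average is half."""
    return keyspace(alphabet_size, min_len, max_len) / rate

# Unit sizes in seconds; months and years use 30 and 365 days.
UNITS = [("years", 365 * 86400), ("months", 30 * 86400),
         ("weeks", 7 * 86400), ("days", 86400),
         ("hours", 3600), ("minutes", 60), ("seconds", 1)]

def humanize(seconds):
    """Express a duration in the largest unit that yields a value >= 1."""
    for name, size in UNITS:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.3f} seconds"

# (alphabet size, shortest length, longest length) for each question.
CASES = {
    "a": (26, 1, 8),                 # lower-case only, 1 to 8 characters
    "b": (26 + 26, 1, 8),            # lower and upper case, 1 to 8
    "c": (26 + 26 + 10, 8, 8),       # letters and digits, exactly 8
    "d": (26 + 26 + 10 + 32, 8, 8),  # plus 32 punctuation marks, exactly 8
}

def report(rate=ASSUMED_RATE):
    """Map each question label to its worst-case search time as text."""
    return {label: humanize(search_seconds(*spec, rate))
            for label, spec in CASES.items()}

if __name__ == "__main__":
    for label, text in report().items():
        size = keyspace(*CASES[label])
        print(f"{label}) {size:,} candidates, worst case {text}")
```

Because the 1-to-8 cases sum every shorter length as well, the longest length dominates: for a), the 8-character passwords alone are about 96% of the total.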
What to turn in:
For part 1, please turn in:
The name of the password cracker you used
Where you ran it
How long it ran
The list of passwords it cracked.
For part two, please turn in:
The number of encryptions per second you found
Estimates for time for parts a-d. Please convert to days, weeks,
months, and years as applicable.
Submission will be by e-mail to the instructor. The deadline is before
class on February 25th, 2003.