Information Assurance

Clay Shields


front | classes | research | personal | contact

Information Assurance

back to projects page

In our discussion of authentication, we talked about password as the most common mechanism for authentication. One weakness of passwords is that they are subject to a dictionary attack. In this project, we will experiment with password attacks.

Vegetables (B-level work):

The first part of the project is to run a dictionary attack against a Unix password file. A sample password file is here. This file was created by me solely for the purpose of this assignment, and is not the password file to any real-world site. If it were real, I wouldn't post it. :)

In attacking this password file, you may use whatever tools you can find and choose to use. Make sure that the tools you find are for Unix systems - John the Ripper is a sturdy tool, available for many systems.

In running the attack, the only rule is this: if you run the password cracker on a multi-user system, you may not allow it to run for more than 10 minutes. I expect the passwords in this file to be generally hard to crack, and running the software for longer than 10 minutes will only inconvenience others. If you run the attack on your own system, you can run it for as long as you like. I encourage you to let it run overnight if you can or even for a few days to see the benefits of letting it run a long time.

Most of the password cracking software will give you an estimate of how many encryptions it can try each second. Find this estimate. Once you have it, use it to calculate the following:

a) Assuming that passwords of 1 to 8 characters are chosen from only lower-case letters, how long would it take to seach the entire password space?

b) Assuming that passwords of 1 to 8 characters are chosen from lower-case or upper-case letters, how long would it take to seach the entire password space?

c) Assuming that passwords of 8 characters are chosen from lower or upper case letters and numerical digits, how long would it take to seach the entire password space?

d) Assuming that passwords of 8 characters are chosen from lower or upper case letters, from a set of 32 punctuation marks,  and numerical digits, how long would it take to seach the entire password space?

e) Look at how many passwords you found in the first 10 minutes of your run. Assuming you found passwords at that rate, how long would it take you to crack all the passwords provided?

f) Assume that the passwords you found in the first 10 minutes represent weak passwords. What proportion were weak? Assuming that Georgetown has 10,000 network users, how many of their passwords might be weak?

Cake (A-level work):

Answer each of the questions below:
a) Assuming that passwords of 1 to 8 characters are chosen from only lower-case letters, how much storage space would it take to store all possible pre-computed passwords?

b) Assuming that passwords of 1 to 8 characters are chosen from lower-case or upper-case letters, how much storage space would it take to store all possible pre-computed passwords?

c) Assuming that passwords of 8 characters are chosen from lower or upper case letters and numerical digits, how much storage space would it take to store all possible pre-computed passwords?

d) Assuming that passwords of 8 characters are chosen from lower or upper case letters, from a set of 32 punctuation marks,  and numerical digits, how much storage space would it take to store all possible pre-computed passwords?

e) Now assume a two-character salt is added to the passwords, as described on page 86 of the text. Recompute each of the storage requirements in a-d above.

Icing (Bonus!):

a) Try a variety of different password crackers. Find additional word dictionaries to use for input. Create additional testing rules. How many more passwords were you able to crack?

b) Describe how you would organize the stored passwords above to be able to perform efficient lookups.

c) Provide estimates of how much the storage space for each the answers in the Cake section would cost.

What to turn in:

For the Vegetables, please turn in:

The name of the password cracker you used
Where you ran it
How long it ran
The list of passwords it cracked.

The number of encryptions per second you found

Estimates for time for parts a-d. Please convert to days, weeks, months, and years as applicable. SHOW YOUR WORK! Don't just write down numbers.

For the Cake section, please turn in:

The appropriate estimates for space for parts a-d. Please convert to megabytes, gigabytes, and terabytes as needed. Again, SHOW YOUR WORK! Don't just write down numbers.

For the Icing section, please turn in:

For part a, a description of what else you did to crack additional passwords, and how effective each thing was.
For part b and c, answers as appropriate, supported by real data for prices as needed.

Submission will be by e-mail to the instructor. The deadline is before class on February 12th, 2004.