# Information Assurance

## Clay Shields

### Information Assurance

In our discussion of authentication, we talked about password as the most common mechanism for authentication. One weakness of passwords is that they are subject to a dictionary attack. In this project, we will experiment with password attacks.

The first part of the project is to run a dictionary attack against a Unix password file. A sample password file is here. This file was created by me solely for the purpose of this assignment, and is not the password file to any real-world site. If it were real, I wouldn't post it. :) That being said, the passwords come from a real site, and are actual user passwords. All other information is made up.

In attacking this password file, you may use whatever tools you can find and choose to use. Make sure that the tools you find are for Unix systems - John the Ripper is a sturdy tool, available for many systems.

In running the attack, the only rule is this: if you run the password cracker on a multi-user system, you may not allow it to run for more than 10 minutes. I expect the passwords in this file to be generally hard to crack, and running the software for longer than 10 minutes will only inconvenience others. If you run the attack on your own system, you can run it for as long as you like. I encourage you to let it run overnight if you can or even for a few days to see the benefits of letting it run a long time.

Most of the password cracking software will give you an estimate of how many encryptions it can try each second. Find this estimate. Once you have it, use it to calculate the following. Make sure to show your work. Don't just write down numbers.

a) Assuming that passwords of 1 to 8 characters are chosen from only lower-case letters, how long would it take to seach the entire password space?

b) Assuming that passwords of 1 to 8 characters are chosen from lower-case or upper-case letters, how long would it take to seach the entire password space?

c) Assuming that passwords of 8 characters are chosen from lower or upper case letters and numerical digits, how long would it take to seach the entire password space?

d) Assuming that passwords of 8 characters are chosen from lower or upper case letters, from a set of 32 punctuation marks,  and numerical digits, how long would it take to seach the entire password space?

e) Look at how many passwords you found in the first 10 minutes of your run. Assuming you found passwords at that rate, how long would it take you to crack all the passwords provided?

f) Assume that the passwords you found in the first 10 minutes represent weak passwords. What proportion were weak? Assuming that Georgetown has 10,000 network users, how many of their passwords might be weak?

g) Assuming that passwords of 1 to 8 characters are chosen from only lower-case letters, how much storage space would it take to store all possible pre-computed passwords?

h) Assuming that passwords of 1 to 8 characters are chosen from lower-case or upper-case letters, how much storage space would it take to store all possible pre-computed passwords?

i) Assuming that passwords of 8 characters are chosen from lower or upper case letters and numerical digits, how much storage space would it take to store all possible pre-computed passwords?

j) Assuming that passwords of 8 characters are chosen from lower or upper case letters, from a set of 32 punctuation marks,  and numerical digits, how much storage space would it take to store all possible pre-computed passwords?

k) Now assume a two-character salt is added to the passwords, as described on page 86 of the text. Recompute each of the storage requirements in g-j above.

l) Go further. Try a variety of different password crackers. Find additional word dictionaries to use for input. Create additional testing rules. Describe the word sets and/or rules you used. How many more passwords were you able to crack?

m) Describe how you would organize the stored passwords in questions g to j above to be able to perform efficient lookups.

What to turn in:

The name of the password cracker you used
Where you ran it
How long it ran
The list of passwords it cracked.

The number of encryptions per second you found

For questions a-f , how long it would take to search the password space. Please convert to days, weeks, months, and years as applicable. SHOW YOUR WORK! Don't just write down numbers.

The appropriate estimates for space for parts g-j. Please convert to megabytes, gigabytes, and terabytes as needed. Again, SHOW YOUR WORK! Don't just write down numbers.

For part question l, a description of what else you did to crack additional passwords, and how effective each thing was.
For question m, describe the data structure and its storage overhead (that is, how much data if any is used for indexing rather than password storage).

Submission will be by e-mail to the instructor. The deadline is before class on February 22nd, 2007.