Surprisingly short passwords that John The Ripper doesn't find quickly
John the Ripper is a "password cracking software". It should not be mistaken for a safety tool, or software to evaluate password strength. While it definitely will find some weak passwords quickly, it might fail to guess others (at least when using the default configuration as shown below). Incidentally, this is not john's fault. The strength of passwords depends on a lot of circumstances. We can't consider them all.
Occasionally, I use john to look for weak passwords. Fortunately, my users are well trained ;-) but passwords could get accidentally reset to the empty string or the login name or similar. To my mind, john is especially useful here as it can find these quickly.
After the last check, I was surprised that john didn't find a password that I happened to know: 7 characters long, no numbers, no special characters, 2 caps. I thought it was rather weak by modern standards.
Here is the log of a "debugging" session that IMHO illustrates the problem quite well. I am running john 1.7.8 from Debian Wheezy on a 64-bit Debian Squeeze on an old Intel Core i7.
First I am creating an example file passwords with login credentials:

    $ echo "user0:$(openssl passwd -1 "user0"):1:1:New Example:" >passwords
    $ echo "user1:$(openssl passwd -1 "newexample"):1:1:New Example:" >>passwords
    $ echo "user2:$(openssl passwd -1 "newexamplE"):1:1:New Example:" >>passwords
    $ echo "user3:$(openssl passwd -1 "new example"):1:1:New Example:" >>passwords
    $ echo "user4:$(openssl passwd -1 "newexAMple"):1:1:New Example:" >>passwords
    $ echo "user5:$(openssl passwd -1 "newexAmple"):1:1:New Example:" >>passwords
    $ echo "user6:$(openssl passwd -1 ""):1:1:New Example:" >>passwords
    $ echo "user7:$(openssl passwd -1 " "):1:1:New Example:" >>passwords
    $ echo "user8:$(openssl passwd -1 "asdf"):1:1:New Example:" >>passwords
    $ echo "user9:$(openssl passwd -1 "kdnwir"):1:1:New Example:" >>passwords

john's "single crack" mode uses what we have in the passwords file itself:

    $ /usr/sbin/john --single passwords
    Created directory: /home/schamane/.john
    Loaded 10 password hashes with 10 different salts (FreeBSD MD5 [32/64 X2])
    user0 (user0)
    newexample (user1)
    newexamplE (user2)
    new example (user3)
    newexAmple (user5)
    guesses: 5 time: 0:00:00:04 100% c/s: 15087 trying: examplenew1900 - enew1900
    Use the "--show" option to display all of the cracked passwords reliably

So, the apparent ones are found. user4 with a password with 2 consecutive caps is not found. Neither are the empty password, the single space, nor the trivially short ones. That's quite a bummer. At least for me, because I thought that "single mode" at least also tries the empty password.
Now, let's try again with a very good dictionary ;-)

    $ rm -r ~/.john
    $ echo new >dict ; echo example >>dict
    $ /usr/sbin/john --wordlist=dict --rules passwords
    Created directory: /home/schamane/.john
    Loaded 10 password hashes with 10 different salts (FreeBSD MD5 [32/64 X2])
    guesses: 0 time: 0:00:00:00 100% c/s: 1980 trying: Exampling

Nothing! So, let's make it easier!

    $ rm -r ~/.john
    $ echo "new example" >dict
    $ /usr/sbin/john --wordlist=dict --rules passwords
    Created directory: /home/schamane/.john
    Loaded 10 password hashes with 10 different salts (FreeBSD MD5 [32/64 X2])
    new example (user3)
    newexample (user1)
    guesses: 2 time: 0:00:00:00 100% c/s: 126 trying: newexample
    Use the "--show" option to display all of the cracked passwords reliably

Better, but still almost nothing, especially if we consider the fact that dictionaries generally do not feature word pairs.
The reason is a lack of rules. Many interesting rules in the Debian configuration file are set only for "single mode", not for "wordlist mode". They are not applied with --wordlist=... --rules. BTW, one can get a list of processed words with

    $ /usr/sbin/john --wordlist=dict --rules --stdout | /usr/sbin/unique mangled.lst

Have a look at mangled.lst and check what your rules produce.
Running john with defaults, i.e. all 3 modes: single, wordlist, incremental (brute-force).

    $ rm -r ~/.john
    $ timeout 600 /usr/sbin/john passwords
    Created directory: /home/schamane/.john
    Loaded 10 password hashes with 10 different salts (FreeBSD MD5 [32/64 X2])
    user0 (user0)
    newexample (user1)
    newexamplE (user2)
    new example (user3)
    newexAmple (user5)
    (user6)
    asdf (user8)
    (user7)
    guesses: 8 time: 0:00:10:00 (3) c/s: 15932 trying: 48802209 - 48802263
    Use the "--show" option to display all of the cracked passwords reliably
    Session aborted

These 8 guesses are found within a very short time; however, most of them are just found because our test users used their name as passwords. And 10 minutes are not enough to find a 6-letter, all-lowercase random password.
That's understandable. However, I find it puzzling that simple word pairs like "catmouse" are not found. Neither are relatively simple passwords with a few caps.
So, I added some more example passwords:

    $ echo "userA:$(openssl passwd -1 "catmouse"):1:1:New Example:" >>passwords
    $ echo "userB:$(openssl passwd -1 "ExAmplE"):1:1:New Example:" >>passwords
    $ echo "userC:$(openssl passwd -1 "exAMple"):1:1:New Example:" >>passwords
    $ echo "userD:$(openssl passwd -1 "examplE"):1:1:New Example:" >>passwords
    $ rm -r ~/.john
    $ /usr/sbin/john passwords
    Created directory: /home/schamane/.john
    Loaded 14 password hashes with 14 different salts (FreeBSD MD5 [32/64 X2])
    (...)
    examplE (userD)
    new example (user3)
    newexAmple (user5)
    (user6)
    asdf (user8)
    guesses: 8 time: 0:00:00:54 85% (2) c/s: 15872 trying: 6stephi - 6stevens
    (user7)
    guesses: 9 time: 0:00:01:16 (3) c/s: 15840 trying: shadone - shadon1
    guesses: 9 time: 0:00:11:42 (3) c/s: 15974 trying: mutly61 - mutly63
    ...

We see that after about 1 minute john was in incremental mode. Neither the simple word pair ("catmouse") nor the dictionary words with funny caps have been found so far. The rest would be a matter of time, CPU power and burned fossils. But we are not going to waste them, are we?
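
The passwords john's defaults missed above are still structurally trivial, which a check at password-change time (where the plaintext is available) can show without any cracking. The following is an added example, not part of the original post or of john: the function names and the tiny WORDS dictionary are assumptions, and the sample passwords are the ones from the test file above.

```python
import re

# Constructed sample dictionary; a real check would load a full word list.
WORDS = {"new", "example", "cat", "mouse", "asdf"}

def known_words(login, gecos, dictionary=WORDS):
    """Words tied to the account (login, GECOS field) plus the dictionary."""
    own = re.findall(r"[a-z0-9]+", f"{login} {gecos}".lower())
    return set(dictionary) | set(own)

def splits_into_words(s, words, max_parts=3):
    """True if s is a concatenation of at most max_parts known words."""
    if s in words:
        return True
    if max_parts <= 1:
        return False
    return any(s[:i] in words and splits_into_words(s[i:], words, max_parts - 1)
               for i in range(1, len(s)))

def weakness(password, login, gecos, dictionary=WORDS):
    """Return a reason if the password is structurally trivial, else None."""
    if password.strip() == "":
        return "empty or whitespace only"
    # Fold case and spacing away so "newexAMple" and "new example" compare equal.
    folded = re.sub(r"\s+", "", password).lower()
    if folded == login.lower():
        return "same as login name"
    if splits_into_words(folded, known_words(login, gecos, dictionary)):
        return "built from login, GECOS or dictionary words"
    return None

# Passwords from the article's test file, all with the GECOS field "New Example".
SAMPLES = [("user0", "user0"), ("user4", "newexAMple"), ("user6", ""),
           ("user7", " "), ("user8", "asdf"), ("user9", "kdnwir"),
           ("userA", "catmouse"), ("userB", "ExAmplE")]

def audit(samples=SAMPLES, gecos="New Example"):
    """Map each login to the reason its password was flagged (or None)."""
    return {login: weakness(pw, login, gecos) for login, pw in samples}

if __name__ == "__main__":
    for login, reason in audit().items():
        print(f"{login}: {reason or 'no trivial structure found'}")
```

Only user9's random "kdnwir" passes; a None result means no trivial structure was found, not that the password is strong.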