Checking password complexity with John the Ripper

Lock Down

Article from ADMIN 06/2011
By
"Easy to remember but difficult to guess" isn't just a catchy phrase for choosing passwords, it's the law of the Net. Learn how to check your password using a tool network intruders use every day: John the Ripper.

Password policies designed by well-meaning system administrators dictate the required number of characters and the complexity of passwords, but is that enough to protect user accounts from hackers? Users are told to create passwords that are "easy to remember but hard to guess." They are instructed to choose passwords that mix upper- and lowercase letters, numbers, and punctuation, and they are discouraged from reusing the same password for every account. The question is, "Is all that complexity enough to protect you from hackers?" The answer, to complicate matters further, is both "Yes" and "No."

"Yes" because a complex password defeats online guessing, whether across the network or at a local login prompt. An attacker guessing at a login prompt gets only a handful of tries: where a lockout policy is configured, a limited number of incorrect attempts locks the account, and the lockout raises an intruder-detection alert that tells administrators something suspicious has happened. Almost any non-trivial password survives a few dozen guesses.

"No" because an intruder who has already gained administrative access has powerful tools for cracking the passwords on your system. On a Unix or Linux host, the hacker copies the password and shadow files (/etc/passwd and /etc/shadow, the latter readable only by root) to a remote location. Offline, nothing limits the number of guesses and nothing raises an alert, so the hacker can crack the passwords at leisure in the safety of their own computer lab.

Once the hacker has a copy of a system's password files, several attack options are available. To shorten the time needed to crack passwords, hackers first try dictionary word matches: every word in a wordlist, typically with common variations (capitalization, appended digits, letter-for-number substitutions) applied automatically by the cracking tool's mangling rules.

Most users opt for simple, dictionary-type passwords, which makes a hacker's life easy: the return on investment for checking a password hash file against a dictionary is very high. A hacker can recover dictionary-based passwords in minutes, whereas a brute-force attack can take days or longer.
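The two steps described above, carrying a copy of the password file off the host and then running its hashes against a wordlist with mangling rules before resorting to brute force, as an added example. This is not code from the article or from John the Ripper. Real /etc/shadow entries use sha512crypt ($6$salt$digest), which Python's hashlib does not implement, so the sample here uses a stand-in scheme of the same $id$salt$digest shape, "$toy$<salt>$<hex SHA-256(salt + password)>"; the user names, salts, passwords and the five-word wordlist are all constructed for the example.

```python
"""Offline dictionary attack with mangling rules, in the style of John the
Ripper's wordlist mode, run against a constructed copy of a password file.

Added example; not code from the ADMIN article or from John the Ripper.
The "$toy$" hash scheme stands in for sha512crypt, and every user, salt and
password below is constructed for this example.
"""
import hashlib
import string

# Five words standing in for a multi-megabyte wordlist such as john's password.lst.
WORDLIST = ["password", "summer", "letmein", "dragon", "welcome"]

# Letter-for-digit substitutions, one of many transformations john's rules apply.
LEET = str.maketrans("aeio", "4310")


def toy_hash(salt: str, password: str) -> str:
    """Stand-in for sha512crypt: same $id$salt$digest layout, far weaker construction."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"$toy${salt}${digest}"


def build_sample() -> str:
    """Constructed unshadow-style file (user:hash:uid:gid:gecos:home:shell).

    root, alice and bob chose mangled dictionary words; carol chose a random
    string.  The daemon account is locked ('*') and must be skipped, as john does.
    """
    rows = [
        ("root",   toy_hash("9e1b", "Password1"),  "0:0:root:/root:/bin/bash"),
        ("daemon", "*",                            "1:1:daemon:/usr/sbin:/usr/sbin/nologin"),
        ("alice",  toy_hash("3fa9", "Summer7"),    "1000:1000::/home/alice:/bin/bash"),
        ("bob",    toy_hash("c21e", "dr4g0n"),     "1001:1001::/home/bob:/bin/bash"),
        ("carol",  toy_hash("77b0", "Xq7!vB9#pL"), "1002:1002::/home/carol:/bin/bash"),
    ]
    return "\n".join(":".join(r) for r in rows) + "\n"


SAMPLE_HASHES = build_sample()


def parse_hash_file(text: str):
    """Yield (user, salt, digest) for every crackable entry; skip locked accounts."""
    for line in text.splitlines():
        if not line.strip():
            continue
        user, field = line.split(":", 2)[:2]
        if field in ("", "*") or field.startswith("!"):
            continue  # locked or passwordless account: nothing to crack
        parts = field.split("$")
        if len(parts) != 4 or parts[1] != "toy":
            raise ValueError(f"unsupported hash format for {user}: {field}")
        yield user, parts[2], parts[3]


def mangle(word: str):
    """Generate candidates from one word: a small subset of john's rule set."""
    seen = set()
    suffixes = ["", "!", "123"] + [str(d) for d in range(10)]
    for base in (word, word.capitalize(), word.upper(), word[::-1], word.translate(LEET)):
        for suffix in suffixes:
            cand = base + suffix
            if cand not in seen:
                seen.add(cand)
                yield cand


def crack(hash_file: str, wordlist):
    """Return ({user: password}, candidates_tried).

    Each candidate is hashed once per still-uncracked user because every entry
    carries its own salt; that per-user cost is what salting buys the defender.
    """
    entries = list(parse_hash_file(hash_file))
    cracked = {}
    tried = 0
    for word in wordlist:
        for cand in mangle(word):
            tried += 1
            for user, salt, digest in entries:
                if user in cracked:
                    continue
                if hashlib.sha256((salt + cand).encode()).hexdigest() == digest:
                    cracked[user] = cand
    return cracked, tried


PRINTABLE = len(string.digits + string.ascii_letters + string.punctuation)  # 94


def brute_force_seconds(length: int, hashes_per_second: float, charset_size: int = PRINTABLE) -> float:
    """Worst-case time to exhaust every string of the given length (the brute-force key space)."""
    return charset_size ** length / hashes_per_second


if __name__ == "__main__":
    found, tried = crack(SAMPLE_HASHES, WORDLIST)
    print(f"{len(found)} of 4 hashes cracked after {tried} candidates: {found}")
    years = brute_force_seconds(len("Xq7!vB9#pL"), 1e6) / (365 * 86400)
    print(f"carol's 10-character password: ~{years:.3g} years to exhaust at 1e6 hashes/s")
```

Three of the four hashes fall after 325 candidates; carol's random 10-character password survives the wordlist and can only be reached by brute force over the full 94-character key space, which at a million hashes per second takes on the order of a million years. The equivalent run with john itself is `unshadow /etc/passwd /etc/shadow > mypasswd`, then `john --wordlist=password.lst --rules mypasswd`, and `john --show mypasswd` to list what was recovered.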

Brute force is an exhaustive attack that tries every combination of characters from a chosen set, one password length at a time, against the password file; its cost grows exponentially with the length of the password. With a powerful computer and

...