
We're doing a password audit by loading the password file into John and letting it run for a couple of days.

One of the first questions I got in the remediation class was "How long did it take to crack my password?" According to a password calculator the guy used, his password should have taken over a century to crack, but John guessed it relatively early.

Now, my manager is asking me to record how long it takes for each password on the next audit round, but I'm letting it run when I'm not here to observe and record.

Any suggestions on a way to record the time? I'm doing this on a Kali Linux cluster.

guntbert
    Why is Kali relevant? – Hector Dec 15 '17 at 16:55
    Depends on the wordlist you're using, surely? "Correct Horse Battery Staple" would take 5 decillion years, according to https://howsecureismypassword.net/ but it's in a lot of wordlists now... – Matthew Dec 15 '17 at 17:00
  • Uh - how are you getting the users to give you their passwords? This appears to be a far bigger problem than easy-to-crack passwords ... – schroeder Dec 15 '17 at 22:47

3 Answers


John the Ripper logs its activity to stdout. If you note that it's cracked a password, you can terminate the session with Ctrl-C.

The log file .john/john.log will note the account(s) that have been cracked, with a timestamp. Grep that for 'Cracked' to turn those up.

  • Well, but, john doesn't work on passwords one at a time, so that doesn't really help you tell the manager anything sensible, now does it? – SamB Feb 28 '23 at 00:12
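The answer above says to grep john.log for "Cracked" and read the timestamps. The following is an added example, not code from the original post or from the John the Ripper project: it parses a constructed john.log excerpt and turns the session-relative timestamps into a per-account "cracked after" figure, plus the total session length to report for accounts that never fell. It assumes the log format of current John builds, where each line starts with the running session time as D:HH:MM:SS and each recovered account is logged as "+ Cracked <user>" (or "+ Cracked <user>: <plaintext>" if LogCrackedPasswords is enabled in john.conf); check a few lines of your own log against the regex before trusting the output.

```python
import re
from typing import Dict, Tuple

# Constructed sample of a john.log session (not a real audit log). Each line
# starts with John's running session time as D:HH:MM:SS; every account it
# recovers is recorded as "+ Cracked <user>" at the moment of the guess.
SAMPLE_JOHN_LOG = """\
0:00:00:00 Starting a new session
0:00:00:00 Loaded a total of 4 password hashes with 4 different salts
0:00:00:00 Proceeding with wordlist mode
0:00:00:03 + Cracked jsmith
0:00:00:41 + Cracked rdoe
0:00:00:59 Proceeding with incremental mode
1:02:13:07 + Cracked zcheng
2:00:00:00 Session aborted
"""

# D:HH:MM:SS prefix, then the message text.
TIMESTAMP_RE = re.compile(r"^(\d+):(\d{2}):(\d{2}):(\d{2}) (.*)$")
# "+ Cracked user" (or "+ Cracked user: plaintext" when LogCrackedPasswords is on).
CRACKED_RE = re.compile(r"^\+ Cracked (\S+)")


def to_seconds(days: str, hours: str, minutes: str, seconds: str) -> int:
    """Convert John's D:HH:MM:SS fields to whole seconds."""
    return int(days) * 86400 + int(hours) * 3600 + int(minutes) * 60 + int(seconds)


def crack_times(log_text: str) -> Tuple[Dict[str, int], int]:
    """Map each cracked account to the session time (seconds) at which it fell.

    Also returns the largest timestamp seen, i.e. how long the session ran,
    which is the figure to report for accounts that were NOT cracked.
    """
    cracked: Dict[str, int] = {}
    session_len = 0
    for line in log_text.splitlines():
        m = TIMESTAMP_RE.match(line)
        if not m:
            continue  # ignore anything without a session timestamp
        elapsed = to_seconds(*m.groups()[:4])
        session_len = max(session_len, elapsed)
        c = CRACKED_RE.match(m.group(5))
        if c:
            user = c.group(1).rstrip(":")   # drop the colon of "user: plaintext"
            cracked.setdefault(user, elapsed)  # keep the first hit per account
    return cracked, session_len


def humanize(seconds: int) -> str:
    """Render seconds as Nd HHh MMm SSs for the audit report."""
    days, rem = divmod(seconds, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    return f"{days}d {hours:02d}h {minutes:02d}m {secs:02d}s"


def report(log_text: str) -> str:
    """One line per cracked account, earliest first, plus the session length."""
    cracked, session_len = crack_times(log_text)
    lines = [
        f"{user}: cracked after {humanize(t)}"
        for user, t in sorted(cracked.items(), key=lambda kv: kv[1])
    ]
    lines.append(f"session ran {humanize(session_len)}; {len(cracked)} account(s) cracked")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_JOHN_LOG))
```

Point it at ~/.john/john.log (or NAME.log if you started John with --session=NAME) after the run finishes. As SamB's comment notes, John tests every candidate against all uncracked hashes at once, so the number you get is how far into John's candidate order the password sat, not an intrinsic property of the password; the script treats the log as one uninterrupted session, so if you stop and --restore, confirm how your build's timestamps behave across the resume before adding figures up.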

With regards to password calculators see here - https://security.stackexchange.com/a/175006/76546

Now, my manager is asking me to record how long it takes for each password on the next audit round

This is entirely pointless. It depends entirely on the approach used. With a dictionary attack you often use an alphabetically sorted password list - meaning the password "zzz" would be one of the last passwords you reached (hence taking longer) whilst the password "aaalojryd", if present, would be one of the first.

If using an ascending brute force, "mypassword1" would take substantially longer than an entirely random 9 character password.

It is also massively hardware dependent.

Any suggestions on a way to record the time?

If you (or your manager) insist on doing this I'd suggest a good enough approach would be to estimate. You can work out how the software is picking phrases to try and work out how far through the cycle it would take to get to the found phrase. Then by comparing this to the total run time you should be able to make a reasonable estimate.

Hector
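Hector's answer makes two points (position in a sorted wordlist decides when a dictionary attack reaches a word; an ascending brute force is governed by length) and then suggests estimating from how far through its candidate order the cracker had to go. The block below is an added example, not code from the answer or from John the Ripper, that puts numbers on both models. It assumes a plain wordlist run with no mangling rules (candidates tried in file order) and a brute force that enumerates a fixed 36-character alphabet in ascending length, lexicographically within each length; John's incremental mode orders candidates by character-frequency statistics rather than lexicographically, so the brute-force figure shows the shape of the argument, not a prediction for John. The wordlist and the guess rate are constructed.

```python
import string
from typing import List, Optional

# Assumed candidate alphabet for the brute-force model: lowercase letters, then digits.
ALPHABET = string.ascii_lowercase + string.digits

# Constructed, alphabetically sorted wordlist standing in for a real one.
SAMPLE_WORDLIST: List[str] = sorted([
    "aaalojryd", "correcthorsebatterystaple", "letmein", "mypassword1",
    "password", "qwerty123", "zzz",
])


def wordlist_rank(password: str, wordlist: List[str]) -> Optional[int]:
    """1-based position of password in the wordlist, or None if it is absent.

    Models a plain wordlist run with no rules: candidates are tried in file
    order, so an early entry falls early however 'strong' it looks.
    """
    try:
        return wordlist.index(password) + 1
    except ValueError:
        return None


def brute_force_rank(password: str, alphabet: str = ALPHABET) -> int:
    """1-based position in a length-ascending, lexicographic brute force.

    Every shorter string is tried first (sum of base**n for n < len), then the
    password's lexicographic rank among strings of its own length.
    """
    base = len(alphabet)
    if not password or any(ch not in alphabet for ch in password):
        raise ValueError("password contains characters outside the alphabet")
    shorter = sum(base ** n for n in range(1, len(password)))
    within = 0
    for ch in password:
        within = within * base + alphabet.index(ch)
    return shorter + within + 1


def estimate_seconds(rank: int, guesses_per_second: float) -> float:
    """Time to reach the candidate at `rank` at a measured guess rate."""
    return rank / guesses_per_second


def estimate(password: str, wordlist: List[str], guesses_per_second: float) -> dict:
    """Estimated seconds to reach `password` under each attack model."""
    wl = wordlist_rank(password, wordlist)
    return {
        "wordlist": estimate_seconds(wl, guesses_per_second) if wl else None,
        "brute_force": estimate_seconds(brute_force_rank(password), guesses_per_second),
    }


if __name__ == "__main__":
    rate = 10_000_000  # constructed guess rate; take yours from John's status output
    for pw in ("aaalojryd", "zzz", "mypassword1", "h4k2x9qzm"):
        print(pw, estimate(pw, SAMPLE_WORDLIST, rate))
```

Run against the constructed wordlist, "aaalojryd" is the first candidate and "zzz" the last, exactly as the answer describes, while under the brute-force model "zzz" sits in the first few tens of thousands and "mypassword1" lands beyond 36^10 candidates, years behind the 9-character random string at any realistic rate. Whichever number you hand the manager, it describes the attack configuration as much as the password.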

Be careful, especially if your user is important. They are trying to lay a trap for you, in order to deflect the blame for their lack of concern for security.

You discovered their password. Simply provide your clients and security team with that fact. "I ran a widely available password cracker and your password was one of those that it easily recovered."

Don't let them get away with "but it took you two days" kind of stuff. That's about the weakest excuse possible; especially since many attackers hide inside breached networks for a month or more before exfiltrating their data.

John Deters
  • While not a direct answer to the question, it is very relevant. Especially as a real attacker may have either a) more time or b) better hardware. – ewanm89 Dec 16 '17 at 00:09