Cracking Passwords

HomeNetworks
Juliet Kemp
By Juliet Kemp

Datamation content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

Enforcing password security with a multiple-user system can be a hassle —
users all too often use inadequate passwords. john-the-ripper (also available
via most distros) is a password-cracking tool that enables the identification of
vulnerable passwords before someone with nefarious intentions finds the
weakness.

The first step is to extract the username/password information from the relevant files, using the provided unshadow tool: 

unshadow /etc/passwd /etc/shadow > /tmp/password.db

After that, john has three cracking modes:

  • Dictionary mode, which tests passwords based on dictionary words. You can
    use the provided dictionary or provide your own, and there’s an option to
    enable “word mangling” rules.
  • “Single crack” mode, which uses login names and various
    /etc/passwd values as password candidates, as well as applying

    word mangling rules.

    • Incremental mode, which tries all possible character combinations and
    will obviously take a very, very long time to run. You can change the
    parameters for this via the config file.

    You can run one at a time (in which case, try “single crack” mode
    first), or run all of them consecutively with 

    john /tmp/password.db

    To show results, use 

    john --show /tmp/password.db

    unshadow will produce a password database only on systems that
    use /etc/passwd and /etc/shadow for login. For centralized
    systems, there’s a Kerberos5
    module     available, or the supplied unafs utility extracts
    Kerberos AFS passwords. There’s also a LDAP module.

    Also remember that you can limit cracking attempts
    through measures such as locking out specific IP addresses after multiple failed ssh attempts or limiting the number of times a user can get a password wrong when logging on.

    This article was first published on ServerWatch.com.

    Previous article
    The Fedora-Red Hat Crisis
    Next article
    Microsoft Charges Ahead in Virtualization

    Subscribe to Data Insider

    Learn the latest news and best practices about data science, big data analytics, artificial intelligence, data security, and more.

    Similar articles

    Get the Free Newsletter!

    Subscribe to Data Insider for top news, trends & analysis

    Latest Articles

    Datamation is the leading industry resource for B2B data professionals and technology buyers. Datamation’s focus is on providing insight into the latest trends and innovation in AI, data security, big data, and more, along with in-depth product recommendations and comparisons. More than 1.7M users gain insight and guidance from Datamation every year.

    Advertisers

    Advertise with TechnologyAdvice on Datamation and our other data and technology-focused platforms.

    Advertise with Us

    Menu

    Our Brands

    Property of TechnologyAdvice.
    © 2023 TechnologyAdvice. All Rights Reserved

    Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.