Next, add two accounts to the system: one with a pronounceable password at least 8 characters long, and one with a more random password (a mix of upper- and lower-case letters, numbers and symbols, 8 or more characters long). Note that the 'student' account and the root account both have dictionary-word passwords, so you can measure how quickly that kind of password is cracked. (This is a lab VM; never leave a real system with passwords like these.) Create a local copy of the password file with the command:

unshadow /etc/passwd /etc/shadow > passwd.1

unshadow needs to read /etc/shadow, so run it as root. passwd.1 now holds every account's password hash: keep it readable only by you and delete it when you are done. Run john on this local file with 'john passwd.1'. Note how long it takes to crack each type of password; john's log file (john.log) records an elapsed-time stamp for each password it cracks. With no mode specified, john finishes with its incremental (brute-force) mode, which will run for a very long time on the random password; interrupt it with Ctrl-C once the other passwords have fallen (you can resume later with 'john --restore'). Depending on the time it takes, you may wish to generate a few more pronounceable and random passwords to test how long they take to crack.
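The procedure above collected into one script, added here as an example; it is not part of the original assignment. It assumes a Linux lab VM with a root shell, John the Ripper's unshadow and john on the PATH, and useradd/chpasswd for account creation. The account names pronuser and randuser, the output file /root/test-passwords.txt and the simple syllable scheme used for the pronounceable password are my own choices.

```shell
#!/bin/sh
# Added example: generate the two test passwords, create the accounts,
# build the unshadowed copy and time john against it.
# Assumptions (not from the assignment): Linux lab VM, root shell,
# john/unshadow on PATH, account names pronuser and randuser.
LC_ALL=C
export LC_ALL

# Pronounceable password: alternating consonant/vowel pairs, e.g. "kotapiru".
# A stand-in for whatever generator the course uses.
pronounceable_password() {
    len=${1:-8}
    pw=""
    while [ ${#pw} -lt "$len" ]; do
        c=$(tr -dc 'bcdfghjklmnprstvwz' < /dev/urandom | head -c 1)
        v=$(tr -dc 'aeiou' < /dev/urandom | head -c 1)
        pw="$pw$c$v"
    done
    printf '%s\n' "$pw" | cut -c "1-$len"
}

# Random password: resample until it contains at least one upper-case
# letter, one lower-case letter, one digit and one symbol.
random_password() {
    len=${1:-12}
    while :; do
        pw=$(tr -dc 'A-Za-z0-9!@#$%^&*_+=' < /dev/urandom | head -c "$len")
        case $pw in *[A-Z]*) ;; *) continue ;; esac
        case $pw in *[a-z]*) ;; *) continue ;; esac
        case $pw in *[0-9]*) ;; *) continue ;; esac
        case $pw in *[!A-Za-z0-9]*) ;; *) continue ;; esac
        printf '%s\n' "$pw"
        return 0
    done
}

# Create the two accounts and keep the cleartext (root-only file) so you
# can check john's output against it later.
add_test_accounts() {
    [ "$(id -u)" -eq 0 ] || { echo "add_test_accounts: run as root" >&2; return 1; }
    pron=$(pronounceable_password 8)
    rand=$(random_password 12)
    useradd -m pronuser
    useradd -m randuser
    printf 'pronuser:%s\nranduser:%s\n' "$pron" "$rand" | chpasswd
    printf 'pronuser %s\nranduser %s\n' "$pron" "$rand" > /root/test-passwords.txt
    chmod 600 /root/test-passwords.txt
}

# Build passwd.1 (hashes only readable by you) and run john, printing the
# wall-clock time. The default run ends in incremental mode, which will not
# finish on its own for the random password: press Ctrl-C once the
# dictionary and pronounceable ones have fallen (resume with: john --restore).
crack_local_copy() {
    unshadow /etc/passwd /etc/shadow > passwd.1
    chmod 600 passwd.1
    start=$(date +%s)
    john passwd.1
    end=$(date +%s)
    echo "john ran for $((end - start)) s"
    john --show passwd.1
}

case ${1:-} in
    setup) add_test_accounts ;;
    crack) crack_local_copy ;;
esac
```

Run 'sh crack-lab.sh setup' once as root, then 'sh crack-lab.sh crack'. The per-password timings are in john.log; the wall-clock figure the script prints is just the total for the run. Remove passwd.1 and /root/test-passwords.txt when the exercise is finished.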
Eugene Spafford recently wrote an article, Security Myths and Passwords, about how the threats to user authentication have changed over the years. Read his article and write a brief discussion of his main points. In particular, does he feel the primary threat these days is password cracking, or something else?
Email me your writeup to my Helios account.