Lab 4 - User Authentication

Due: Wednesday at 5:00pm
This lab is worth 10 points.

Download the password cracking utility John the Ripper from http://www.openwall.com/john/ into your Slackware virtual machine. You should have the wget utility installed on your Slackware machine, so give the following command to download the source:

wget http://www.openwall.com/john/f/john-1.7.0.2.tar.gz
Untar and compile John using the following commands:
tar -xvzf john-1.7.0.2.tar.gz
cd john-1.7.0.2/src
make
Running make with no target prints the list of supported build targets. Look for the target for a Linux 2.4.x kernel system in that list, then continue compiling with the command:
make clean TARGET
where TARGET is the Linux target name that was printed out above (make clean TARGET is the normal way to build John; the clean step just makes sure no objects from a different target are reused).

Next, add an account to the system with the adduser command. Give this account a guessable password that is at least 8 characters long and is a dictionary word. Add a second account with a good password: a mix of upper- and lower-case letters, numbers and symbols, 8 or more characters in length. The root account already has a guessable (non-dictionary) password, which you will use to measure the speed of cracking that type of password, so the first new account should specifically have a dictionary-based password.

Now change to the John run directory, where the compiled binaries were placed. Then, as root (only root can read /etc/shadow), create a local copy of the merged password file and run John with the following commands:

cd ../run
./unshadow /etc/passwd /etc/shadow > $HOME/passwd.1
./john $HOME/passwd.1
Note how long it takes to crack each type of password. While John is running, pressing a key prints its progress; at any time ./john --show $HOME/passwd.1 lists the passwords cracked so far. Depending on the time it takes, you may wish to change the passwords on your new accounts with the passwd <username> command as root, then rerun the unshadow and john commands to test how long it takes to crack those passwords. Record the results you saw in your write-up.
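The two steps above (merging /etc/passwd with /etc/shadow, then trying a wordlist and then an incremental search against each hash) can be reproduced in a few dozen lines. The following script is an added example, not part of the lab or of John the Ripper. It assumes constructed sample passwd and shadow lines, a constructed five-word wordlist, and a stand-in hash function (plain SHA-256) in place of the crypt(3) DES/MD5 hashes a real Slackware shadow file holds; the merge logic is the same as unshadow's, and the dictionary versus brute-force comparison is the same experiment the lab asks you to time.

```python
import hashlib
import itertools
import string
import time


def fake_hash(password: str) -> str:
    """Stand-in for crypt(3). Real shadow files hold DES/MD5 crypt hashes;
    hex SHA-256 is used here only so the example runs on any Python."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed sample /etc/passwd lines (assumption: these are made up).
PASSWD_LINES = [
    "root:x:0:0:root:/root:/bin/bash",
    "weakuser:x:1001:100::/home/weakuser:/bin/bash",
    "stronguser:x:1002:100::/home/stronguser:/bin/bash",
    "daemon:x:2:2:daemon:/sbin:/bin/false",
]

# Constructed sample /etc/shadow lines. root has a short non-dictionary
# password, weakuser a dictionary word, stronguser a mixed-class password,
# and daemon is locked ("*" in the hash field).
SHADOW_LINES = [
    "root:" + fake_hash("ab1") + ":15000:0:99999:7:::",
    "weakuser:" + fake_hash("sunflower") + ":15000:0:99999:7:::",
    "stronguser:" + fake_hash("Tr0ub4dor&3!") + ":15000:0:99999:7:::",
    "daemon:*:15000:0:99999:7:::",
]

# Constructed toy wordlist (a real run would use John's password.lst).
WORDLIST = ["password", "letmein", "sunflower", "qwerty", "dragon"]


def unshadow(passwd_lines, shadow_lines):
    """Merge shadow hashes into passwd records, as unshadow(8) does:
    the 'x' placeholder in field 2 of passwd is replaced by the hash
    from the matching shadow entry."""
    hashes = {}
    for line in shadow_lines:
        fields = line.split(":")
        hashes[fields[0]] = fields[1]
    merged = []
    for line in passwd_lines:
        fields = line.split(":")
        if fields[1] == "x" and fields[0] in hashes:
            fields[1] = hashes[fields[0]]
        merged.append(":".join(fields))
    return merged


def dictionary_attack(merged_lines, wordlist):
    """Wordlist mode: hash each word once per account and compare.
    Returns {user: password} for every account that was cracked."""
    cracked = {}
    for line in merged_lines:
        user, stored = line.split(":")[:2]
        if stored in ("x", "*", "!", ""):
            continue  # locked account or no hash to attack
        for word in wordlist:
            if fake_hash(word) == stored:
                cracked[user] = word
                break
    return cracked


def brute_force(target_hash, alphabet=string.ascii_lowercase + string.digits, max_len=4):
    """Incremental mode: enumerate every string over the alphabet, shortest
    first. Returns (password, number_of_guesses); password is None if the
    search space up to max_len was exhausted."""
    guesses = 0
    for length in range(1, max_len + 1):
        for candidate in itertools.product(alphabet, repeat=length):
            guesses += 1
            if fake_hash("".join(candidate)) == target_hash:
                return "".join(candidate), guesses
    return None, guesses


if __name__ == "__main__":
    merged = unshadow(PASSWD_LINES, SHADOW_LINES)
    t0 = time.perf_counter()
    print("dictionary:", dictionary_attack(merged, WORDLIST),
          f"({time.perf_counter() - t0:.4f}s)")
    root_hash = merged[0].split(":")[1]
    t0 = time.perf_counter()
    pw, n = brute_force(root_hash)
    print(f"brute force: root -> {pw!r} after {n} guesses "
          f"({time.perf_counter() - t0:.4f}s)")
    strong_hash = merged[2].split(":")[1]
    print("strong password in wordlist?",
          any(fake_hash(w) == strong_hash for w in WORDLIST))
```

The dictionary pass cracks weakuser in five hashes and never touches root or stronguser, while the incremental search finds root's 3-character password only after about 1,400 guesses; a 95-character keyspace at length 8 is roughly 6.6 x 10^15 candidates, which is why the mixed-class account is out of reach for this lab's hardware. Note that John itself first tries "single crack" mode (login name and GECOS field variants) before the wordlist, so include that when you interpret its timings.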

Eugene Spafford wrote an article Security Myths and Passwords about the change in threats to user authentication over the years. Read his article and write a brief discussion of his main points. In particular, does he feel the primary threat these days is password cracking or something else?

Email your write-up to my Helios account.