How strong are my passwords?
I think the passwords I use are pretty strong. They’re long, random, and made up of alphanumeric and special characters. I know it’s possible to crack passwords, given enough time, so I thought I’d give it a try. I’m curious how long it’s going to take to crack.
I’ll be trying to crack my Windows 7 password and my Mac OS X password using the infamous John the Ripper.
If you want to try this out yourself, you’ll want to use the latest revision (7 at this time) of the Jumbo patch. For the Windows download, you’ll also need to download cygz.dll (there’s a link below the Win32 download) and extract this dll to the /run directory of John the Ripper. For the Mac version, just download the Universal binary.
To extract password hashes from the SAM file on Windows 7, you’ll need PwDump7. It’s very likely that your virus protection will report this as a virus/trojan of some type (Avira AntiVir reports it as TR/Gendal.77824.CI). You can safely ignore this; just ensure that you are indeed downloading it from the author’s website (the link above). You can also verify the downloaded exe against the hash provided in the ReadMe of PwDump7. You’ll need to run PwDump7.exe as an Administrator. I tried fgdump to dump the password hashes first, but it wouldn’t ever output anything, even running as Administrator. If PwDump7 doesn’t work for you, try fgdump.
Mac OS X 10.6 Leopard implements a pretty standard shadowed password file put in a non-standard location, with a file per user instead of a global file like /etc/shadow. Use this script I wrote called pwdumposx to dump the password hash of the current user.
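    #!/bin/sh
    # pwdumposx - thexploit.com
    # Prints the password hash of the user who invoked sudo.
    cmd="/usr/bin/xpath"
    path="/var/db/dslocal/nodes/Default/users/${SUDO_USER}.plist"
    args="//key1/following::array/string/text()"
    # The first 36 characters of the xpath output are the user's GUID.
    guid=$("$cmd" "$path" "$args" 2>/dev/null | cut -c1-36)
    # Characters 169-216 of the per-user shadow file hold the hash.
    cut -c169-216 "/var/db/shadow/hash/$guid"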
Run like this
    nobody@nobody:~$ chmod +x pwdumposx
    nobody@nobody:~$ sudo ./pwdumposx
Once you have the hash, you just put it in a new file as user:hash and feed the file as input into JtR. If you want status from JtR, press <Enter> and it will output current status. It might take a really long time.
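To show what the 48 characters cut out by pwdumposx contain, here is an added example (not part of the original post or of John the Ripper). It assumes the salted SHA-1 layout used by Mac OS X 10.4 to 10.6: a 4-byte salt followed by SHA1(salt + password), hex-encoded. The sample file contents, user name and password are constructed.

```python
import hashlib
import hmac

# Columns 169-216 (1-based, as in `cut -c169-216`) of the per-user shadow
# hash file hold the salted SHA-1 record as 48 hex characters.
FIELD_START, FIELD_END = 168, 216  # 0-based slice bounds


def extract_salted_sha1(shadow_text):
    """Return the 48-hex-character salted SHA-1 field from the file text."""
    field = shadow_text[FIELD_START:FIELD_END]
    if len(field) != 48:
        raise ValueError("file too short to contain the salted SHA-1 field")
    bytes.fromhex(field)  # raises ValueError if the field is not hex
    return field.upper()


def split_field(field):
    """Split the field into (salt, digest): 4-byte salt, 20-byte SHA-1."""
    raw = bytes.fromhex(field)
    return raw[:4], raw[4:]


def matches(field, candidate):
    """True if SHA1(salt || candidate) equals the stored digest."""
    salt, digest = split_field(field)
    computed = hashlib.sha1(salt + candidate.encode("utf-8")).digest()
    return hmac.compare_digest(computed, digest)


def john_line(user, field):
    """Format the user:hash line described in the post."""
    return f"{user}:{field}"


def make_sample(password, salt):
    """Constructed sample only: zero filler placed around a real field."""
    digest = hashlib.sha1(salt + password.encode("utf-8")).digest()
    return "0" * FIELD_START + (salt + digest).hex().upper() + "0" * 64


if __name__ == "__main__":
    sample = make_sample("correct horse", b"\x12\x34\x56\x78")  # constructed
    field = extract_salted_sha1(sample)
    print(john_line("nobody", field))
    print(matches(field, "correct horse"), matches(field, "wrong guess"))
```

Each check is a single SHA-1 over the salt and the candidate, so the salt only prevents precomputed tables; resistance to brute force comes entirely from the length and randomness of the password.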
Current Cracking Status for my Passwords
The Mac is a Core Duo with 8 gigs RAM
The Windows 7 is an i7 with 12 gigs RAM
- Mac OS X: 3h 26m elapsed, guesses 0
- Microsoft Windows 7: 2h 12m elapsed, guesses 0
- Mac OS X: 14h 31m elapsed, guesses 0
- Microsoft Windows 7: 13h 16m elapsed, guesses 0
Update 3 – FAILED
- Mac OS X: 1d 1h 31m elapsed, guesses 0
- Microsoft Windows 7: 1d 16m elapsed, guesses 0
Unfortunately, it’s difficult for me to tie up my computers for more than a day, so I’ve stopped both of them near the 1 day mark. The good news is that, as far as brute-forcing goes, my passwords would likely take sufficient time to crack. This just reiterates the fact that non-dictionary random passwords are a must. Maybe if I’m able to get some high powered server resources I’ll rerun this experiment for a week.