Password strength
• The base-2 logarithm of number of guesses
needed to find the password with certainty is
password’s entropy.
• The bigger the entropy, the bigger the
password strength.
• The entropy of string of symbols with
length L, from a set of N possible symbols is:
𝐻 = log 2 𝑁 𝑙 = 𝑙 log 2 𝑁
Password strength
• What is the entropy of a password with length
4 from the set 0,1, … , 9 ?
𝐻 = 4 × log 2 10 = 13.29
• What is the approximate password’s entropy if
above password is a living person birth year ?
𝐻 ≈ log 2 100 = 6.64
Password strength
• Calculate the entropy of following passwords
with length 8:
a)
b)
c)
d)
A password consists of lowercase English alphabets
A case sensitive password
A case sensitive password that may contain a number
A case sensitive password that at least contains one
number
e) What if we change the length of password (c) to 10?
Password strength
• Suppose on average, an attacker will have to
try half of the possible passwords before
finding the correct one. If each attempt for
testing password takes 3 sec, what is the
average required time for finding the
password?
John the Ripper
• It is a free password cracking software tool
• Most popular password testing and breaking
programs
• Initially developed for the Unix OS. Now use in
UNIX, DOS, BeOS and OpenVMS
• Run against several hash type: DES, MD5 or
Blowfish
How to install
• Connect with your computer/server
• Use SSH(Linux) or putty(Windows)
–
–
–
–
Remote Computer: 136.159.222.132
Remote Port: 30067
User ID: admin
Password: aJuGxB
• For Installation
$ sudo apt-get install john
• For unstall
$sudo apt-get remove john
How to Run
• Test John the Ripper (sbin contain the
executable program)
$ /usr/sbin/john –test
• John offers a utility called unshadow, to
create a file from passwd and shadow files:
$ sudo unshadow /etc/passwd /etc/shadow >mypass.txt
• Give mypass.txt as a input of john
$ /usr/sbin/john mypass.txt
How to Run
• Show the password
$/usr/sbin/john –show mypass.txt
• Test the password
$ su username
Password: tst