[oss] Password cracking by Radu Caragea

Razvan Deaconescu razvan.deaconescu at cs.pub.ro
Tue Dec 16 13:56:12 EET 2014


Hi!

For those of you who were at lecture #10 yesterday, you remember Radu
Caragea taking a picture of the password hash in /etc/shadow for the
user 'laura'. The password was quite simple (it was 'tutu'); I updated it
;-)

Radu managed to crack it that evening. He did a dictionary attack (he had a
list of words), computed the SHA-512 hash of each word and then compared the
results against the first characters in the password hash in /etc/shadow.
As the password was really simple, it was really easy for him to crack it.

So, be advised:
i) Use strong passwords (easy to remember, hard to guess, and with enough
entropy to make brute-force and dictionary attacks infeasible)
ii) Take good care of your password database. Even if passwords are only
stored in hashed form, they may still be easily broken if step i) is not
done properly. And since you can't control all your users, you must
assume some would use weak passwords.

Razvan
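As an added illustration (not part of Razvan's mail), here is a small Python password-acceptance check of the kind point i) calls for: it rejects a candidate that appears in a wordlist (including simple "append digits/punctuation" variants, the mangling rules a dictionary run typically tries), and otherwise estimates the entropy from length and character classes. The wordlist is constructed for the example, and the entropy estimate assumes uniform random choice from the character classes present, so it is an upper bound.

```python
import math
import string

# Constructed stand-in for a real dictionary file (a common-passwords list).
WORDLIST = {"password", "123456", "qwerty", "letmein", "tutu", "laura"}

# Character classes used to estimate the search space of a password.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation]


def entropy_bits(password: str) -> float:
    """Upper-bound entropy estimate: length * log2(alphabet size).

    Assumes each character is drawn uniformly from the union of the
    character classes present, so real-world entropy is usually lower."""
    alphabet = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def check_password(password: str, wordlist=WORDLIST,
                   min_bits: float = 60.0) -> tuple[bool, str]:
    """Return (accepted, reason).

    Rejects dictionary words (case-insensitively, and with trailing digits
    or punctuation stripped, e.g. 'Tutu123!'), then rejects anything whose
    estimated entropy is below min_bits."""
    lowered = password.lower()
    stripped = lowered.rstrip(string.digits + string.punctuation)
    if lowered in wordlist or stripped in wordlist:
        return False, "appears in wordlist (trivially found by a dictionary attack)"
    bits = entropy_bits(password)
    if bits < min_bits:
        return False, f"estimated entropy {bits:.1f} bits < {min_bits}"
    return True, f"estimated entropy {bits:.1f} bits"


if __name__ == "__main__":
    # 'tutu' is the password from the lecture; the others are constructed.
    for candidate in ["tutu", "Tutu123!", "abcdefg", "Xk9#pL2$qW7m"]:
        print(repr(candidate), check_password(candidate))
```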
