Demonstrating password cracking
December 3, 2008 6:51 AM

I need a utility or small program to demonstrate password cracking.

At work we're organising a day of "educational" games for 14-15 year old students. My game aims to teach them about safe online behaviour including importance of anti-virus software, not giving out personal details, etc.

One of the things I want to show them is the importance of good passwords. I plan to have them enter a password on the computer at the start of the session and then attempt to crack their passwords during the 25-minute session to (hopefully) demonstrate that weak passwords are bad. Essentially I want a program that will allow us to enter some passwords and then start trying to crack them.
  • The machine we'll have access to will be a fairly high spec laptop, 2.6GHz and (I think?) around 10-15 GFLOPS. There is a possibility of being able to tap into a mainframe and use that computing power to crack the passwords, but I'm not sure if that's going to happen.
  • For the laptop I'll probably need something that will run on Windows; Unix or z/OS for the mainframe. I'm prepared to do a bit of fiddling/scripting to get it to work as required.
  • Some kind of visible output would be nice on the screen while they're getting on with the other tasks. Not essential, but it will show them that it's doing something.
So, how feasible will it be to crack one or more passwords (entered by 14-year-olds, but nonetheless) in around 25 minutes? And how can I do it?
posted by bent back tulips to Computers & Internet (13 answers total) 8 users marked this as a favorite
 
L0phtCrack is what my CS professor used to demonstrate the concept--although it's been bought up now and is apparently only available on torrents. I recall its being shockingly fast. John the Ripper (Windows/Linux) is another popular option and open source.
posted by phoenixy at 7:02 AM on December 3, 2008


John the Ripper is your best choice. Make sure you seed it with a good dictionary file, including words that are relevant to your audience.
posted by These Premises Are Alarmed at 7:21 AM on December 3, 2008


top 10 password crackers

You might want to be careful with this.

Username: RobertSmith password: ILoveBeth

or something like that would be embarrassing.
posted by bdc34 at 7:22 AM on December 3, 2008


Username: RobertSmith password: ILoveBeth

Actually, that would be a perfect lesson in not using passwords that are relevant to your life. Your dog's name, phone number, girlfriend's name, etc. are some of the easiest passwords to socially engineer.
posted by COD at 7:38 AM on December 3, 2008


If the goal is to develop safe online behavior maybe some sort of hybrid demo might be more appropriate to show that even a good password / passphrase can be compromised if you do something dumb - like accepting an invalid SSL certificate on a site that should have a valid cert (online banking, etc.)

Maybe something like Cain & Abel (running in a man-in-the-middle attack mode with the ARP HTTPS module) to demo capturing even the most complex password for whatever social networking site the kids use today.

Also, speaking from experience, demos of security software always seem to fail at the worst moment. Maybe have a really simple demo as a backup - like "breaking" the password on HTTP basic authentication (a bit of a cheat given it's just Base64 - but quick, easy, and pretty much fool-proof - you could whip up a quick website with it on as a demo, or just use one of the online javascript HTTP basic decoders or Cain and Abel to do the same).

Of course I wouldn't want a whole lot of 14-15 year olds on my network fooling around with Cain and Abel....especially if the network is attached directly to the mainframe you mention.....
posted by inflatablekiwi at 7:42 AM on December 3, 2008


Response by poster: Thanks, I will check out the suggestions made - it's good to know where to start. I was pondering about displaying people's passwords afterwards, to point out which were weak and which were good, but I would remove the usernames from the list if I did that. (Of course, ILoveBeth would still cause embarrassment, so...)

And no, I'm not going to let them loose on a network! I'm trying to have them use the computer as little as possible really, less for security reasons and more that it's hard to play as a team when there's one person "driving" the computer. They will be monitored on the few occasions they use the computer.

Further suggestions are welcome, thanks.
posted by bent back tulips at 8:40 AM on December 3, 2008


You also may want to mention good password policies. Some idiots think it is best to force you to change your password so frequently, and limit the number of reusable passwords that in many businesses the passwords devolve into 'businessname1', 'businessname2', 'businessname3', etc. Or even worse 'myname1', 'myname2', posted on a post it note attached to the monitor.

Good password policy should be a lengthy password made up of a compound word or phrase that does not appear in a dictionary, and includes upper and lower case and numerals. i.e. 1ceF0unta1n. You should also allow users to keep passwords for a reasonable period of time to encourage more creative passwords.
posted by Gungho at 8:50 AM on December 3, 2008


You could find and download some Windows Rainbow Tables (http://en.wikipedia.org/wiki/Rainbow_table)

That would crack any password they try in a few minutes (under 16 chars)
posted by mattdini at 10:36 AM on December 3, 2008


Good password policy should be a lengthy password made up of a compound word or phrase that does not appear in a dictionary, and includes upper and lower case and numerals. i.e. 1ceF0unta1n.

That's a poor password which isn't much better than just "icefountain". John knows how to transform words into 1337-speak words, and hence can crack them too.
posted by philomathoholic at 11:37 AM on December 3, 2008
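
The point in the comment above, that swapping digits for letters adds little, shown as an added example (not from the thread, and not John the Ripper's code): a sign-up-time check that undoes case changes and common substitutions, then tries to split the result into dictionary words. The substitution table, the wordlist and the `wordlist_size`/`variants` figures are constructed assumptions.

```python
# Added example: a sign-up-time dictionary check. The substitution table and
# wordlist are small constructed samples, not John the Ripper's actual rules.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})
WORDS = {"i", "ice", "fountain", "love", "beth", "password", "secret"}


def split_into_words(text, words):
    """Return dictionary words that concatenate to text, or None."""
    # found[i] is a segmentation of text[:i], or None if there is none.
    found = [None] * (len(text) + 1)
    found[0] = []
    for end in range(1, len(text) + 1):
        for start in range(end):
            if found[start] is not None and text[start:end] in words:
                found[end] = found[start] + [text[start:end]]
                break
    return found[len(text)]


def dictionary_basis(password, words=WORDS):
    """Return the dictionary words a password is built from, else None."""
    lowered = password.lower()
    # Try with a trailing counter removed first (the 'businessname1',
    # 'businessname2' pattern), then the password as typed.
    for candidate in (lowered.rstrip("0123456789"), lowered):
        parts = split_into_words(candidate.translate(LEET), words)
        if parts:
            return parts
    return None


def search_space(password, parts, wordlist_size=100_000, variants=1_000):
    """Rough guess counts: character brute force vs. word combinations.

    wordlist_size and variants (case/substitution/suffix forms tried per
    combination) are assumed round figures for illustration.
    """
    brute_force = 62 ** len(password)
    word_based = wordlist_size ** len(parts) * variants
    return brute_force, word_based


if __name__ == "__main__":
    for pw in ("1ceF0unta1n", "ILoveBeth", "password1", "x9Tq!v2Lm#"):
        parts = dictionary_basis(pw)
        if parts:
            brute, wordy = search_space(pw, parts)
            print(f"{pw}: built from {parts}; ~{wordy:.0e} guesses, not {brute:.0e}")
        else:
            print(f"{pw}: no dictionary basis found in this wordlist")
```

A `None` result only means the password is not derived from this wordlist; it says nothing about length or reuse.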


Sorry but what you are proposing is not only a bad idea but pretty unethical. You cannot ask someone to make an account on a system only to reveal their password to others. Most likely the password these kids enter will be the same as their email or banking passwords. Guess who gets sued when the other kids log into these accounts? You.

What you should do is get a laptop and ask them to pick a few passwords out loud. Specify these cannot be current or past passwords they have used. Create user accounts for all of them. Now download a DVD of 4.7gigs of bootable rainbow tables-based cracker and see how long it takes to crack them. You may want to seed this machine with weak passwords like "password" or "secret." You should probably also seed a tough password to show them how long or if it can be cracked via this method.

You can leave the screen on so the kids can watch the progression as passwords slowly get cracked.
posted by damn dirty ape at 11:58 AM on December 3, 2008


Ahh, John the Ripper. Back in the day...let's see, 1998 maybe?, this guy I know who looked an awful lot like me used a PI 133 laptop conspicuously like mine to grab .htaccess files from porn sites to get the password lists, and then I'd decrypt all the passwords and usernames and sell them to college freshmen on my dorm. I mean he would. Yea, it was definitely him.

I could crack about a thousand basic passwords in about 10-35 minutes with John, and that was on my PI-133 running Windows 98.

I'd be inclined these days to rip apart someone's WEP signal to demonstrate both the mechanics of the crack, the vulnerability, and the need for secure passwords and security vigilance.

A school district once hired me to teach basic web design and computers/security to teenagers. They didn't bother to give me a special account from which to teach, they just pulled me aside and said "Ok, your login is going to be 'admin' and the password is really strange, it's 'posys'." That, of course, being the login/password combo that gave access to all...ALL...files and accounts on the network, including grades, etc.
posted by TomMelee at 6:57 PM on December 3, 2008




My idea was that icefountain is not a word found in the dictionary. A compound word, or nonsense word offers the best protection, well maybe except an anagram of a phrase.
posted by Gungho at 7:46 AM on December 9, 2008

