How incredibly easy it is to break (weak) passwords
Just a few minutes ago, my friend sent me an encrypted ZIP file and said "This ZIP file contains some artwork, but the password is distributed in a past, live event. And it's the birthday of the artist. 8 digits. Can you crack it?" Apparently he can't find the password. "Sure," I said. I've learned in my cryptography and security class that 8-digit passwords are really easy to crack. Worst case, I can iterate through all the possible combinations with BASH within a day. But I've heard this John the Ripper thing is really good at cracking passwords. So I decided to give it a try.
I dumped the hash with `zip2john file.zip > password.hash` and started cracking it with `john password.hash`. First I saw john decided to use the CPU only and said to myself, well, I'll have to go to bed and see what happens tomorrow.
```
> ~/Documents/not-my-projects/john/run/john password.hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 16 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
```
But seconds later, just before I launch `htop` to see what's going on, I see this:

```
Almost done: Processing the remaining buffered candidate passwords, if any.
```
Oh my. Then immediately (I removed the password and the filename, you have to trust me on this):
```
0g 0:00:00:03 DONE 1/3 (2023-08-03 01:24) 0g/s 16334p/s 16334c/s 16334C/s Ztail1900..Uzip1900
Proceeding with wordlist:/home/marty/Documents/not-my-projects/john/run/password.lst
Enabling duplicate candidate password suppressor
xxxxxxxx (somefile.zip/xxxxxxx.png)
1g 0:00:00:20 DONE 2/3 (2023-08-03 01:24) 0g/s 2559Kp/s 2559Kc/s 2559KC/s 16212908..Nicole8208
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```
Boom! I got the password! It took 20 seconds to crack an 8 digit password. On an old workstation CPU! I'm not even using a GPU! And I'm not even using a wordlist! I'm brute forcing!
Just imagine that password is the only thing holding attackers back. Even though I use very strong passwords and have a password manager, I'm legit scared by how fast I, a cracking amateur, can break it. I certainly hope that every password in existence is much stronger than this.
That is, only until I realized: credit/debit card PINs are 4 to 8 digits long. I know, I know, it's different, as the secure element prevents you from trying more than 3 times and from dumping the hash. But still, can we have actual, good authentication please? Like TOTP or U2F? Please?
I'm probably overreacting and will be back to normal tomorrow. But.... welp.
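To put numbers on the search spaces discussed in this post, here is an added example (not code from the original post) that sizes an 8-digit password, an 8-digit password known to be a birthday, and a 4-digit PIN behind a 3-try lockout. The candidate rate is read from the john status line above; the 1900-2023 year range, the three date layouts, the 12-character comparison password and a uniformly random secret are assumptions.

```python
import math
from datetime import date, timedelta

# Candidate rate from the john status line quoted in the post (2559Kc/s).
RATE_PER_SEC = 2_559_000

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of strings of exactly `length` symbols."""
    return alphabet_size ** length

def birthday_keyspace(first_year: int, last_year: int) -> int:
    """Distinct 8-digit strings that spell a real calendar date written as
    YYYYMMDD, MMDDYYYY or DDMMYYYY (layouts and year range are assumptions)."""
    seen = set()
    day = date(first_year, 1, 1)
    while day.year <= last_year:
        # A set is used because e.g. 01022001 is both 2 Jan and 1 Feb.
        seen.update(day.strftime(f) for f in ("%Y%m%d", "%m%d%Y", "%d%m%Y"))
        day += timedelta(days=1)
    return len(seen)

def bits(n: int) -> float:
    """Entropy in bits of a secret drawn uniformly from n candidates."""
    return math.log2(n)

def worst_case_seconds(n: int, rate: int = RATE_PER_SEC) -> float:
    """Time to try every candidate offline at `rate` guesses per second."""
    return n / rate

def online_guess_probability(n: int, attempts: int) -> float:
    """Chance of a hit when a lockout allows only `attempts` distinct guesses."""
    return min(attempts, n) / n

def report() -> None:
    rows = [
        ("8 digits, any value", keyspace(10, 8)),
        ("8 digits, birthday 1900-2023", birthday_keyspace(1900, 2023)),
        ("12 chars, random [a-zA-Z0-9]", keyspace(62, 12)),
    ]
    for label, n in rows:
        secs = worst_case_seconds(n)
        print(f"{label:30} {bits(n):5.1f} bits  {secs:.3g} s to exhaust")
    pin = online_guess_probability(keyspace(10, 4), 3)
    print(f"4-digit PIN with 3 tries: {pin:.2%} chance per card")

if __name__ == "__main__":
    report()
```

The length of the secret matters far less than whether guessing is rate-limited: the full 8-digit space lasts under a minute offline at this rate, while a 4-digit PIN behind a 3-try lockout gives 0.03% per card.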
Systems software, HPC, GPGPU and AI. I mostly write stupid C++ code. Sometimes does AI research. Chronic VRChat addict
- marty1885 \at protonmail.com
- Matrix: @clehaxze:matrix.clehaxze.tw
- Jami: a72b62ac04a958ca57739247aa1ed4fe0d11d2df