How incredibly easy it is to break (weak) passwords

Just a few minutes ago, my friend sent me an encrypted ZIP file and said "This ZIP file contains some artwork, but the password is distributed in a past, live event. And it's the birthday of the artist. 8 digits. Can you crack it?" Apparently he can't find the password. "Sure" I said. I've learned in my cryptography and security class that 8 digit passwords are really easy to crack. Worst case I can iterate through all the possible combinations with BASH within a day. But I've heard this John the Ripper thing is really good at cracking passwords. So I decided to give it a try.

I dumped the hash with zip2john > password.hash and started cracking it with john password.hash. First I saw john decided to use the CPU only and said to myself, well, I'll have to go to bed and see what happens tomorrow.

> ~/Documents/not-my-projects/john/run/john password.hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 16 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status

But seconds later, just before I launch htop to see what's going on, I see this:

Almost done: Processing the remaining buffered candidate passwords, if any.

Oh my. Then immediately (I removed the password and the filename, you have to trust me on this):

0g 0:00:00:03 DONE 1/3 (2023-08-03 01:24) 0g/s 16334p/s 16334c/s 16334C/s Ztail1900..Uzip1900
Proceeding with wordlist:/home/marty/Documents/not-my-projects/john/run/password.lst
Enabling duplicate candidate password suppressor
xxxxxxxx         (
1g 0:00:00:20 DONE 2/3 (2023-08-03 01:24) 0g/s 2559Kp/s 2559Kc/s 2559KC/s 16212908..Nicole8208
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Boom! I got the password! It took 20 seconds to crack an 8 digit password. On an old workstation CPU! I'm not even using a GPU! And I'm not even using a wordlist! I'm brute forcing!

Just imagine that password is the only thing holding attackers back. Even though I use very strong passwords and have a password manager, I'm legit scared by how fast I, a cracking amateur, can break it. I certainly hope that every password in existence is much stronger than this.

That is, only until I realized: credit/debit card PINs are 4 to 8 digits long. I know, I know, it's different as the secure element prevents you from trying more than 3 times or dumping the hash. But still, can we have actual, good authentication please? Like TOTP or U2F? Please?

I'm probably overreacting and will be back to normal tomorrow. But.... welp.
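An added example (not part of the original post): a keyspace estimate for the kind of password described above, using the 2559Kp/s rate shown in the john status line. The year range, the three date layouts, the comparison password and all function names are assumptions chosen for illustration.

```python
import math
from datetime import date, timedelta

# Candidate rate read from the john status line in the post (2559Kp/s, CPU only).
OBSERVED_RATE = 2_559_000  # candidates per second

def digit_keyspace(length):
    """Number of all-digit strings of the given length."""
    return 10 ** length

def birthday_keyspace(first_year, last_year,
                      formats=("%Y%m%d", "%d%m%Y", "%m%d%Y")):
    """Count distinct 8-digit strings that are a valid date in any layout.

    A set is used because DDMMYYYY and MMDDYYYY produce the same string
    whenever both the day and the month are 12 or less.
    """
    seen = set()
    day = date(first_year, 1, 1)
    end = date(last_year, 12, 31)
    while day <= end:
        for fmt in formats:
            seen.add(day.strftime(fmt))
        day += timedelta(days=1)
    return len(seen)

def entropy_bits(keyspace):
    """Guessing entropy in bits if every candidate is equally likely."""
    return math.log2(keyspace)

def worst_case_seconds(keyspace, rate=OBSERVED_RATE):
    """Time to exhaust the whole keyspace at the given candidate rate."""
    return keyspace / rate

def report():
    """Compare the post's password policy with a random 12-character one."""
    cases = {
        "any 8 digits": digit_keyspace(8),
        "birthday 1924-2023, 3 layouts": birthday_keyspace(1924, 2023),
        "12 random printable ASCII chars": 95 ** 12,  # assumed comparison
    }
    return {name: (size, round(entropy_bits(size), 1),
                   worst_case_seconds(size))
            for name, size in cases.items()}

if __name__ == "__main__":
    for name, (size, bits, secs) in report().items():
        print(f"{name:34} {size:>26,} {bits:>6} bits {secs:>14.3g} s")
```

Knowing that the secret is a birthday shrinks the search from 10^8 candidates to under 10^5, which is why the hint matters more than the length.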

Martin Chang
Systems software, HPC, GPGPU and AI. I mostly write stupid C++ code. Sometimes does AI research. Chronic VRChat addict

I run TLGS, a major search engine on Gemini. Used by Buran by default.
