This project explores the strength of various types of passwords by generating and empirically analyzing datasets of different complexities. The primary goal is to understand the effort required to crack different password types, using various strategies to assess password robustness against cracking attempts.
Password security is a critical area of study in cybersecurity, as weak passwords can pose significant risks to personal and organizational security. This study aims to examine the difficulty of cracking passwords of various types and complexities. Using John the Ripper (JtR), we experimented with multiple cracking strategies on datasets with controlled variations to evaluate the effectiveness of common password-cracking methods.
To analyze password-cracking strategies, we generated five dataset types, each containing five collections of 100 passwords, one collection per length from 3 to 7 characters. This results in a total of 25 sets of 100 passwords each, or 2,500 passwords overall. Each type represents a different complexity level and contains passwords generated as follows:
- Lowercase Letters Only: Passwords composed exclusively of lowercase letters.
- Uppercase Letters Only: Passwords composed exclusively of uppercase letters.
- Numeric Only: Passwords composed exclusively of numbers.
- Alphanumeric with Symbols: Passwords that include a mix of uppercase and lowercase letters, numbers, and symbols.
- Dictionary-Based: Passwords generated using words from a dictionary, simulating commonly used password patterns.
Passwords were hashed using md5crypt to simulate how stored passwords are protected, and five different cracking strategies were applied in John the Ripper (JtR), including:
- Dictionary Attack: This approach uses a pre-defined wordlist along with JtR’s rule-based modifications.
- Single Crack Mode: Though less applicable for randomly generated passwords, it uses account-specific information for cracking, which is more efficient than wordlists in some real-world scenarios.
- Incremental Mode: Standard brute-force attack, testing all possible password combinations.
- External Mode: A custom mode in which additional candidate-generation logic is written in JtR's built-in C-like language and compiled by JtR itself.
Three specific wordlists were created for targeted cracking:
- Wordlist_1: Targeted towards lowercase and uppercase password sets, containing 6,000 random letter-based entries.
- Wordlist_2: For alphanumeric sets, including a mix of numbers and ASCII symbols.
- Rockyou-75: A popular dataset with over 59,000 common passwords used for dictionary-based datasets.
- Dataset Generation: Python scripts generate password datasets with controlled complexity levels.
- Cracking Strategies: Implemented five cracking methods in JtR, tailored for each dataset type.
- Performance Analysis: Detailed metrics for each strategy, including:
  - Percentage of cracked passwords.
  - Average and median cracking time per password.
  - Total execution time, with a limit set to 90 minutes.
Results were evaluated for each strategy across datasets. Key metrics include the success rate of cracking attempts, average and median times for each password type, and observations on method efficiency. Summary tables and visualizations were created to aid in comparative analysis.
- Brute Force: Effective for short passwords; increasingly ineffective for longer, complex passwords.
- Dictionary Attacks: Fast and efficient if a relevant wordlist is available.
- Mixed Complexity Passwords: The more unique and varied the character types, the more secure the password.
- Number-Only Passwords: These were the most vulnerable, even for lengths greater than six characters.
Graphs highlight the performance of each method, showing that while brute force guarantees success given enough time, dictionary-based attacks are faster for common passwords.
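The dataset generation and md5crypt hashing described above, together with the keyspace arithmetic behind the brute-force findings, as an added example that is not part of the project's own scripts. It assumes only the Python standard library; `md5crypt` follows the original FreeBSD algorithm, and `build_dataset` emits `user:hash` lines in the form John the Ripper loads.

```python
import hashlib
import random
import string
# Added example, not the project's own scripts: md5crypt ($1$) re-implemented with
# hashlib after the original FreeBSD algorithm, producing the hash format JtR reads.
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
CHARSETS = {  # the four generated classes; dictionary passwords come from a wordlist
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "mixed": string.ascii_letters + string.digits + string.punctuation,  # 94 symbols
}

def to64(v: int, n: int) -> bytes:  # md5crypt base64: n chars, low 6 bits first
    return bytes(ITOA64[(v >> (6 * i)) & 0x3F] for i in range(n))

def md5crypt(password: str, salt: str) -> str:
    pw, sp = password.encode(), salt[:8].encode()  # salt is capped at 8 characters
    ctx = hashlib.md5(pw + b"$1$" + sp)
    final = hashlib.md5(pw + sp + pw).digest()
    for pl in range(len(pw), 0, -16):
        ctx.update(final[:min(pl, 16)])
    i = len(pw)
    while i:  # one byte per bit of len(pw): NUL for a 1 bit, first pw byte for a 0 bit
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed 1000 stretching rounds
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3: c.update(sp)
        if i % 7: c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    enc = b"".join(to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups)
    return "$1$" + sp.decode() + "$" + (enc + to64(final[11], 2)).decode()

def keyspace(kind: str, length: int) -> int:  # worst-case candidates for incremental mode
    return len(CHARSETS[kind]) ** length

def build_dataset(kind: str, length: int, count: int, seed: int = 1) -> list:
    """JtR-ready 'user:hash' lines for `count` random test passwords of one class."""
    rng = random.Random(seed)  # seeded: reproducible test data, not real credentials
    lines = []
    for n in range(count):
        pw = "".join(rng.choice(CHARSETS[kind]) for _ in range(length))
        salt = "".join(rng.choice(ITOA64.decode()) for _ in range(8))
        lines.append(f"{kind}{length}_{n}:{md5crypt(pw, salt)}")
    return lines
```

Comparing `keyspace("digits", 7)` (10^7) with `keyspace("mixed", 7)` (94^7) shows why the number-only sets fell fastest to incremental mode.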
- Python: For generating password datasets and analyzing results.
- John the Ripper: Tool for password cracking.
- Kali Linux: Operating system used for running security tools and managing the cracking environment.
- Carmen Abans Maciel: https://github.com/carmenabans
- Noelia Hernández Rodríguez: https://github.com/Noelia-Hernandez-Rodriguez
- Grade: Received a score of 10/10 for the quality and thoroughness of this project.