Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!csd4.milw.wisc.edu!bionet!apple!vsi1!wyse!mips!prls!philabs!linus!community-chest!ccel
From: ccel@community-chest.uucp (CCEL)
Newsgroups: comp.unix.wizards
Subject: Re: Wanted: program(s) to check user passwords
Keywords: passwd, password, crypt
Message-ID: <60177@linus.UUCP>
Date: 15 Jul 89 21:09:07 GMT
Sender: news@linus.UUCP
Reply-To: ccel@community-chest.UUCP (CCEL)
Organization: MITRE-McLean Software Engineering Laboratory
Lines: 29

In article <576@targon.UUCP> andre@targon.UUCP (andre) writes:
> ... I was thinking
>about running a program each night checking passwords on the system
>(by guessing or something like that) and warning users who choose too
>simple passwords.

I have the source to a program that a friend of mine wrote to hack the
passwords in a unix system (I'm posting this in case anyone else is
interested). It uses the crypt() function, which is also used by the
passwd utilities. The workings of crypt are various and sundry, and
unfortunately very very slow.

The program works by reading in the "salt" (two 6-bit words) for a user
from the password file. This is the encryption key for the passwd, out
of 64 possible. It then grabs words from the dictionary (I used the
dictionary just because it's a big list of a lot of words; you could
probably make your own list of common passwords or whatnot), encrypts a
word using the same salt, and compares it to the password. It reports
any match(es).

Like I mentioned, this is horribly slow, even with one user on a fast
system it might take hours to find a match. But that is with a list of
24000 words. I'll e-mail you the source and maybe you can find a way to
play with it to speed it up. If anyone else is interested, just drop me
a note and I'll give you a copy.

-------------------------------------------------------------------------
Randy Tidd
ccel@community-chest.UUCP
rtidd@mitre.arpa
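
The nightly check discussed in this thread, as an added example (it is not the program mentioned in the post, whose source is not on this page): accounts are grouped by salt so each wordlist entry is hashed once per distinct salt rather than once per user, and only usernames are reported so the owners can be warned. Assumptions: `toy_crypt` is a salted SHA-256 stand-in for crypt(3), and the function names, `PASSWD` and `WORDS` are constructed for illustration.

```python
import hashlib

def toy_crypt(word, salt):
    # Stand-in for crypt(3) (assumption): the salt is stored as the first two
    # characters of the result, as in the classic passwd hash field.
    return salt + hashlib.sha256((salt + word).encode()).hexdigest()[:11]

def parse_passwd(lines):
    """Yield (user, salt, stored_hash) for accounts that carry a testable hash."""
    for line in lines:
        fields = line.strip().split(":")
        if len(fields) < 2:
            continue
        user, stored = fields[0], fields[1]
        # '*' or '!' marks a locked account; an empty field means no password
        # at all, which deserves its own report and is not checked here.
        if len(stored) < 3 or stored[0] in "*!":
            continue
        yield user, stored[:2], stored

def audit(passwd_lines, wordlist, hash_fn=toy_crypt):
    """Return sorted usernames whose password is a wordlist entry or the login name."""
    by_salt = {}
    for user, salt, stored in parse_passwd(passwd_lines):
        by_salt.setdefault(salt, {}).setdefault(stored, []).append(user)
    weak = set()
    for salt, stored_to_users in by_salt.items():
        for stored, users in stored_to_users.items():
            # The login name used as the password is the cheapest check.
            weak.update(u for u in users if hash_fn(u, salt) == stored)
        for word in wordlist:
            # One hash per (word, salt), shared by every account with that salt.
            weak.update(stored_to_users.get(hash_fn(word, salt), []))
    return sorted(weak)

# Constructed sample data: no real accounts or hashes.
WORDS = ["password", "wizard", "secret"]
PASSWD = [
    "alice:" + toy_crypt("wizard", "ab") + ":101:10::/home/alice:/bin/sh",
    "bob:" + toy_crypt("k7#Qz!pLm2", "ab") + ":102:10::/home/bob:/bin/sh",
    "carol:" + toy_crypt("carol", "Xy") + ":103:10::/home/carol:/bin/sh",
    "daemon:*:1:1::/:",
    "guest::104:10::/home/guest:/bin/sh",
]

if __name__ == "__main__":
    for name in audit(PASSWD, WORDS):
        print("weak password, notify user:", name)
```

With a real crypt() passed in as `hash_fn`, the hashing cost grows with the number of distinct salts times the wordlist size, which is why the per-salt grouping matters for a nightly run.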