Passwords represent the last and, in most cases, the only line of defense. For this reason students study several aspects of password security. What differentiates a bad password from a good one? What single aspect of a passphrase makes it much more secure than the supposedly secure 8 character p@55w0rd using l33t? The answer to these questions lies in John the Ripper (JTR) a password auditing tool.
Cracking passwords is mathematical process that takes time – a lot of time. I’ve seen JTR hammer away at passwords at 50,000,00 to 400,000,000 possibilities per second on a standard desktop or laptop system. That’s an amazing number, but given a solid, complex passphrase like “This 2 is a complex password!” a brute force attack has 7.29x1053 possible combinations. At the top end, banging through 400 million combinations per second, it would take 5.78x1037 years to try all the possibilities. For this reason, there’s no room for wasted time or extra effort.
JTR offers practitioners of the security art an abundance of options. When students take their first shot at this assignment they tend to go overboard with options. In class I often cite Occam ’s razor and this is key to the assignment. The assignment is straightforward. It doesn’t require a complex series of steps or exhaustive solutions. A student’s life is hectic enough without busy work from my course. In the words of Albert Einstein, "Make everything as simple as possible, but not simpler."