Re: Password cracking algorithm

Some points to consider:

As stated, given current hardware it'll take many, many years to crack a password the way you're doing it, so we need another approach.
How do you know the passwords are 16 characters? What about 15, 14, etc? Which characters are you assuming to be in the password?
You have to narrow the possible spread of passwords. Have automated methods of gaining as much information as possible. If passwords are randomly generated, attack the algorithm that generates them. If they're created in such a way to be memorable, take this into account. Obtaining the target's password generation policy would obviously be a major advantage (remember, insiders can perform the attack as well).
Have you considered alternatives? Some of them aren't that great, but given your approach they would probably be a good starting point. Check out John the Ripper for one of the better ones.
How is this going to run undetected? That's a much greater problem. Proper logging is essential to security.
Finally, are you focusing too much on password cracking? Often there are many weaker points of entry you can exploit. If passwords are truly randomly generated 16-char (alpha-U/L, numeric, punctuation/symbols) strings, you're not going to be able to crack them and will have to find a different point of entry.

If you're looking for a general security resource, you should take a look at Practical Unix & Internet Security, 3rd Edition, it's a damn good book, one of the best I've ever read on security.

Best of luck with the security company :)

Comment on Re: Password cracking algorithm

Replies are listed 'Best First'.
Re: Re: Password cracking algorithm by waswas-fng (Curate) on Jul 22, 2003 at 04:19 UTC
A few more points: The only reason you would need to check all possible passwords is to crack a password -- if you are looking to test security check for weak passwords (dictonary words). There is no other reason to try such a silly task. The only ways someone would be able to crack a password on your system are If they know a user name, if they have access to the file or store that contains the password, or have unfettered access to "try" passwords against that store. Look to stop these 3 things and find weak passwords and you are as secure as you can be (password wise at least) -Waswas	[reply]

Replies are listed 'Best First'.

Re: Re: Password cracking algorithm
by waswas-fng (Curate) on Jul 22, 2003 at 04:19 UTC

The only reason you would need to check all possible passwords is to crack a password -- if you are looking to test security check for weak passwords (dictonary words). There is no other reason to try such a silly task.
The only ways someone would be able to crack a password on your system are If they know a user name, if they have access to the file or store that contains the password, or have unfettered access to "try" passwords against that store. Look to stop these 3 things and find weak passwords and you are as secure as you can be (password wise at least)

-Waswas

[reply]