Linux Format

Cracking passwords

Learn some good password hygiene and use John the Ripper to compromise those who don’t bother.


People and passwords were never a good mix. Users continue to reuse passwords (or use easily guessed variations of them). Site admins (or the software that runs their sites) are generally good at no longer storing passwords in plain text. Instead, hashed passwords (where an easy-to-apply but hard-to-reverse function is applied to the password) are stored so that nosy sysadmins can’t see your password. We should also note most sites have stringent (sometimes pointlessly so) requirements on length, capitalisation and special characters.

Besides hashing, it’s de rigueur to store a random ‘salt’ value alongside the password and use both as inputs of the hash function. These hashed and salted passwords ensure that even if two users have the same password, the stored image of it is different. So, anyone trying to crack a bunch of salted and hashed passwords stolen from a database breach doesn’t get access to several accounts if they find one careless user using password1. Unfortunately, advances in CPU and GPU tech mean that such hashes can be brute-forced at several million attempts per second.
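The following is an added example, not code from the article, showing the salted storage scheme described above beside the unsalted scheme it replaces. It uses Python's standard-library PBKDF2 (an assumed choice of slow hash; the article names no particular algorithm) with a random 16-byte salt per user, and the iteration count is an assumed work factor you would tune to your hardware. The point to notice is that two users who both pick password1 end up with different stored records, while the unsalted SHA-256 of password1 is identical for both.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor: enough PBKDF2 rounds to make each guess cost real CPU time.
ITERATIONS = 210_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    A fresh random salt is drawn for every call unless one is supplied, so
    identical passwords never produce identical records.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare.

    The salt and iteration count travel with the record, so the verifier needs
    no global configuration, and a constant-time comparison avoids leaking how
    many leading bytes matched.
    """
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def unsalted_sha256(password: str) -> str:
    """The scheme the article warns about: no salt, one fast hash round.

    Every user with the same password gets the same stored value, so cracking
    one entry cracks them all, and a fast hash invites brute force.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample: two careless users who both chose password1.
    alice = hash_password("password1")
    bob = hash_password("password1")
    print("salted  alice:", alice)
    print("salted  bob:  ", bob)
    print("records differ:", alice != bob)
    print("unsalted match:", unsalted_sha256("password1") == unsalted_sha256("password1"))
    print("verify ok:", verify_password("password1", alice), verify_password("password1", bob))
    print("wrong pw:", verify_password("password2", alice))
```

Storing the iteration count inside the record is what lets you raise the work factor later and rehash each user on their next successful login without a flag day.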

This is why guidance on password length has gone from eight characters (around 50 bits of entropy if you want to get technical) a decade ago to sites mandating 12 characters (80 bits of entropy) today. We couldn’t have this discussion without first referring you to https://xkcd.com/936. That should illustrate why most people are bad at passwords, and why you should use a passphrase or trust your password manager instead.

An attacker isn’t going to get far if they start trying to brute-force credentials directly into a website. That site should notice all the failed attempts and block the chancer’s IP for a period of time. Instead, attackers rely on exfiltrated lists of usernames and password hashes that they can bang hardware against with impunity.

To help with password-cracking, Kali Linux includes the popular RockYou wordlist, a compressed text file containing some 14 million words. Password crackers such as Hashcat or John the Ripper (see the box, below) can use this or other wordlists either directly (in wordlist mode) or by combining different words and applying common mutations (such as exchanging the number 0 for the letter o). This latter, more powerful mode is known as dictionary mode.
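The following is an added example, not code from the article, of the defender's side of the last two paragraphs: a registration-time screen that applies the same kind of mutations a cracker's rules would (case folding, reversing common 0-for-o style substitutions, stripping trailing digits and punctuation) so that a password derived from a wordlist entry is rejected even when a naive entropy count looks healthy. The wordlist is a constructed handful of words standing in for RockYou, the leet table and the 80-bit threshold are assumptions, and the entropy figure is the length-times-log2(alphabet) estimate the article quotes (8 printable-ASCII characters give about 52.6 bits, 12 about 78.8).

```python
import math
import re

# Constructed stand-in for a real wordlist such as RockYou (a few entries only).
COMMON_WORDS = {"password", "letmein", "qwerty", "dragon", "monkey", "troubador"}

# Reverse of the substitutions cracking rules commonly apply (assumed table),
# so P@ssw0rd collapses back to the dictionary word it was built from.
LEET_REVERSE = str.maketrans(
    {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"}
)


def candidate_variants(password: str) -> set:
    """Return the plain forms a mutated password could have been derived from."""
    lower = password.lower()
    stripped = re.sub(r"[^a-z]+$", "", lower)  # drop trailing digits/punctuation
    return {lower, stripped, lower.translate(LEET_REVERSE), stripped.translate(LEET_REVERSE)}


def naive_entropy_bits(password: str) -> float:
    """Length * log2(pool), assuming every character was drawn at random.

    This is the figure the article quotes (8 chars of printable ASCII = ~52.6
    bits); it overstates the strength of anything a human actually chose.
    """
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        pool += 33  # printable ASCII punctuation plus space
    return len(password) * math.log2(pool) if pool else 0.0


def assess(password: str, wordlist=COMMON_WORDS, min_bits: float = 80.0) -> dict:
    """Reject wordlist-derived passwords first, then apply the entropy floor."""
    matched = next((v for v in sorted(candidate_variants(password)) if v in wordlist), None)
    bits = naive_entropy_bits(password)
    if matched is not None:
        verdict = f"reject: derived from wordlist entry '{matched}'"
    elif bits < min_bits:
        verdict = f"reject: only {bits:.1f} bits even if fully random"
    else:
        verdict = "accept"
    return {"password": password, "entropy_bits": round(bits, 1), "matched": matched, "verdict": verdict}


if __name__ == "__main__":
    # Constructed samples, including the two from the xkcd strip the article cites.
    for pw in ["P@ssw0rd1!", "Tr0ub4dor&3", "aaaaaaaa", "correct horse battery staple"]:
        print(assess(pw))
```

P@ssw0rd1! scores 65.7 bits on the naive count yet is rejected because one rule pass turns it back into "password"; the four-word passphrase is accepted because no mutation maps it onto a list entry and its length carries it well past the threshold.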

This classic xkcd sketch describes password strength much better than we can.
The unofficial John the Ripper logo, which you can get on a T-shirt if you want to support the project.
