Context

Password cracking is the process that consists in recovering passwords from databases. Passwords are usually hashed when stored. The basic idea of a hash function is that it takes an input and produces as output a message of a fixed length. (Good) cryptographic hash functions have the property of being very easy to compute, but extremely difficult to reverse, i.e. given the output, it should not be possible to find the input, and it should also not be possible to find two inputs that produce the same output.

In the real world, passwords are sometimes stored in an unsecure fashion, and users tend to choose weak passwords and to reuse them, all of which has consequences on password cracking.

Aim

Crack the passwords of these two /etc/shadow files.

To leak or not to leak

salerio:$1$mjLzhvOp$VtIyglmDjVLXO0g2cNAJl.
margarelon:$1$erIFsKcH$/TOC8S0SPLAit37sUFk/B0
alarbus:$1$ecACRkQG$.wX8HYEA4xzzvepv0eoVa0
aaron:$1$KEzkWFUC$eL4qLFJlseHAHmUNoJhg1/
mowbray:$1$gSouAcPv$1Tn.K13ooMglyK6h2KfLs1
holofernes:$1$qFBfzKoV$f.FgPFprYJX92af8kFq2d0
imogen:$1$SQoifnOx$.T2y8M4EPKUjqZiBi8TJL0
menteth:$1$aeLWmznG$.vYtwScfdrgP0.32Xksns1
petruchio:$1$lYTtciAX$8G8n6txea09tzPyT0CvmJ.
macduff:$1$KJiqLjND$p5CAwmvMQPsiUNtFAOLWH/
artemidorus:$1$AvVxmyXK$v6XuCcLlqJLFOmlnK4Rys.
fleance:$1$JuxytbgR$CzaiUfzwtnJuSiiPImSZI1
northumberland:$1$YIrycHdf$Uxo6OvPyRlwhi3EpTV6zV/
pirithous:$1$FWoOtJcr$.Fd8wASJVYJjV.rDxtM0D.
nerissa:$1$pnusHNzm$cQnrhWj5ajDHpqRnqVF540
parolles:$1$NFauJXBo$qWZzffFBlMvPdshrLhQeC.
launce:$6$SICtrDkm$AQvHbAOKrFJB8Fzz9sx.6IHUv.ZCZhYCPC4Kdamtjrq29OfKOvz/W/h5zR.Y2YcYKdVYQrzeIfRY4eFNklfpv.
panthino:$6$CJaRdPGk$II67nvA36gDffbQ6/7rOHwKLJrdOHn3ZtntT31VNSVyYRqIyTo6FwN9h6OSanKGF9GckE8holoQnEkRkKab3o/
marcade:$6$MlmtzraC$od6sSBuhGdYV75r647WRNIz7hDu3vp.4lG0a3.NhH5LWRKOkPvfAhB4EdqfRbJYz9UQ0QDRFgzGckE7T6jPOv0
sempronius:$6$cizGVvYj$bgLnABgksDTe9XYZ5RoZjOTCqD7ZvaLWJjHa83DyG5sPrRq4PpCTlB8hZWb6FM7SRD9wojwBZN/4nReTkFnK3.
desdemona:$6$VkSFKuZN$rzWt5rtcDO9hnmBXpZqtQvAL.Ku3ZqUqg3rDh0/o.c.XVHu2J1MYluRhsY5ZqukSDrJbBPI8suPfrOvszP92g/
philotus:$6$sIakWrxh$TrL2dCZwoqfdmLtUpJI82WbCzZaA0dggi/4SXIGSoZoSHX4oCaVgrFw3RUrN84CWQcqklL7kkipMvh2xmp3uU1
rosalind:$6$RNyFqYbw$79kceN/aC0jE3RLIhNi801t6hTb4dJrHuTD8qFFgsQdnAOJtvKDUxBWP4valkEN6ViX3ylui0RLfHbHmgvLnf1
proculeius:$6$CcIRBzhK$4c32G0stv79RnJc7fmnx8iKvK1OFm9RAIAxM3zzC3CteqC1qXtUV1bvuP/rz98ZDHKjtiqHeJxWYam6Vq2QeW0
balthasar:$6$ruegsGbY$ymbDwKc8jEZaFZg85on.RViwLcEvbY2q97/7ThKmtgS1vF0FlAWmvCB5L/w23HHRXw2siLrZRCNQK34Uog7NE.
guildenstern:$6$MsPpoCAn$NjuVwL6KfA2ihVD0hZMxSY7gEafi1Kw5iaiur1hFK1UeiHCGz7QZcamOJYjG7llSrAKDbtzxoQsJ744rGC5c20
lysimachus:$6$JCFMaLyq$VIh/8hs5e7xwNYGzo4KV8US7KJrlg99csljKiiw31kKBU3VfophCZV0/U6vdEc.HVzNuJ47rY2xZftAA5DKUL/
alonso:$6$tIoUpGAb$HXdW2Ffv.B2WpgJwSvtuI//OfCnN.ZsD./MpNmC.UD.7dAgQK8tfxqFRKHZATk9JE5QOz5mvdwgLiSo26M4WS.
mustardseed:$6$nBVJtHLS$PpZrbv.qy78c9eFY5AR7Dn/CJo.7btktS/xKBkJb25ez0p6GAK8TR0Sqp9RM92QJQTElOP8j/VWKnZnDjSIrX1
laertes:$6$cEWiUxQg$uNpNB6EW7JC3SsMeSER.6t7dL/Mma1cMW89Oh9eL40dRKF84pxgAqI.N4uBM1wI.wRgb6wpNIu7nRGo7wsZ8A1
hughoatcake:$6$tubFWfyw$LgLyjIOsj6xCbAWLxkg2nHQ9N55lVGIRUJpcZc0krfCRQxiMTnOaG.o7pN30eboZ7De0w4jhlJ6oHSvlaDr0e.
peaseblossom:$6$QhdxekFz$0LwXmAbaP2KOR//5wPkMPnIwz6TXoMAH3sbJpsGI/ObRE3ylOE8kbzbnm/n52kLHFVFXVBo6kwOcnGg6/MsHX/
cadwal:$6$blyizGWp$mvzU67d0qJ2B9KYC9Hm0IySyGBu9Kcmp2qyCNno/GUdiS1nIVU7VKeE1M5dGBnPaLGNecz7Pxu09ubfqJ5xTT.
jaques:$6$zfQSqlMF$HwRB9shPx.MxSlSB654uk1Ne5d6LGiTPmqjITM4lsjJN3W83uA5iyrPB3GBJASMOP2t79rafqaNMPwvvj1PBX/
harcourt:$6$BqHAgpfh$umRG6LyhNWrZ8XKiJZRTVUuO9AWrILEZZNiryHbexf8n/X8Pqoxx8K4v8iLAzgd1qqOPbiKAUpvBXvxV.HQNB1
helicanus:$6$pfMvOZFR$20XKBV6eqmwdY7DZJmAYd0qKRnQcGOrcSnUqRbonBVCfNmJNvlaXSHqp.4.JvScrDfzp9EaHVaA7/yTMJlUMF.
dogberry:$6$uSnKfOqk$R2r4pXHE5dx4BCd0I3zPQMLVulg3ctY/5QDB1L3h/L1TiwfLSDo5eL726bygZVUC2LBv3S8RWR.SS8qINRVEj/

Marvelous passwords

The passwords of these two users leaked:

janefoster:amazing_msmarvel_35
hummingbird:incredible_antman_66

You have access to these hashed passwords:

caroldanvers:$1$dSuoMcJz$P/StAF/tqCtnE27ycmho3.
jessicajones:$1$cvurTLZK$erTdabj0L5W.BM4hdSffZ0
jeangrey:$1$cfICGhAq$tltrAyn1BR71hbBKyuTF40
gwenstacey:$1$bUIfJWrl$3suQ7j7nxzeOHtIHwPv/n0
kamalakahn:$1$NxRHyDMF$b.3VlH3eOl87IdN0gUqMn1
gwenpool:$1$FkpTZjtP$WRp6sosWjSuwC/lz6Gc0N/
medusa:$1$oTKYVDkA$Mt84HC5LNDbO14pkM/P4h/
cassandralang:$1$MBYKAwJq$8QmBB.vtBHLzzEEWAT9kg/

Help!

Strategies at your disposition

Spoiler

RockYou?

Spoiler

We’re bored

I am pretty sure you did not crack all the passwords in the two files, but if you insist, contact me to obtain a real-life leaked database.

Bibliography

During the final presentation, you should summarize these two papers:

• Blase Ur, Sean M. Segreti, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Saranga Komanduri, Darya Kurilova, Michelle L. Mazurek, William Melicher, Richard Shay: Measuring Real-World Accuracies and Biases in Modeling Password Guessability. USENIX Security Symposium 2015: 463-481 https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-ur.pdf
• Saranga Komanduri, Richard Shay, Patrick Gage Kelley, Michelle L. Mazurek, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Serge Egelman: Of passwords and people: measuring the effect of password-composition policies. CHI 2011: 2595-2604 https://www.guanotronic.com/~serge/papers/chi11b.pdf