Does anyone have any good software to test passwords? All I can find on YouTube is how to break into servers. I want to see how good my passwords are.
I do not want to test them on a website. Can Kali be used?
Thanks
Steve Gibson has this:
https://www.grc.com/haystack.htm
There seems to be a problem with Password Strength Analyzer: it will not let me enter a password. I cannot type anything into the “Enter a password” field.
Hmm, I don’t seem to have that issue. Maybe your browser or something is blocking the page from loading completely.
Kali Linux includes a package called John the Ripper.
It’s extremely powerful and breaks almost any password. I last used Kali to break into my dad’s machine after he passed so I could pass the data back to my parents’ estate; it was done in less than 30 seconds. The only tricky part was creating a bootable thumb drive with the image on it. I only had a Mac laptop at the time and was out of practice.
You want to test a password before it is accepted when setting a new password? @xMAXIMUSx provided some tools.
If you want to test existing passwords, you need to have access to the file/DB containing the password hash values. When you have that access, you need to run a tool that guesses passwords based on lists and rules. There are many tools that can do it, but the best is hashcat. The problem here is that this needs a lot of computational power. Normally, if you do this as a hacker, or in a company for password strengthening and policy enforcement, you build a custom machine that contains a lot of GPGPU boards. This speeds things up, but it will cost money to build it, and also for continuous power consumption.
Doing this on a standard CPU is not going to be fun at all.
Your problem is not finding the software. Your problem is not having the right hardware.
Your dad’s password must have been dead easy to guess. We have a custom machine for this and it runs every week in a cycle of 7 days, just to comb through all accounts of the company.
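As an added illustration of the cost point made here (my own example code, not a tool from this thread): the guess rate an attacker gets is a product of the hardware and of the hash the passwords are stored with. The block times a fast unsalted hash (sha256 stands in for the unsalted MD4-based NT hash a Windows SAM holds) against PBKDF2, a deliberately slow key-derivation function of the kind Linux shadow files use (sha512crypt/yescrypt), and turns the measured rates into the worst-case time to exhaust an 8-character keyspace on one CPU core. The candidate list, iteration count and keyspace parameters are constructed assumptions.

```python
"""Why the guess rate depends on the hash as much as on the hardware.

Added example for this thread (not a tool from it): time a fast unsalted
hash against a deliberately slow password KDF on the local CPU, then turn
the measured guess rates into time-to-exhaust for a small keyspace.
Candidate list, iteration count and keyspace parameters are constructed."""
import hashlib
import os
import time

# Constructed candidate list standing in for a word list; the content does not
# matter, only that every guess costs one hash computation.
CANDIDATES = [f"summer{n:04d}" for n in range(400)]
SALT = os.urandom(16)  # per-user salt, as a real slow-hash scheme would store it


def guess_fast(candidate):
    """One guess against a fast unsalted hash (stand-in for NT-hash-style storage)."""
    return hashlib.sha256(candidate.encode()).digest()


def guess_slow(candidate, iterations=20_000):
    """One guess against PBKDF2-HMAC-SHA256; each guess costs `iterations` HMACs."""
    return hashlib.pbkdf2_hmac("sha256", candidate.encode(), SALT, iterations)


def measure_rate(guess_fn, candidates):
    """Guesses per second for `guess_fn` on this CPU, measured over `candidates`."""
    start = time.perf_counter()
    for c in candidates:
        guess_fn(c)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return len(candidates) / elapsed


def keyspace_size(pool, length):
    """Number of candidates of `length` characters drawn from `pool` symbols."""
    return pool ** length


def seconds_to_exhaust(pool, length, guesses_per_second):
    """Worst-case time to try every candidate in the keyspace at the given rate."""
    return keyspace_size(pool, length) / guesses_per_second


def compare(candidates=CANDIDATES, iterations=20_000):
    """Measured rates for both schemes and the cost multiplier the slow KDF imposes."""
    fast = measure_rate(guess_fast, candidates)
    slow = measure_rate(lambda c: guess_slow(c, iterations), candidates[:20])
    return {"fast_per_s": fast, "slow_per_s": slow, "slowdown": fast / slow}


if __name__ == "__main__":
    r = compare()
    print(f"fast hash: {r['fast_per_s']:,.0f} guesses/s")
    print(f"PBKDF2:    {r['slow_per_s']:,.1f} guesses/s  (x{r['slowdown']:,.0f} slower)")
    # Eight lowercase-plus-digit characters (a common minimum) on this one core:
    for label, rate in (("fast", r["fast_per_s"]), ("slow", r["slow_per_s"])):
        days = seconds_to_exhaust(36, 8, rate) / 86_400
        print(f"  36^8 keyspace, {label} hash: {days:,.0f} days")
```

The multiplier is the defender's lever: a GPU rig scales both rates, but a slow, salted KDF keeps the attacker's per-guess cost high and forces each user's hash to be attacked separately, which is why cracking a SAM file is so much faster than cracking a shadow file of the same size.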
I was hoping that I could enter a password into something like John The Ripper to see what it might take to crack it. I don’t want to break into anything.
I know there are websites that can check passwords, but I don’t trust them. Most of my passwords are created with KeePass and are 100 bits.
Mostly something to fool around with. I have friends that use WAY too simple passwords even though I tell them they need something else…
Thanks
Those password checking websites actually run locally in your browser, so they won’t even see it. Even with malicious ones, what are they going to use the password on, as they don’t know which account it is for unless you also supply it?
If you’re paranoid, what you can do is use a password similar to what you’re going to use, just to test the strength.
Likely it was. I also ran a bunch of other passwords on it and it cracked those as well very quickly, some faster than others. Its specialty, though, is cracking Windows SAM files and Linux shadow passwords. If the documentation is to be believed, email server passwords are an option; I never bothered with that. The longest I’ve seen JTR take to break a password is 30 days.
Don’t let those hacker videos make you crazy. Brute force attacks with that many attempts not only require powerful hardware, they usually also require physical access to a device or file they want to crack, because online services and also login/display managers on modern operating systems have rate limits in place that will slow down login attempts after multiple failed attempts.
For example, to crack a laptop with secure boot and disk encryption, the hackers would need physical access to the device, and then they would have to overcome the hurdles that secure boot and disk encryption present before they could unleash the full power of their GPGPU on a Windows SAM file or Linux shadow passwords.
My tip for online services: Implement a password manager such as Bitwarden. Tell users to generate passwords with at least 24 or 32 random characters and use 2FA.
For hardware, if you are running Windows, use Secure Boot and Bitlocker, which is usually enabled by default on new machines, and then some 2FA method for the Windows login, preferably with a hardware token / smart card.
For Linux, you can do similar things with LUKS, but it is more difficult to set up, especially if you want to tie it to secure boot and/or hardware tokens.
Configuring LUKS on Linux isn’t too hard. The installer would ask you if you want to encrypt the entire hard drive and it will automatically set it up for you. That is the only time I would make use of full disk encryption during fresh OS install.
I have set up LUKS on external hard drives and it’s a PITA, so I use VeraCrypt for that.
Yes, you’re right, but it gets hard(er) if you want to tie it to secure boot and/or hardware tokens, or any form of 2FA.
Or at least all the installers of Linux distributions I know only offer to set a passphrase, which I think generally leaves LUKS vulnerable to bruteforce attacks like the ones mentioned in this thread.
Of course, such a bruteforce attack could then take anything from a few seconds to a few hundred years, depending on the strength of the passphrase and the amount and computing power the hackers are able to throw at it.
I have looked into using a YubiKey for LUKS so it wouldn’t ask for a password during boot, but the directions on how to set this up are an absolute nightmare, and if you get it wrong you’re screwed. So a really long password with special chars is good enough for me.
Maybe in the future the OS installers could incorporate the use of security keys such as YubiKey. I currently use a YubiKey Nano that always stays in my laptop. It would defeat the purpose of protecting the hard drive if I forget to remove it.
Although I could use a biometrics-enabled security key, it seems only YubiKey has full support for LUKS, and their bio key is friggin expensive. Plus it lacks all the cool features of the YubiKey 5 NFC series.
Yeah they absolutely should do that!
Remember the point I was trying to make, that people shouldn’t get crazy about bruteforce attacks because online services have implemented additional hurdles that slow down bruteforce attacks and 2FA, and also because you can use password managers and therefore actually use strong passwords, or because on hardware there are hurdles like Secure Boot that you have to get over first to be able to attack the disk encryption.
Unfortunately, this is not the case with LUKS at all, at least not in the way that mainstream distributions have implemented it and present it to ordinary end users.
Not that I think how Windows handles this by relying solely on Secure Boot and device security is the best way to do it, but it’s still way better than relying on passwords, for one simple reason:
Nobody wants to type in a 60+ character passphrase every time they start their computer, so users are going to use weak passwords.
At least I don’t use the name of my dog, the birthday of my child, or my wedding date for LUKS. But only because I have no dog, no children and am not married.
If anyone figures out my passwords I will have to rename my kids.
A good password should not have to be tested is my $0.02
Knowledge of how passwords work precludes the need for tests.
Somewhere between xkcd: Password Strength
and HashCrack:
You have to start realizing complex passwords do NOT have to be hard, and everything clever you think you could use to avoid that is just leverage against you.
Consider: All you have to do is make a password so sufficiently complex that no knowledge anyone could gain about you would tip off its structure, and favor any vector over brute force. And use MFA. It is absolutely that simple.
From the same length/key/entropy you can derive the following:
GwtR24!#@bgst2!
45+Jam=MyAccess
One is a PIA to remember, the other not so much. Mathematically identical time to crack, but the idea that the fact it contains dictionary words makes it easier to crack is not sound logic.
Cycling through known word lists and all the permutations of how they could be combined is a crapshoot only marginally more effective than brute force, and only then if the password had been something that followed a common rule like 1CatFi$hGo@t25!, where wordlist + l33t + common prefix/suffix special chars/numbers might yield better results. And when it fails you just added trillions of wrong tries before brute force even started, which will almost assuredly repeat what just failed again, as it would be more computationally expensive to try and filter them out of the BF attack! If these methods cannot be leveraged, and no other side channel from OS to application architecture exists, then the words are meaningless, and could have been the result of randomly pulling 15 chars from the pool that landed right there as a random password.
Passwords forced to change will most commonly have a 1 || ! appended to the beginning or end but remain otherwise largely the same. Leet is the deadliest of “clever”. Men are more likely to use pet and family names, men more likely to use hobbies and sports; adding numbers to passwords as a requirement averages 2-3 chars, more often than not at the end of the string. Successive number sequences are ~70% more likely to be targets: meaningful dates (anniversaries, graduations, birthdays, etc.), and successive numeric sequences are largely more likely to be linear groups (like 123 || 789 || 135) or keywalks (like 794613 or 456852). There is more psychology to successful PW cracking than math and tech.
The rule there that people will try to associate commonality to randomness is called “the gambler’s fallacy”. That there is a pattern in the noise. When in fact it is just noise.
You cannot decrypt a partial password with a proper hash, so there is no tell there.
And in fact, when you stop to think of the things that people do to try and stay random, you are creating vectors. Your password policy excludes all English dictionary words between 3 and 12 chars? Cool, I will set my cracking efforts to exclude those. Your password policy prevents a threshold of 35% similarity to the last 10 old passwords? Cool, the old password I tried is changed every 90 days and is 1.5 years old; that still gives me an edge to decrease brute force counts.
Require it be a reasonable length, require it have at least 1 char from each of these pools, and teach your users basic password security. Because if that fails it was the user, and any attempts to stop them with patterns vs L/K/E made it less effective. Understand the attacker and their ways; don’t make it easy.
Lastly, extremely complex PW requirements enforcing absolute randomness increase the chances people will copy/paste passwords vs retain them. Or store them all in one place under a master password…
I have busted passwords for decades; the weak link is ALWAYS the clever user. And I have done presentations before where everyone chose a random password, we displayed them non-identifyingly on screen and dug into them. Try it one day, it’s great fun.
Nutrition for cognition
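Since the post above contrasts a password’s keyspace (strength) with the patterns that guessing rules target (resilience), here is an added, offline estimator in Python that is not from any poster or tool named in this thread. It computes the brute-force keyspace from length and character pool, shows that the two 15-character passwords above score identically by that measure, and separately flags dictionary words (after undoing leet substitutions), keyboard walks and trailing digit suffixes. The word list, leet map, keyboard-walk table and the two guess rates are constructed assumptions for illustration.

```python
"""Offline password assessment: brute-force entropy ("strength") versus
pattern findings that guessing rules exploit ("resilience").

Added example for this thread; not a tool from the thread. The word list,
guess rates and pattern rules below are constructed for illustration."""
import math
import re
import string

# Constructed mini dictionary; a real check would load a full word list file.
WORDS = {"jam", "access", "cat", "fish", "goat", "password", "summer", "dragon", "monkey"}

# Undo common leet substitutions before dictionary matching (0->o, 1->l, 3->e, ...).
LEET = str.maketrans("01345$@!", "oleassai")

# Assumed guess rates: an offline GPU rig against a fast unsalted hash, versus an
# online service that rate-limits login attempts. Both are constructed numbers.
GUESS_RATES = {"offline_gpu": 1e11, "online_rate_limited": 10.0}


def _walk_fragments():
    """Keyboard-walk fragments: 4-char runs on letter rows, 3-char runs on the
    digit row and numpad lines, in both directions."""
    frags = set()
    for row in ("qwertyuiop", "asdfghjkl", "zxcvbnm"):
        for seq in (row, row[::-1]):
            frags.update(seq[i:i + 4] for i in range(len(seq) - 3))
    for line in ("1234567890", "147", "258", "369", "159", "357"):
        for seq in (line, line[::-1]):
            frags.update(seq[i:i + 3] for i in range(len(seq) - 2))
    return frags


WALKS = _walk_fragments()


def pool_size(pw):
    """Size of the character pool an attacker must assume from the classes present."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def entropy_bits(pw):
    """Brute-force keyspace in bits: length * log2(pool). Pure math, no semantics."""
    return len(pw) * math.log2(pool_size(pw)) if pw else 0.0


def expected_crack_seconds(bits, guesses_per_second):
    """Expected time to hit the password: half the keyspace at the given rate."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def dictionary_words(pw):
    """Dictionary words (3+ letters) present after undoing leet substitutions."""
    normalized = pw.lower().translate(LEET)
    return sorted(w for w in WORDS if len(w) >= 3 and w in normalized)


def keyboard_walks(pw):
    """Keyboard-walk fragments such as 456 or 852 found in the password."""
    low = pw.lower()
    hits = {low[i:i + n] for n in (3, 4) for i in range(len(low) - n + 1)
            if low[i:i + n] in WALKS}
    return sorted(hits)


def has_trailing_digits(pw):
    """The 2-4 digits (plus optional symbol) that forced password changes push to the end."""
    return re.search(r"\d{2,4}[^\w\s]?$", pw) is not None


def assess(pw):
    """Combine the keyspace figure with the pattern findings for one password."""
    bits = entropy_bits(pw)
    return {
        "bits": round(bits, 1),
        "crack_seconds": {k: expected_crack_seconds(bits, r) for k, r in GUESS_RATES.items()},
        "words": dictionary_words(pw),
        "walks": keyboard_walks(pw),
        "trailing_digits": has_trailing_digits(pw),
    }


if __name__ == "__main__":
    # The three 15-character examples from the thread plus a numpad keywalk.
    for candidate in ("GwtR24!#@bgst2!", "45+Jam=MyAccess", "1CatFi$hGo@t25!", "456852"):
        print(candidate, assess(candidate))
```

The “bits” figure is the only thing a checker can state from the password alone; the pattern findings are hints about which guessing rules would reach it early, and they say nothing about the personal research an attacker could add once a hash is tied to a person.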
All good and shiny, as long as you teach only yourself.
If you talk about employees of a company there will always be weak passwords, even with the simple rules you proposed.
Getting people to enact proper password security is simply not possible across all employees. The problem is that if someone gets hold of the hashes they can crack all the hashes simultaneously, so the weak accounts fall first.
In such a setting you cannot get away without continuous cracking of the user passwords and enforcing a password change for the cracked accounts.
While I agree, and as I stated above, it’s a human problem. You can herd them all you want, but when it comes to password management, enforcing L/K/E is your only real defense; then it goes to training. The simplest user will out-dumb the best admin all day every day.
Password strength and resilience are not measuring the same quanta, in the SAME password.
The point was that a password check tool will accurately tell you nothing short of a password’s crackability by math (strength). All the other contributing factors to password efficacy (resilience) are impossible to determine from the password alone.
Most will, however, report things like it being weaker because it contains a string of chars that equates to a known pattern (which may or may not be true depending on what it is), or miss it being easy because you used your wedding anniversary and dog’s name with a ! at the end (which may or may not be true depending on whether they can tie the hash to a person and do research).
I cannot fathom how much number crunching power it would be to maintain a self hash cracking program even on the most modest orgs, but I can certainly petition my brass for a cracking rig that will certainly at least be used for its intended purpose on Sundays!