Password Cracking

Question

I've asked this question once before on here and didn't get the answer I was looking for, but I got another method of doing it. so here I go again.

(The problem with the previous found answer was that it was extremely efficient, a bit too efficient. I couldn't count comparisons, and I wanted it to be the most bare bone way of finding the password, so that I can implement a rating system to it.)

I am looking to make a password rating program that rates a password based off of the length of time, and the amount of comparisons the program had to make in order to find the correct password.

I'm looking to use multiple different methods in order to crack the input, ex : comparing the input to a database of common words, and generating all possibilities for a password starting with the first character.

Problem :

I can't find a way to start with one element in a list, we will call it A.

Running A through chr(32) - chr(127) ('space' - '~'), and then adding a second element to a list called B.

For the second loop, set A = chr(32) and B would then run through chr(32) - chr(127). A would then turn into chr(33) and B would run through all characters and so forth. until all possible options have been compared, then for the next loop it would add another element onto the list and continue the search, starting with chr(32), chr(32), chr(32-127). Continuing this pattern until it finds the correct password.

This is the closest I could get to something that would work (I know it's terrible).

while ''.join(passCheck) != ''.join(usrPassword) :


    for i in range(0, len(usrPassword)) :
        if ''.join(passCheck) != ''.join(usrPassword) :
            passCheck.append(' ')

            for j in range(32, 127) :
                if ''.join(passCheck) != ''.join(usrPassword) :
                    passCheck[i] = chr(j)
                    for k in range(0, len(passCheck)) :
                        for l in range(32, 127) :
                            if ''.join(passCheck) != ''.join(usrPassword) :
                                passCheck[k] = chr(l)
                                print(passCheck)

Royce Williams · Accepted Answer

The answer to this question is that you probably want to ask a different one, unfortunately.

Checking password strength is not as simple as calculating all possible combinations, Shannon entropy, etc.

What matters is what's called "guessing entropy", which is a devilishly complex mix of raw bruteforce entropy, known password lists and password leak lists, rules applied to those lists, Levenshtein distance from the elements in those lists, human-generated strings and phrases, keyboard walks, etc.

Further, password strength is deeply rooted in the question "How was this password generated?" ... which is very hard indeed to automatically detect and calculate after the fact. As humans, we can approximate this in many cases by reverse-engineering the psychology of how people select passwords ... but this is still an art, not a science.

For example, 'itsmypartyandillcryifiwantto' is a terrible password, even though its Shannon entropy is quite large. And 'WYuNLDcp0yhsZXvstXko' is a randomly-generated password ... but now that it's public, it's a bad one. And until you know how passwords like 'qscwdvefbrgn' or 'ji32k7au4a83' were generated, they look strong ... but they are definitely not.

So if you apply the strict answer to your question, you're likely to get a tool that dramatically overestimates the strength of many passwords. If your goal is to actually encourage your users to create passwords resistant to bruteforce, you should instead encourage them to use randomly generated passphrases, and ensure that your passwords are stored using a very slow hash (Argon2 family, scrypt, bcrypt, etc. - but be sure to bench these for UX and server performance before choosing one).

References and further reading (disclaimer: some are my answers or have my comments):

Password Cracking

Answers (2)

Related Questions