4

I am using John the Ripper to crack passwords in a copy of the passwd file at my work. I want to alert users that have weak passwords. I happen to know that many accounts have the default password which is different for every user but matches a specific pattern.

Let's say this is the default password format:

'[2nd and 3rd characters in username]cc\d\d\l\l'

where c is a constant (the same in every password), \d is a single digit (0-9) and \l is a single lowercase letter.

How would I write a custom rule in john.conf that would check all hashes for all combinations that fit this format before trying anything else? I've tried to figure it out myself but I can't find any good documentation.

jamesbtate
  • I think a better use of time, would be to notify the users of a change in policy and adjust your password complexity requirements accordingly. – DanBig Jan 19 '11 at 18:29
  • For the time being, that isn't possible. Some of the more senior admins are very set in their ways – jamesbtate Jan 19 '11 at 18:36
  • @Dan - But that's not fun. – Cody Harlow Jan 19 '11 at 18:38
  • Wouldn't it be easier to just force an organization wide password change? If you don't have any enforced password policies, then people have bad passwords. Trying to deal with them individually seems silly. – Zoredache Jan 19 '11 at 18:38
  • I'd have to agree with others' sentiments... the approach to the problem here is akin to using a screwdriver as a hammer. It may work, but it's not the proper solution. – Bart Silverstrim Jan 19 '11 at 18:42

1 Answer

2

I agree with the other statements here. However, in my opinion, it would be so much easier for you to "echo defaultpassword | md5sum" and grep for that string in /etc/passwd than to try to crack every password, just to answer your question about finding users who have not changed their default yet. Why would it not be enforced to change on first login anyway?

John
  • Our system is Solaris NIS and it was set up back in the Solaris 8 days when password ageing wasn't easy to get working. Nowadays we're on Solaris 10 where it is fairly easy but none of the other admins see the need to change their scripts and stuff to implement it. Check & +1 because I'm gonna end up doing basically what you said in Python. – jamesbtate Jan 20 '11 at 16:03
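Added example, not code from the question or the answer: a Python audit that expands the question's default-password pattern for each username and tests every candidate against that user's stored hash, which is the direct-check approach the answer suggests. It assumes the constant pair is the literal "cc" and uses a constructed salted SHA-256 scheme in place of the system's real hashes; real shadow entries are salted crypt(3) hashes, so the verify function must hash each candidate per user rather than compare against one precomputed digest.

```python
"""Audit passwd-style records for accounts still on a patterned default password.

Default format from the question: [2nd and 3rd chars of username] + constant + 2 digits + 2 lowercase.
"""
import hashlib
import itertools
import string
from typing import Callable, Dict, Iterator

CONSTANT = "cc"  # assumption: the constant 'c' from the question is taken to be the literal "cc"


def default_candidates(username: str, constant: str = CONSTANT) -> Iterator[str]:
    """Yield every password matching the default pattern for this username (10*10*26*26 = 67600)."""
    prefix = username[1:3]  # 2nd and 3rd characters of the login name
    for d1, d2, l1, l2 in itertools.product(string.digits, string.digits,
                                            string.ascii_lowercase, string.ascii_lowercase):
        yield f"{prefix}{constant}{d1}{d2}{l1}{l2}"


def demo_hash(salt: str, password: str) -> str:
    """Constructed salted hash for the demo; a real system would use crypt(3) with the stored salt."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def verify_demo(stored: str, password: str) -> bool:
    """Check a candidate against a constructed 'salt$digest' record."""
    salt, digest = stored.split("$", 1)
    return demo_hash(salt, password) == digest


def find_default_users(records: Dict[str, str],
                       verify: Callable[[str, str], bool]) -> Dict[str, str]:
    """Return {username: matching default password} for every account still on a default."""
    hits = {}
    for user, stored in records.items():
        for candidate in default_candidates(user):
            if verify(stored, candidate):  # per-user salted check, one candidate at a time
                hits[user] = candidate
                break
    return hits


# Constructed sample records in "salt$digest" form: two users still on the default, one who changed it.
SAMPLE = {
    "jamesbtate": "s1$" + demo_hash("s1", "amcc42qz"),
    "zoredache": "s2$" + demo_hash("s2", "orcc07ab"),
    "danbig": "s3$" + demo_hash("s3", "correct horse battery"),
}

if __name__ == "__main__":
    for user, pw in find_default_users(SAMPLE, verify_demo).items():
        print(f"{user}: still using a default-pattern password ({pw!r}), notify user")
```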