Audit passwords with a password-cracking tool

Auditing passwords is a worthwhile venture, particularly in an environment that deals with sensitive information. Because systems encrypt passwords when they store them, you really can't properly judge the strength of a password unless you try to crack it.

We suggest using a password-cracking tool such as John the Ripper. This tool works extremely well because it can crack MD5 passwords, which most systems currently use. In addition, it's much faster and more sophisticated than earlier password-cracking software such as Crack.

Once you've installed the tool, either from RPM or by compiling a copy yourself, you can set it to work. Keep in mind that John the Ripper uses a fair amount of CPU, but it will only use idle CPU time. However, copying the /etc/shadow file to a nonessential machine and running the tool on that, rather than a production machine, wouldn't be a bad idea either.

If you need to stop John the Ripper, press [Ctrl]C. You can resume cracking passwords from where you left off by using the following:

$ john -restore

This tool comes with a fair-sized dictionary of common passwords, which it uses by default. However, you can download any dictionary you want to use instead of or as complement to the existing dictionary. All you need to do is concatenate the default.lst file to the new dictionary.

In addition, it's a good idea to add words that are specific to your particular environment, including employee names, addresses, company name, etc.

To use a different dictionary than the default, use the following:

# john -wordfile:/tmp/dict.txt /etc/shadow

This runs John the Ripper against the passwords in /etc/shadow using the dictionary /etc/dict.txt.

To download the John the Ripper password cracker, visit the Openwall Project Web site.