The idea for this assignment came from a similar assignment given by Benjamin Kuperman at Oberlin. (His original assignment can be found here.) Below is a list of standard Unix password hashes created using the crypt() function. Each password was hashed using DES and a two character random salt. Your goal is to recover as many of the passwords as possible.

nliI/R6GClMw2
yiGqh0OTvBj8o
vc8CMms1UB41Y
wpM8DVmvzYLC.
cb897EaMgDZy6
xyAjYtmfRYx/.
oxYtE07ntqiNs
ezab2lG5gNQL2
ha.kzD90q26XQ
njIddUiUmUf5A
teSNtHJCWzdFI
isy1Oova93Uio
oj6dDRMGOyJWI
udM9N8VuZSi7k
pbJVp10W8c4EM
xsW3DhWj0EEig
oc27WbSsyBNVQ
fjNrHXRz4yMo.
yphqNfQI.ZMA2
cfl65oc9271eM
rfEBKdD/kyB2E
cn8pK1Cu6sf3s
iaHGuJ9KMUEc.
neCtbwtspkCqg
mvL738D.qP0lk
crtNeOLwU.6Hw
wk9IMt05XJydg
peKJaPFsM79.w
lmDaDtYMvMFHo
pjg.H4fBCz4Hc
yySJT8jalGB1I
gpuFQkMQz0.mU
hbuVyjyjVsv7c
rtMsnWejyfxYg
uj//U1qOTr.IQ
ylL0NGSvqBYXA
psqR6GiL7dkgU
ghRcwpi3ZurMo
duDsLefD2mjUU
rgaroy9F2zvIw
wxOCYKHJaB0io

To do this I'm suggesting you search the web to find an appropriate password cracking program. There are a number available each with different characteristics. You might want to test a few to see how easy they are to use, how quick they break simple passwords, etc. You probably also want to try different dictionaries before starting a full brute force search.

Some other recommendations:

• Start soon! Many of the passwords will be broken quickly but the rest will require a large search and this will take a lot of computer time.
• You probably want to find a program you can start and stop and have run in the background. To guess the longer passwords is going to take a long time and you will need a way to use your computer while still cracking.
• Work in teams. Teams of any size are fine with me (including the whole class!). If you can figure out a way to split up the work its likely to increase your chances of getting the hard ones.
• Consider guessing. Remember I came up with this list and I'm not random. At least a few of the longer passwords are not in a standard dictionary but are fairly easy to guess.

To be handed in : A short report containing the following information:

• A discussion of what cracking tool or tools you ended up using and why. This might include a discussion of how easy they were to use, what recommendations you read on the web, how fast they appeared to be in tests, etc.
• A discussion of what dictionary or dictionaries you used and why.
• An estimate of how much computer time was devoted to running the cracking tool or tools.
• A list of the passwords you were able to break.
• Any conclusions you might want to draw from this exercise like what passwords were especially easy and which appeared to be the hardest. Did this effect how you might choose your own password?

Report problems to dkrizanc at wesleyan.edu