Using the John the Ripper password cracking tool, evaluate the current strength of account passwords on your personally owned computer system

Using the John the Ripper password cracking tool, evaluate the current strength of account passwords on YOUR PERSONALLY OWNED COMPUTER SYSTEM. Provide a brief discussion (approximately 200 words) of your computer’s current vulnerabilities from a password perspective. Include recommendations for improving your password policy.

Solution:

John the Ripper is a high-quality password cracker that runs on more environments than most, and it is one of the best tools available today that is focused solely on password cracking. John the Ripper (John for short) is a free tool developed by Solar Designer, who also wrote the non-executable stack kernel patch for Linux that defends against stack-based buffer overflows. Although John is focused on cracking UNIX and Linux passwords, it has extended modules that can crack other password types, including Windows LM representations and NT hashes.

John runs on a huge variety of platforms, including Linux, UNIX, Windows of all kinds, and even the ancient DOS platform. Yes, you can dust off that old DOS system and use it to crack passwords.

Linux and UNIX Overview:

UNIX systems store password information in the /etc directory. Older UNIX systems store encrypted passwords in the /etc/passwd file, which can be read by any user with an account on the system. On these machines an attacker can grab the encrypted passwords very easily, just by copying /etc/passwd.

Most modern UNIX variants include an option for using shadow passwords. In such systems, the /etc/passwd file still contains general user account information, but all encrypted passwords are moved into another file, usually named /etc/shadow or /etc/secure.

Password Policy:

A strong password policy is a crucial element in ensuring the security of your systems. Your organization must have an explicit policy regarding passwords, specifying a minimum length and prohibiting the use of dictionary terms. Passwords should be at least nine characters long and should be required to include non-alphanumeric characters. In fact, I prefer having a minimum password length of at least 15 or even more characters. I know what you are thinking: "There'd be riots in the cubicles if I configured a minimum password length of 15 characters!" However, we need to get our users out of the mindset of having passwords and move them toward the notion of passphrases.

On Windows, if you set a password to 15 characters or more, the system will not store an LM hash at all for that password, relying solely on the stronger NT hash in the SAM database.

Passwords should have a defined maximum lifetime of 90, 60, or 30 days, depending on the particular security sensitivity and culture of your organization. I tend to recommend a 60- or 90-day policy, because, in my experience, users nearly always write down passwords that expire every 30 days on sticky notes. Of course, your culture might vary. Finally, make sure that your password policy is readily accessible to employees on your internal network and through employee orientation guides.

Password Filtering:

To make sure users do not select weak passwords, you can use password filtering tools that prevent them from setting their passwords to easily guessed values. When a user establishes a new account or changes his or her password on a system, these filtering programs check the password to make sure that it meets your organization's password policy. With this kind of tool, users are far less able to create passwords that are too easily guessed.

A final, very important technique for defending against password-cracking tools is to protect your encrypted or hashed passwords. If attackers cannot steal your password file or SAM database, they will not be able to crack your passwords en masse. You must carefully protect all system backups that include password files (or any other sensitive data, for that matter).
