Assignment 1: Authentication and Password Auditing


This is a two-part assignment. In the first part, you'll conduct a password audit using John the Ripper on a set of password hashes. In the second part, you will create password policies for two groups. Below you will find an example policy you can use as a reference and as a starting point for your own research. You can and should also use the textbook, the Internet and, most importantly, your own cleverness to create these policies. If you find any good information that you want to use as a reference, restate it in your own words with a citation for the source. Wikipedia can be a useful springboard to legitimate sources, but Wikipedia itself is not a credible source.


The assignment is not meant to demonstrate your password cracking ability, but to demonstrate that you know how to run a password audit and that you recognize the importance of good passwords and policies.





Your deliverable is a professional-quality paper in one document (PDF preferred, but Word format also accepted) that includes the following sections:


1. A letter of at least one page to Mr. Avenal that explains what you were requested to do, what you did, what you found, and the possible implications of continuing to use the current password policies.


Note that Avenal is paying you, so your letter should be written in business style with little-to-no technical terminology.

Reference Sites:


2. Two sets of password policies, one for each organizational unit as listed in the Avenal letter.

Justify the password policies you suggest for each organizational unit. Note that the two organizational units are very different. Should or shouldn't their policies differ? You can be as technical as you like in this section. Perhaps the highly sensitive information should be protected with two-factor authentication.

3. A table that includes the usernames and, for each: the method used to break the account (if dictionary, include the dictionary used) and why the password was broken (too short, found in a dictionary, etc.). See the example table below.

4. The URL or location of the additional password dictionary you used.


Make sure this all goes in ONE document, either a Word document or a PDF.


5. Your john.log file. This file is located in a hidden .john directory off your home directory. Full path: ~/.john/john.log. I want the full file: not a screenshot or a copy/paste of the text, but the actual file submitted. Without this file, you will not receive credit for the password audit portion of the assignment.




Example table:


Username  Password          Source                         Why?
a1        a12013            single                         combination of username and year
b1        X (not broken)
c1        hello             dictionary - common passwords  dictionary word
d1        abcxx             brute force                    too short, only uses lower case alphabet
...       ...               ...                            ...
z2        alkotyellenesnek  albanian dictionary            dictionary word






John The Ripper Details


You do not have to perform a manual installation of John in Linux!


John is super easy to install on Ubuntu/Mint/Debian-based systems: 'sudo aptitude install john'.




You have been provided several password dictionaries you may use, and you should use them; I'll know if you don't. Additionally, find and use at least one additional password dictionary other than the foreign dictionaries provided. You may want to Google for 'commonly used passwords'. COUGH hint, hint COUGH. There should be quite a few results for the Top X Passwords, where X is a number between 1 and Too Many; some employees may be using some of these common passwords.


Feel free to post links to good dictionaries you may find on your own in the General Discussion or Assignment 1 group. If you alter John's rules and want to share that information, that's fine as well. Do not share broken accounts/passwords for the assignment; that will result in a zero.



Getting Started


Unshadow the passwd and shadow files:


unshadow passwd shadow > unshadowed 



Run John first in Single mode:


john --single unshadowed


Break a password or two? Huzzah! Now, for the dictionary files, including the additional dictionary you found. Make a copy of the found dictionary in all upper case by running this in the terminal:


tr '[:lower:]' '[:upper:]' < yourFoundDictionary > uppercase.dict


The tr command is a text-manipulation utility; here it converts every lower-case character in the file to upper case and redirects the result to a new file called 'uppercase.dict'. This may or may not find any additional passwords, since you may already have broken them by other means before using your own dictionary.


Note: You do not have to uppercase any of the foreign dictionaries.



Now run John with the provided dictionaries first, then your own dictionary, followed by your converted-to-uppercase dictionary:


john --wordlist:nameOfDictionaryFile unshadowed



Any passwords left? If so, run John in incremental mode (this is the brute-force option) for no more than a day:


john --incremental unshadowed
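The Getting Started steps above, collected into one script so the order (single, provided dictionaries, your dictionary, its uppercase copy, incremental) is fixed and the one-day cap is enforced. This is an added example, not part of the assignment handout. It assumes GNU coreutils `timeout` is available, that the dictionaries are passed in as file arguments, and it uses John's `--wordlist=FILE` spelling (John accepts both `=` and the `:` form used above). It finishes with `john --show`, whose `user:password:...` lines are the raw material for the results table in deliverable 3.

```shell
#!/bin/sh
# Added example: the Getting Started sequence as one script.
# Assumptions (not from the handout): GNU coreutils 'timeout' is available,
# and the dictionaries are passed as file arguments (see usage below).
set -eu

# Build an all-uppercase copy of a dictionary with tr, as in the handout.
# Usage: make_uppercase_dict input.dict output.dict
make_uppercase_dict() {
    tr '[:lower:]' '[:upper:]' < "$1" > "$2"
}

# Run the audit: single mode, the provided dictionaries, your own dictionary,
# its uppercase copy, then incremental mode capped at one day.
# Usage: run_audit passwd shadow found.dict provided1.dict [provided2.dict ...]
run_audit() {
    if [ $# -lt 4 ]; then
        echo "usage: run_audit passwd shadow found.dict provided.dict..." >&2
        return 1
    fi
    passwd=$1; shadow=$2; found=$3; shift 3

    unshadow "$passwd" "$shadow" > unshadowed
    john --single unshadowed

    # Provided dictionaries first ...
    for dict in "$@"; do
        john --wordlist="$dict" unshadowed
    done

    # ... then the dictionary you found and its uppercase copy.
    make_uppercase_dict "$found" uppercase.dict
    john --wordlist="$found" unshadowed
    john --wordlist=uppercase.dict unshadowed

    # Incremental (brute force) for at most a day; timeout exits 124 when the
    # cap is hit, which is expected here rather than an error.
    timeout 24h john --incremental unshadowed || [ $? -eq 124 ]

    # Cracked accounts in user:password:... form, for your results table.
    john --show unshadowed
    echo "remember to submit $HOME/.john/john.log"
}

# Run only when invoked with arguments, so the file can also be sourced.
if [ $# -ge 4 ]; then
    run_audit "$@"
fi
```

Invoke it as `sh audit.sh passwd shadow found.dict dict1 dict2 ...`; John keeps its own progress in ~/.john/john.pot and john.log, so re-running the script only works on hashes not yet cracked.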




Your grade will be based on:



Writing A Non-Technical Summary


Your non-technical summary should use little-to-no technical terms. This can be difficult, but not impossible, to do when a technical event is involved. Here is an excerpt from the Washington Post about the Heartbleed SSL issue. Note that they do a fantastic job of explaining the technical issue with mostly everyday, non-technical terms.


Q: What is SSL?

A: It stands for Secure Socket Layer. It is the technology for establishing an encrypted link between a Web server and a browser. This link ensures that all data passed between the Web server and browsers remain private. “Open” SSL simply means that the code is freely available.

It’s the “s” in “https” that is supposed to stand for “secure.” Unlike Web sites that begin with “http,” “https” sites have a lock in browser address bars.

“That lock is supposed to signal that third parties won’t be able to read any information you send or receive. Under the hood, SSL accomplishes that by transforming your data into a coded message that only the recipient knows how to decipher,” explains Vox’s Timothy Lee. “If a malicious party is listening to the conversation, it will only see a seemingly random string of characters, not the contents of your emails, Facebook posts, credit card numbers, or other private information.”