Identity and Data Theft: Bypassing the Passwords using John the Ripper

Authors

  • Mayank Kumar
  • E. Prajwal
  • N. Narayana Reddy
  • P. Haneef
  • Abirami A

Keywords:

Brute force attack, Cybersecurity, Dictionary attack, Ethical hacking, Multi-factor authentication, Password cracking, Password security

Abstract

Despite having been around for decades, user-created passwords remain one of the most common means of keeping unauthorized users from accessing sensitive data or systems on the Internet. The rapid increase in the number of cyberattacks has revealed the serious shortcomings of user-created passwords as an access control mechanism. Specifically, such passwords are insecure when they are not strong enough, are too predictable, or are too easy to guess. To understand password security in a more systematic way, this study analyzes password cracking using John the Ripper (JtR), an open-source password auditing and recovery tool that is widely available online. The purpose of this research is to explore various password-cracking methods (i.e., dictionary, rule-based, hybrid, and brute-force). The study was conducted in a controlled laboratory environment using the Kali Linux operating system. Groups of hashed passwords were tested against these attack methods to reflect how passwords are typically cracked in real life. The well-known rockyou.txt wordlist was used to recover common user passwords from their hash values through a dictionary-based attack. Overall, the results indicate that a large percentage of weak, frequently used passwords can be successfully cracked using dictionary attack techniques in a relatively short time. Although brute-force attacks consumed a lot of processing power, they succeeded against all short passwords tried with this method. In addition, rule-based techniques greatly increased the efficiency of cracking by covering variations of commonly used password formats. As the results of this research show, it is essential to have robust password policies in place, to increase the complexity of passwords, and to implement multi-factor authentication in order to enhance security.
The research also highlights the need to use password-cracking tools ethically, limiting them to authorized and educational environments and to security testing only. In conclusion, this research raises awareness about the vulnerability of passwords and encourages greater adoption of good cybersecurity practices.

Published

2026-06-01