experiments with dictionary attacks against password hashes, in Python

Irmen de Jong irmen.NOSPAM at xs4all.nl
Sat May 21 12:22:37 EDT 2011


Hi,

I've been experimenting a little with dictionary attacks against password hashes.

It turned out that Python is plenty fast for this task, if you use precomputed hash
databases. I used a few rather large dictionary files (most of the words of the English
language, and most of the words of the Dutch language including derived forms) for a
total of almost 600,000 precomputed hashes. With that the program can "crack" 10,000
password hashes in under a second on my 3-year-old PC.

I've also used a list of 600 'most commonly used' passwords that I gathered from a few
sources. That list is used to generate a couple of variations, such as prefixing them
with a digit, or typing the word in uppercase, etc. I did this to be able to quickly
scan for the most common passwords, but it turned out that using all of the 600,000
precomputed hashes isn't much slower for the experiments that I did.
The variations however increase the hit rate because words like "Jennifer9" are not in a
normal dictionary file. This one however *is* part of the 'most common' list.
So if that is your password, go change it right now ;-)


I thought the code I wrote might interest other people as well, so I share it here:
(It should run on Python 2.6 and up, including Python 3.x.)

Download:
http://www.razorvine.net/download/dictionary_attack/

Or by Subversion:
svn://svn.razorvine.net/Various/PythonStuff/trunk/dictionaryattack


Have fun,
Irmen de Jong
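
The precomputed-table lookup described in the post above, as an added example that is not the code from the download link: it shows why unsalted hashes of dictionary words fall to a single table lookup, and why the same table finds nothing once each password is stored with a per-user salt and a slow KDF. The hash choice (unsalted SHA-256), the word list, the account names and all function names are assumptions made for illustration; the post does not say which hash was used.

```python
import hashlib
import os

# Constructed sample word list (stand-in for the large dictionary files).
WORDS = ["password", "dragon", "jennifer", "welkom"]

def variations(word):
    """Variations named in the post: the word itself, uppercase, digit prefix."""
    yield word
    yield word.upper()
    for d in "0123456789":
        yield d + word

def unsalted_hash(password):
    # Assumption: plain unsalted SHA-256; the post does not name the hash.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def build_table(words):
    """Precompute hash -> plaintext once; the table is reused for every audit."""
    return {unsalted_hash(v): v for w in words for v in variations(w)}

def audit(stored, table):
    """Return {user: recovered password} for stored hashes found in the table."""
    return {user: table[h] for user, h in stored.items() if h in table}

def salted_hash(password, salt, iterations=100_000):
    # Per-user random salt plus a slow KDF: one precomputed table
    # no longer matches any stored value.
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    ).hex()

def demo():
    table = build_table(WORDS)
    # Constructed accounts: two dictionary-based passwords, one random one.
    accounts = {"alice": "7dragon", "bob": "WELKOM", "carol": "x9$Tq!vLr2"}
    weak_store = {u: unsalted_hash(p) for u, p in accounts.items()}
    strong_store = {u: salted_hash(p, os.urandom(16)) for u, p in accounts.items()}
    return audit(weak_store, table), audit(strong_store, table)

if __name__ == "__main__":
    found_weak, found_strong = demo()
    print("unsalted store:", found_weak)
    print("salted PBKDF2 store:", found_strong)
```

The salted store still stands or falls with password quality, since each weak password can be tested per account; what the salt removes is the reuse of one precomputed table across all hashes.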


