CS 231: Computer Security

Cracking passwords, round 2

In class, Oct 12

Recap

Recall our password-cracking exercise from Wednesday. The passwords were all either a single lowercase word or a pair of lowercase words concatenated together, where words were randomly selected from this file of words.

Your goal was not just to find all the passwords corresponding to the hashes stored in Wednesday's password file, but also to time your cracking. You want to estimate how many (username, password) candidates you can try per second.

Adding salt

(WARNING: The following hashing technique is designed to introduce you to the basic idea of salted passwords. However, the technique and salt sizes used here are not ready for prime-time. There are a couple more steps we need to take before we're getting close to best practice for password storage.)

Today's password hashes look like this:

jondich:e75fa822$8a604057b98aff07885d29eea97e885e::0:99999:7:::

In the hash field, we have an 8-digit hexadecimal number known as the "salt", then a dollar sign, and then the hash of the salt (treated as its eight hexadecimal characters, i.e. as a string rather than a number) concatenated with the password. As before, the "jondich" password is "moose", so you can use that to check your hash computation code. Also, as before, the hash function we're using is MD5.
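Here is an added Python example (not part of the assignment or the course's own code) that parses entries in the format above, computes the salted MD5, and counts how many hash computations a dictionary attack needs, which is where the slowdown from salting comes from. The four-word list and the "alice"/"bob" entries are constructed stand-ins for the real word file and password file.

```python
import hashlib
import itertools

# Constructed stand-in for the course's word file (not the real list).
WORDS = ["moose", "apple", "river", "stone"]

def salted_md5(salt, password):
    """MD5 of the salt's hex characters (as text) followed by the password."""
    return hashlib.md5((salt + password).encode()).hexdigest()

def parse_entry(line):
    """Split 'user:salt$hash::0:99999:7:::' into (user, salt, hash)."""
    user, field = line.split(":")[:2]
    salt, digest = field.split("$")
    return user, salt, digest

def make_entry(user, salt, password):
    """Build a line in the page's format; used here only for constructed data."""
    return f"{user}:{salt}${salted_md5(salt, password)}::0:99999:7:::"

def candidates():
    """Every single word and every ordered pair of words, per the exercise's rule."""
    yield from WORDS
    for a, b in itertools.product(WORDS, repeat=2):
        yield a + b

def crack(entries):
    """Dictionary attack over (user, salt, digest) tuples.

    Each (salt, candidate) pair is hashed once and compared with every user
    sharing that salt, so the hash count is (distinct salts) x (candidates):
    an unsalted file has one distinct salt, a salted file roughly one per user.
    Returns ({user: password}, number of hashes computed)."""
    by_salt = {}
    for user, salt, digest in entries:
        by_salt.setdefault(salt, {}).setdefault(digest, []).append(user)
    cracked, hashes = {}, 0
    for salt, targets in by_salt.items():
        for cand in candidates():
            hashes += 1
            for user in targets.get(salted_md5(salt, cand), []):
                cracked[user] = cand
    return cracked, hashes
```

With an empty salt for every user the attack hashes each candidate once for the whole file; with a distinct salt per user it hashes each candidate once per user, so the hash count grows by a factor of about the number of users.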

Here's today's password file.

Again:

By what factor has your password-checking slowed down? Why?

Have fun!