Coding Challenge #49 - Password Cracker

This challenge is to build your own version of John the Ripper or CrackStation. These are password cracking tools that can be used to recover passwords, by penetration testers and of course bad guys.

We’re going to take a look at them because they provide an interesting way of learning several different things - you can pick and choose where you focus from the list:

  1. How to implement cryptographic hash functions - you can build these by hand if learning how to code them interests you, otherwise you can use the ones available for your programming language.
  2. How and why certain approaches to storing passwords are insecure so you have a better understanding of how to build a secure system and to securely store passwords for the systems that you develop.
  3. How to build and optimise a computationally expensive piece of software.

The Challenge - Building A Password Cracker

Ever since we’ve been building multi-user systems there’s been a need to identify and authenticate users. That started off with usernames and passwords stored in plaintext (unencrypted), which wasn’t very secure and meant that anyone with access to the password data could read everyone’s passwords.

Pretty soon we moved to using hashing functions to obscure the plaintext passwords. When a user provided their password it would be hashed and the hash value stored. When a user logged on, the password they entered would be hashed and the generated hash compared to the stored hash; if they matched, the user was authenticated. This was an improvement. Most of the hashing functions are secure - impossible to reverse to get the password from the hash - but there is another problem.

As the number of users grew, we started to see a problem created by us, the users. The problem is we tended to pick similar passwords and often many of us used the same password. For example for many years the most common passwords have been: 123456, password, 123456789, qwerty, 111111, 123123 and other similar words and patterns.

Attackers therefore realised they didn’t need to decrypt the hashes; they could instead try common passwords and lists of words from the dictionary, run those through a hash function, and when the hashes matched they had the password. At the same time computers became faster and cheaper, so it also became possible to brute force passwords by hashing every possible permutation of letters and numbers - up to a certain length. At least this was possible with early hash functions that were quick and cheap to compute.

As a result more complex hashes were adopted and we began to push for longer passwords that included varying case, numbers and symbols. To combat this, attackers started using rainbow tables. Rainbow tables are pre-computed tables of common words, phrases and passwords along with their hash. Now cracking is simply a case of looking up the hash to see if it’s in the table. To counter this, new algorithms are used along with a technique known as salting.
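The difference between the two storage schemes described above, as an added example that is not part of the original article. PBKDF2-HMAC-SHA256 with a 16-byte salt and 600,000 iterations is an assumed choice of "new algorithm"; the accounts and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: the common passwords named in the article.
COMMON = ["123456", "password", "123456789", "qwerty", "111111", "123123"]

def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

# Precomputed hash -> password table. Built once, it works against every
# unsalted MD5 store, which is why unsalted fast hashes fail.
LOOKUP = {md5_hex(p): p for p in COMMON}

def store_salted(password: str, iterations: int = 600_000):
    """Return (salt, iterations, derived_key) using PBKDF2-HMAC-SHA256."""
    salt = secrets.token_bytes(16)  # fresh random salt per user
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, key

def verify_salted(password: str, record) -> bool:
    salt, iterations, expected = record
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(key, expected)  # constant-time comparison

def audit_unsalted(stored: dict) -> dict:
    """Users whose unsalted MD5 hash is already in the precomputed table."""
    return {user: LOOKUP[h] for user, h in stored.items() if h in LOOKUP}

def demo(iterations: int = 600_000) -> dict:
    # Constructed accounts: alice and bob share a password.
    passwords = {"alice": "qwerty", "bob": "qwerty", "carol": "T7#long-unique-phrase"}
    unsalted = {u: md5_hex(p) for u, p in passwords.items()}
    salted = {u: store_salted(p, iterations) for u, p in passwords.items()}
    return {
        "unsalted_same": unsalted["alice"] == unsalted["bob"],
        "unsalted_found": audit_unsalted(unsalted),
        "salted_same": salted["alice"][2] == salted["bob"][2],
        "salted_found": audit_unsalted({u: r[2].hex() for u, r in salted.items()}),
        "login_ok": verify_salted("qwerty", salted["alice"]),
        "login_bad": verify_salted("password", salted["alice"]),
    }

if __name__ == "__main__":
    print(demo())
```

With salting, the same password yields a different stored value for every user, so a precomputed table would have to be rebuilt per salt, and the iteration count makes each guess expensive.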

In this challenge we’re going to build a password cracker that uses some of these techniques.

Step Zero

In many programming languages we index arrays from zero onwards. Coding Challenges is the same, we start with Step 0. It’s the step where you set up your IDE / editor of choice and programming language of choice.

Depending on whether you’re going to aim for more of a John the Ripper or a CrackStation you might pick a stack like C, C++, Rust or Go versus a stack like PHP, Python or JavaScript. The choice is yours!

Step 1

In this step your goal is to implement the MD5 hash function. By doing so you will have an awareness of how password hashes are generated. Wikipedia has an explanation of the MD5 algorithm.

You can test your implementation against the implementation in your programming language’s standard library. In the event that it doesn’t have support, you can compare to this Python that you could run locally or on one of the online IDEs.

from hashlib import md5

print(md5(b'password').hexdigest())
        

Continued...

You can find Step 2 and beyond on the Coding Challenges website as build your own Password Cracker.

Or if you'd rather get the whole challenge delivered to your inbox every week, you can subscribe on the Coding Challenges Substack.


Michael Porter

React and Node Developer

1 year ago

Have you considered mini-coding challenges that focus on things we would be doing in the industry but aren't very well. Like a password compromised checker that prevents compromised email/pass combos and commonly used passes. I think it's 23andme that was compromised from reused passes.

Gourav Khanijoe

Staff SWE at HubSpot | Helping people become Leaders in Tech Career and a Balanced Beings in Life | Author at Curious Soul’s Corner Newsletter - subscribe now!

1 year ago

Wow John! This is an awesome list.

Mike Thornton

Unpacking Software Architecture

1 year ago

You anticipated all of my questions and thoughts. Including the suggestion to try cracking with GPUs. Great challenge John!

Building a password cracker is a fascinating challenge! It's impressive how it delves into hash functions and security considerations. Have you thought about exploring additional layers like salting and more advanced hashing algorithms? It could add another exciting dimension to your already engaging challenge!
