During the March 18th, 2014, Networks lecture (CS3C03/SE4C03), I posed the challenge of cracking the password corresponding to the following command:
htpasswd -bnm netsec2014 <password>
Note several things about this line:
- apr1 means the result of an Apache-specific algorithm using an iterated (1,000 times) MD5 digest of various combinations of a random 32-bit salt and the password; you can find more about it here: Apache Password Formats.
- tWaYGBoQ (i.e., the string between the second and third $‘s) is the salt; a 32 bit binary value encoded in Base64. This salt is randomly generated each time the htpasswd command is invoked, and hence, each time htpasswd is invoked it yields a different output, even though it is invoked on the same login/password pair.
- v1osblq2UdOs0rNURdUhW0, (i.e., the string following the last $) is the actual hash.
How can you check whether a particular password works? You can do so with the command:
openssl passwd -apr1 -salt tWaYGBoQ <password>
As of March 19, 9am, no one was able to break this password. I expect this to be very difficult. On the other hand, the first challenge was successfully cracked by Adam Brousseau: the crypt password corresponding to seed 3z and hash f2laisA/GQ6 is abracadabra, and since only the first 8 characters count, abracada. Adam used open source C code John The Ripper on his own Linux machine, with processor AMD 4 core 3.4GHz (Single core used; Phenom II X4 965 BE). The crack took 23 minutes 10 seconds.