C program to crack passwords

I have implemented a program in C to crack passwords by generating all possible combinations of words ([A-Z][a-z]) up to the length of 5. While the program works, I would like to receive comments on the efficiency of the algorithm and other design decisions that would improve the code. The exercise is part of the course CS50 by Harvard.

I timed the program using unix’s time and the time the program took to print all the combinations was real 14m39.433s; user 0m10.040s; sys 0m36.356s.

CS50.h is a library developed for the course as training wheels for students. String (char*) and Bool are types defined in this library.

#define _XOPEN_SOURCE #include <stdio.h> #include <string.h> #include <unistd.h> #include <cs50.h>  int main(int argc, char *argv[]) {     if(argc != 2)     {         printf("Usage: ./crack hash\n");         return 1;     }      string alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";     char password[6] = "";     string hash = argv[1];     char salt[3];     memcpy(salt, hash, 2);     salt[2] = '';      bool flag = false;     int alphabet_len = 52;      for(int i = 0; i < alphabet_len; i++)     {         password[0] = alphabet[i];         password[1] = password[2] = password[3] = password[4] = '';         if(!strcmp(hash, crypt(password, salt)))         {             flag = true;             break;         }         for(int j = 0; j < alphabet_len; j++)         {             password[1] = alphabet[j];             password[2] = password[3] = password[4] = '';             if(!strcmp(hash, crypt(password, salt)))             {                 flag = true;                 break;             }             for(int k = 0; k < alphabet_len; k++)             {                 password[2] = alphabet[k];                 password[3] = password[4] = '';                 if(!strcmp(hash, crypt(password, salt)))                 {                     flag = true;                     break;                 }                 for(int l = 0; l < alphabet_len; l++)                 {                     password[3] = alphabet[l];                     password[4] = '';                     if(!strcmp(hash, crypt(password, salt)))                     {                         flag = true;                         break;                     }                     for(int m = 0; m < alphabet_len; m++)                     {                         password[4] = alphabet[m];                         if(!strcmp(hash, crypt(password, salt)))                         {                             flag = true;                             break;                         }                     }                     if(flag)                         break;                 }                 if(flag)                     break;             }             if(flag)                 break;         }         if(flag)             break;     }      if(flag)         printf("Password: %s\n", password);     else         printf("Password not found\n"); } 

Does Chrome’s password manager store plaintext passwords in their databases?

Chrome’s password manager allows for users to view their saved passwords on passwords.google.com. The saved passwords can be viewed on different devices as long as the user logs into their Google account. So, these passwords must be stored in a Google database. Is it known as to whether the passwords are encrypted in this database, so that Google wouldn’t be able to know what your account passwords are?

Kickstart, universal install script and default passwords

I’d like to make an universal automated install script using Kickstart, which would be placed on a CD and used in conjunction with standard DVD installer, i.e. the user of this script would need to append inst.ks=cdrom to boot options and then it’d install e.g. Fedora on the machine asking only for passwords.

It seems that standard practice is to generate Kickstart scripts with passwords (or password hashes) in them, which doesn’t seem ideal if you intend to distribute the script to third parties. I also want to enable sshd service in the Kickstart script, which would make it possible for anyone on LAN with knowledge of default passwords to log in into the machine. Of course I can just disable password authentication in sshd but now it’s getting messy, i.e. I’m trying to workaround public knowledge of default passwords (and I may very well be forgetting something).

I’m new to Kickstart, I’d like to make the install script to ask/prompt/input for site-specific passwords, and so far I figured out two options:

  1. Ask for passwords in %pre section and then generate e.g. accounts.ks with rootpw and user commands which will be included from main command section.
  2. Use static default passwords and run interactive script on first boot that’ll force user to change default passwords. (Or possibly use chage in %post.)

My worry is that, based on my Google searches, no one is doing that, no one is even asking for that. 🙂 Everyone seem to be placing final passwords/hashes directly into Kickstart scripts. So this leaves me with making my own interactive script for both options, which, I fear, will end up bad. Or perhaps, I’m getting the whole concept of (semi-) automated installs with Kickstart wrong.

What is the standard practice for creating universal Kickstart scripts for scenarios like this, where you need to distribute the script and not force users to edit it?

How to crack a list of hashed passwords given their possibilities

I am trying to crack a number of passwords that have been hashed using SHA-256 using some java code.

I have the hashes available and I also have the possibilities in which the password can be. Some of these possibilities include,

possibilities

So for example I have hash

9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08

and I want to get the password using an algorithm (one which I will code in Java) to get the password:

test

Is the only possible way I can do this is to calculate the hashes for all of the possibilities and then compare them with the hashes that I have?