John the Ripper doesn’t crack passwords when I use wordlists

Title says it all: I can’t tell if John is just crashing or “gives up” on cracking the hash. First I start off by creating an md5 hash out of a word I KNOW is on the rockyou.txt wordlist:

echo -n 'password' | md5sum > testhash 

After removing the hyphen at the end of the test hash file:

5f4dcc3b5aa765d61d8327deb882cf99 

Now I attempt to crack the md5 hash using the following John the Ripper command:

john --format=raw-md5 --wordlist= /usr/share/wordlists/rockyou.txt testhash 

I get the output:

Loaded 1 password hash (Raw-MD5 [MD5 256/256 AVX2 8*3])
No password hashes left to crack (see FAQ)

Then I run:

john --show testhash 

Which outputs:

0 password hashes cracked, 2 left 

Sorry if I’m doing something terribly wrong, but I’m at a loss here. I’m assuming it’s something wrong with how my installation of John on Kali Linux is handling the wordlist. Thank you in advance!
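Added example, not part of the post above: a small POSIX shell script that builds the raw-MD5 hash file the way john expects (bare 32-hex digest per line, without the " -" suffix md5sum appends) and validates it before cracking. It assumes coreutils md5sum, a john binary on PATH, and the rockyou.txt path from the post; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes coreutils md5sum and
# a john binary on PATH; WORDLIST is the path used in the post.
WORDLIST=/usr/share/wordlists/rockyou.txt

# raw_md5 WORD: print the bare 32-hex MD5 of WORD. printf '%s' avoids hashing
# a trailing newline; cut drops the " -" (filename) suffix md5sum appends.
raw_md5() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# write_hashfile FILE WORD...: one bare hash per line, as --format=raw-md5 wants.
write_hashfile() {
    out=$1; shift
    : > "$out"
    for w in "$@"; do
        raw_md5 "$w" >> "$out"
    done
}

# check_hashfile FILE: succeed only if every line is exactly 32 lowercase hex
# chars. A leftover " -" from md5sum makes john parse the line as something
# else, so catching it here saves a confusing "No password hashes left" run.
check_hashfile() {
    ! grep -Evq '^[0-9a-f]{32}$' "$1"
}

# crack_raw_md5 FILE: the post's command with the bug removed. There must be
# no space after --wordlist=, otherwise the path is taken as a second hash
# file. Pass the same --format to --show so john does not have to guess the
# hash type when reporting. "No password hashes left to crack (see FAQ)"
# means the hash is already in john.pot from an earlier run; --show prints it.
crack_raw_md5() {
    john --format=raw-md5 --wordlist="$WORDLIST" "$1" >/dev/null 2>&1
    john --format=raw-md5 --show "$1"
}

# Stand-alone usage: RUN_CRACK=1 sh this.sh  (builds ./testhash and cracks it)
if [ "${RUN_CRACK:-0}" = 1 ]; then
    write_hashfile testhash password
    check_hashfile testhash && crack_raw_md5 testhash
fi
```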

Which is better practice: digital password manager or a physical book of passwords? [duplicate]

These days, it’s not uncommon to have dozens and dozens of passwords for various sites and services. If you’re using different passwords for each service it can be basically impossible to hold all the passwords in your memory.

Some people keep a book with their passwords written down, and are occasionally mocked for doing so because if the book is lost or stolen, so are their accounts.

Others keep a digital password manager. These passwords aren’t hashed: a user can log in and see all their saved passwords.

The best solution (assuming we’re only using passwords) is to have unique, strong passwords memorized for each service, but that is implausible for the typical person and the volume of passwords someone needs.

Which of the following is the current best practice for a high number of passwords? Consider that the user needs to access these accounts from potentially several computers.

  1. Use a handful of passwords that you can remember and have several services share a password. (For example, three unique passwords over twelve services)

  2. Use a digital storage mechanism for storing passwords that can be accessed on logging in

  3. Keep a physical book of written passwords. Obviously it can’t be stolen digitally, but can be physically stolen or misplaced, and recovering from a lost book is very hard.

I’m assuming the person in question is keeping everyday information important to them (email, bank account password, so on) but not necessarily being specifically targeted by someone with resources. Any of these practices will probably fail against someone staging a coordinated attack.

How did Microsoft discover 44 million user passwords were breached? [closed]

In December 2019, tons of news sites reported that Microsoft ran security research which found that over 44 million user passwords were breached. The news sites said Microsoft used third-party resources and public databases in order to discover this, and forced all these users to change their passwords (which is nice!), but I still don’t get it.

If the password is properly hashed, how did they manage to look them up on these databases? I’m not a security expert or anything, but the only possibility I could come up with was to hash the passwords on these public databases and compare with the users’ hashed passwords, but that sounds absurd considering salt (they would have to hash every leaked password for every account, right?). Does anyone understand how they did that?

EDIT: @schroeder’s comment and closing the question don’t make sense. The question is valid – how could they check so many passwords against so many accounts, if that’s how they did it?

Recovering local chrome passwords from dead pc [migrated]

Recently my PC died and will not power on. The motherboard had a complete failure. My HDD survived. I have it set up as an external to pull my photos and such. My question comes down to transferring the local passwords I had stored in Chrome. I didn’t have a Google account sync. But the profiles are still accessible on the old HDD. I want to view my passwords or at least transfer them to my new PC. The older HDD belonged to a Win 8.1 PC. I pulled up the Login Data sqlite file, but when I view it in SQL Server it says the password value is stored in a blob. Any advice on recovering them would be helpful, a majority of my life’s on there.

Store passwords local with plain text access on WinPE

I have an application that needs to store Network Credentials for a Network Drive/Share on the disk. The user shouldn’t need to enter the password every time. The OS is WinPE, so he cannot map the drive once and it will stay there.

Limitation:

  • I need the password in plain text, to map the drive.
  • The program should work without an additional password that the user has to enter.

Thoughts:

  • Hash + Salt is not reversible, so I cannot get the password in plain text.
  • An encrypted password is not safe, because the program has to store the key. If someone looks inside the code he will get the key and decrypt the password.
  • I cannot use the “Protect Data” interface of windows, because I use WinPE. Protect Data Documentation

The program is written in C#. Maybe someone has a good idea about my problem. Thanks!

Could you store your passwords in a phone app governed by a QR code?

I had an idea a little while back to have an ID card with a QR code on it that you kept in your wallet. When you want to access your passwords (view them directly), you need your ID card and to scan it with your password protected iPhone. This then reveals your desired passwords.

But I’m thinking about it more and it doesn’t seem to offer any extra “security” or protection of your passwords. You have your phone password memorized, so that’s secure. Once you get into your phone and open the customized QR reading password app, you could just have direct access to your passwords right there instead of having the QR code layer. But, say we add the QR code step, of scanning the QR code to get access. Maybe it only works on your phone. So you have your phone password and a QR code protecting your password.

Does something like this offer any extra security? I’m thinking along the lines of n-factor auth and having an actual physical ID card in the mix.

Is having multiple correct passwords for a single username a security problem?

This question occurred to me when using online banking. My wife and I have a joint account. The username to log in to internet banking is just our account number, so it is the same for both of us. Nevertheless the bank supplied us with 2 distinct passwords.

If the passwords were only given out by the bank and we would log into the same account, this would probably be fine.

But first, the bank actually forces us to each choose our own new password. In theory I could choose the same password as my wife and then the system would tell me ‘you can’t use this password because it is already taken’ or something like that, so I would have guessed my wife’s password. Seems very shady security-wise.

Secondly, although we access the same money in the bank account, we don’t have the exact same user account in the bank, as for some actions the identity of the user is needed (for example ‘please send a new credit card’: should it be for me or for my wife?). The situation where one username combined with one password accesses one user account, and the same username with another password accesses a different user account, looks to me like a severe breach of security.

Is this actually fine or is the bank using some very sloppy and potentially unsafe programming for their joint accounts?

How are short passwords not safe on the web?

On all web services that require passwords, like Gmail, you are asked to set a long password, like 8 characters or more.

The reason being higher security.

But the same services limit the number of login attempts to 3-4 tries before locking your account and asking for more info. Something which I find very annoying, but that’s another topic.

So how is a short password insecure if they limit login attempts? If the pw has 5 characters, someone cannot try all combinations in just 3 attempts.