Trying to crack a weak password using John

I have a computer from the 1990s. It has an (extent) EFS file system which cannot be written to in Linux, so I cannot reset the password manually. So I have to crack my password. For this I am trying to use John the Ripper.

In a file me2, I have an entry from the original /etc/passwd file:

Some people from another thread suggested this might be a DES password.

So here, I am trying to crack this password, so I can get back into this computer.

sudo john me2
Loaded 1 password hash (descrypt, traditional crypt(3) [DES 128/128 SSE2-16])
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: MaxLen = 13 is too large for the current hash type, reduced to 8

I see the warning, and I am wondering what that means.
I left John the Ripper running for a few hours and came back. It seems like it’s still going… So I’m thinking something must not be right.

Asked By: j0h


This password is hashed with the traditional DES-based method. This method is not so broken that it allows directly finding the password from the hash. It requires brute force, i.e. calculating password hashes until you find the right one. This hash method is broken in that the hash calculation is relatively fast, and the password is limited to 8 characters (and the salt is too small, too). The John benchmarks go up to about 6 million per second per core.

For a majority of human-chosen passwords, 6 million per second means a near-instant break. But if the password was chosen randomly among all possible passwords of 8 printable characters, there are about 6.7×10^15 possible passwords, which means about 12800 days of cumulated CPU time.

You didn’t specify which of the many filesystems called EFS this is. With most filesystems, you can search the disk image for the file contents, as long as the file isn’t compressed or encrypted. Modifying a file without understanding the structure of the filesystem is unlikely to work, unless you change bytes in place and leave the file size unchanged. So, assuming the file isn’t compressed or encrypted, here’s what you can do:

  • Plug the disk into a computer running Linux or some other Unix variant.
  • Make a copy of the disk image. This is important: if you trip up, you could make the original unrecoverable.
  • Use binary tools to locate the contents of the passwd file in the disk image. See Find/replace on block device?
  • Replace root:8sh9JBUR0VYeQ: by a string of equal length that is the hash of a password that you know. You can use perl -le 'print crypt("swordfis", "aa")' to generate a password hash for swordfis.

Alternatively, the computer might offer a way to bypass the normal boot process if you have physical access.
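As an added example (not code from either answer), the following Python script carries out the in-place replacement the steps above describe: it locates every root:<hash>: record in a copy of the disk image, checks that the replacement is a 13-character descrypt hash of exactly the same length as the field it overwrites, and rewrites the field without changing the file size. It also refuses to touch a record whose hash field has a different length, since growing or shrinking the file would corrupt the filesystem. The sample image, the "*" entry for lp, the stale backup copy of the file and the placeholder replacement hash aaXXXXXXXXXXX are constructed for the demonstration; in real use you would pass the output of the perl crypt() one-liner above as the new hash, and run it against a copy of the image. Function and file names are mine.

```python
import re
import sys
from typing import List, Tuple

# A traditional DES crypt(3) ("descrypt") hash is always exactly 13 characters
# from the alphabet [./0-9A-Za-z]: 2 salt characters followed by 11 of output.
DESCRYPT_RE = re.compile(rb"[./0-9A-Za-z]{13}")


def is_descrypt_hash(h: bytes) -> bool:
    """True if h has the shape of a descrypt hash (13 chars, crypt alphabet)."""
    return DESCRYPT_RE.fullmatch(h) is not None


def find_passwd_entries(image: bytes, user: bytes) -> List[Tuple[int, bytes]]:
    """Locate every passwd-style 'user:hash:' record in a raw image.

    Returns (offset_of_hash_field, hash_bytes) for each hit. A file inside a
    disk image is not necessarily preceded by a newline (it starts at a block
    boundary), so only require that the byte before the name is not part of
    a word or a path.
    """
    pat = re.compile(rb"(?<![A-Za-z0-9_./-])" + re.escape(user) + rb":([^:\n]*):")
    return [(m.start(1), m.group(1)) for m in pat.finditer(image)]


def patch_passwd_hash(image: bytes, user: bytes,
                      new_hash: bytes) -> Tuple[bytes, List[int]]:
    """Overwrite the hash field of every record for `user` with new_hash.

    The replacement must be byte-for-byte the same length as the original
    field; the file size is never changed. Returns the patched image and the
    offsets that were rewritten.
    """
    if not is_descrypt_hash(new_hash):
        raise ValueError("replacement %r is not a 13-character descrypt hash" % new_hash)
    entries = find_passwd_entries(image, user)
    if not entries:
        raise LookupError("no passwd record for %r found in image" % user)
    buf = bytearray(image)
    offsets: List[int] = []
    for off, old in entries:
        if len(old) != len(new_hash):
            raise ValueError("field at offset %d is %d bytes (%r); refusing to change "
                             "the file size" % (off, len(old), old))
        buf[off:off + len(new_hash)] = new_hash
        offsets.append(off)
    return bytes(buf), offsets


# Constructed stand-in for a raw disk image: metadata junk, the passwd file,
# more junk, then a stale backup copy of the same file. Real images often hold
# several copies of a file, so every matching record is patched, not just the
# first. The root hash is the one from the question; the lp entry is made up.
PASSWD_FILE = (
    b"root:8sh9JBUR0VYeQ:0:0:Super-User:/:/bin/csh\n"
    b"lp:*:9:9:Print Spooler Owner:/var/spool/lp:/bin/sh\n"
)
SAMPLE_IMAGE = (
    b"\x00" * 64 + b"\xffMETA\x00\x00"
    + PASSWD_FILE
    + b"\x00" * 32
    + PASSWD_FILE          # stale backup copy elsewhere on the disk
    + b"\x00" * 16
)
# Placeholder standing in for the real output of crypt("swordfis", "aa").
NEW_HASH = b"aaXXXXXXXXXXX"


if __name__ == "__main__":
    # usage: patch_passwd.py IMAGE_COPY_IN IMAGE_OUT USER NEW_13_CHAR_HASH
    if len(sys.argv) != 5:
        sys.exit("usage: %s IMAGE_IN IMAGE_OUT USER NEW_HASH" % sys.argv[0])
    src, dst, user, new_hash = sys.argv[1:]
    with open(src, "rb") as f:          # whole-image read: fine for a 1990s disk
        data = f.read()
    patched, changed = patch_passwd_hash(data, user.encode(), new_hash.encode())
    with open(dst, "wb") as f:
        f.write(patched)
    print("patched %d record(s) for %s at offsets %s" % (len(changed), user, changed))
```

Run it as python3 patch_passwd.py image.copy image.patched root "$(perl -le 'print crypt("swordfis", "aa")')", then write image.patched back to the disk only after confirming the reported offsets are the ones you expect. The script works on the raw bytes only; if the filesystem compresses or encrypts file contents, the record will simply not be found.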

Your root password is qwer134.

% /usr/sbin/john --show pwdfile 
lp:passwd1:9:9:Print Spooler Owner:/var/spool/lp:/bin/sh
nuucp:NO PASSWORD:10:10:Remote UUCP User:/var/spool/uucppublic:/usr/lib/uucp/uucico

3 password hashes cracked, 0 left

It took john 2.5 days to find the root password and could easily have taken much longer. You can crypt the password to verify the hashes really match:

% perl -le 'print crypt("qwer134", "8s")' 
Answered By: casey