[uochris]

According to the keychain password analyzer, what is the score of your current OS X password?

1. Open the Keychain Access utility.
2. Select Edit > Change Password for Keychain...
3. Click the "i" button to open the Password Assistant.
4. Test your passwords in the "New Password" field. You don't need to change your password to test new ones.

http://www.macosxhints.com/article.p...31026012223557

http://www.macosxhints.com/article.p...40920120520528

[Love Calm Quiet]

Wow, that analyzer is pretty wicked - nice, dynamic response as you type along with a new candidate for a password...

But is sure requires a mess of different letters and number to get a rating above 60% (let alone 80%).

[dreilly1]

I don't have to test my password -- I know it's unbreakable.
It's the same password that I have on my luggage.

[yukon]

Well, I should try my passwords in there....I haven't used keychain partly because I distrust the whole "One password unlocks the rest" idea, but mainly because my non-admin user password is terrible anyway ;-)

I'll say almost all of my passwords are horrible here, maybe it'll spur me on to create better passwords....I've been cracking them all week as it is, defeating encryption on some old archives (my own, not to worry, just exploring the tools and getting some of my old files back as a bonus), and found that even 9 letter passwords are crackable within a week on a year old PC when it's all lowercase letters. I've been researching methods of making decent passwords and obfuscating them better, but I still haven't thought of a decent method to make up base passwords that aren't random characters or mentioned on the second link....any ideas?

edit: 19, 37, 55, 23, 36, 48, and a few others. One I just made up that i could remember is 210, but there's no way to modify it to make new passwords out of it. A second one got 270, but is "too simplistic or systematic" since it was an actual sentance. Hopefully whatever I make up will be >100 , and hopefully no one installed a keylogger on my system ;-D

[someone_else]

My login pass is 36.2, while my PGP phrase is 130.6.

[mdc]

Originally posted by dreilly1:
I don't have to test my password -- I know it's unbreakable.
It's the same password that I have on my luggage.

12345?


my password currently is a 36. i just created a 62 for myself.

[rjenkinson]

Originally posted by dreilly1:
I don't have to test my password -- I know it's unbreakable.
It's the same password that I have on my luggage.

"fragile"?

-r.

[Webscreamer]

31.1.... mine is too short my life has been ruined....

[[APi]TheMan]

51.7. I agree, cool keychain assistant. Cool thread.

[DigitalEl]

Nice discovery.

I know my password is horrible. I've used it too long and for too many different things. It'll probably take getting burned for me to change it.

Then again, seeing this thread might do the trick, too. It's time.

[Turnpike]

Originally posted by DigitalEl:
Nice discovery.

I know my password is horrible. I've used it too long and for too many different things. It'll probably take getting burned for me to change it.

Then again, seeing this thread might do the trick, too. It's time.

same here

cool find.

[Angus_D]

82.7 (it's a random 16 character alphanumeric string

[PER3]

"My login pass is 36.2, while my PGP phrase is 130.6." gives 376.9

"passwordpasswordpassword1" gives 129.2

[Love Calm Quiet]

hmmmmmmmm...

Thanks for that last one, PER.

That casts some doubt on the assistant's algorithm - aren't most encryption-breaking processes going to pick through such repetitions quickly?

[Angus_D]

Originally posted by Love Calm Quiet:
hmmmmmmmm...

Thanks for that last one, PER.

That casts some doubt on the assistant's algorithm - aren't most encryption-breaking processes going to pick through such repetitions quickly?

Actually, "�asdf�����������������������������" rates pretty highly, too.

[bradoesch]

31. That tool is pretty neat.

While we're here, does anybody want to tell me how to stop the password prompt from appearing every reboot? I've searched here and can't find the answer. I've also buggered around in Keychain Access and can't figure it out.

[mdc]

password prompt every reboot? are you talking about the login screen?
if so, system preferences > accounts > login options > automatically login as:

if not, i apologize, and i have no idea which password prompt you are talking about. i don't get any. my keychain opens sans password.

[dtriska]

If your login password is different from your keychain password, you'll need to unlock your keychain manually each time you login, and hence the password dialogue.

[uochris]

The best way to check your password is with John The Ripper or some such brute force password cracking utility. What I thought was a pretty good password took John The Ripper about 35 minutes to crack and then Lepton's Crack finished the job in another 2 seconds. You'll quickly find that if someone has access to your computer, cracking the NTLM hash won't take too long. Because the NTLM hash is really two separate seven character passwords, your 10 character password is only one seven character password and one three character password. An eight character password is stored as one seven character password and one one character password. Take a look at these threads for instructions. I've only used John The Ripper and Lepton's Crack which were compiled from the source but I believe there are GUI versions of JTR available. The following links should get you started.

http://www.openwall.com/john/ -John The Ripper. Look towards the bottom for an OS X specific installer.

http://usuarios.lycos.es/reinob/ -Lepton's Crack. I had to redownload the Xcode 1.5 installer and custom install gcc 2.95.2. I then had to sudo gcc_select 2 in order to get lcrack to compile properly. Note that you don't perform an install. Just configure and make. Copy the lcrack app where you want it to go. In my case /usr/local/bin

http://freaky.staticusers.net/ugboar...834&highlight=

http://freaky.staticusers.net/ugboar...026&highlight=

http://freaky.staticusers.net/ugboar...336&highlight=

http://freaky.staticusers.net/ugboar...ic.php?t=10847

If you are cracking hashes from 10.3, this script will make using JTR and lcrack much easier. Just run the script on the hash and it will place the NTLM and SHA1 hashes in the proper format for each cracking app.

#!/bin/bash
# ExtractHash 1.0

if [ ! $# = 1 ]; then
echo "Usage:"
echo "./ExtractHash name_of_hash_file"
exit
fi

echo

the_file=`basename "${1}"`

H=`cat "${1}"`
echo "Username:"${H:0:32}:${H:32:32}:"Filename (possibly the GUID) "$the_file >> passwdNT4
echo "Username:"${H:64:40}:"Filename (possibly the GUID) "$the_file >> passwdSHA1

echo "File: passwdNT4"
sort -us passwdNT4
echo
echo "File: passwdSHA1"
sort -us passwdSHA1


Once you have the NTLM version cracked, unless it's all caps, you'll need to crack the SHA1 password to see what is upper and what is lower case. No problem, use Lepton's Crack with regex that matches the NTLM and you'll have it cracked in seconds.

lcrack -m sha1 -xb+ -s 'a-zA-Z0-9!-/' -g '[Pp][Aa][Ss][Ss]#1' -l 6 sha1

In this example the password from john was PASS#1. Here's the breakdown. -m Mode is sha1. xb+ Turns on the brute force mode, the + means to turn it on. -s is the character set to use. For example -s 'a-zA-Z0-9!-/' will try all the possible letters, numbers, and symbols in upper and lower case. -g '[Pp][Aa][Ss][Ss]#1' is a regex flag so it knows what to try and match. In this example, since we know what the password is but not the case of the letters, try each letter in upper and lower case. -l 6 is the length of the password, in this case 6 characters. sha1 is the name of the text file containing the username:hash combo to crack.

alpha = a-zA-Z
alpha-numeric = a-zA-Z0-9
alpha-numeric-symbol14 = a-zA-Z0-9!-/
alpha-space = a-zA-Z\x20
printable = \x20-~
all = \x00-\xff


If you're having problems, check the links provided earlier in the post.

[Angus_D]

Originally posted by uochris:
You'll quickly find that if someone has access to your computer, cracking the NTLM hash won't take too long.

I don't use Microsoft Windows NT LAN Manager for my authentication, and in fact I doubt practically anyone else here does.

[angelmb]

Originally posted by dreilly1:
I don't have to test my password -- I know it's unbreakable.
It's the same password that I have on my luggage.

He says it clearly, his pass is "unbreakable"

[EdipisReks]

i just changed my password. it now ranks 108.6. a nice upgrade from 26.1. of course, what does it even matter? afterall, anyone with a Panther install disk can change the password.

[leperkuhn]

Originally posted by EdipisReks:
i just changed my password. it now ranks 108.6. a nice upgrade from 26.1. of course, what does it even matter? afterall, anyone with a Panther install disk can change the password.

unless you password protect the open firmware.

[MindFad]

I got a 46.5. Meh, I'll stick with it.

[bradoesch]

Originally posted by mdc:
password prompt every reboot? are you talking about the login screen?
if so, system preferences > accounts > login options > automatically login as:

if not, i apologize, and i have no idea which password prompt you are talking about. i don't get any. my keychain opens sans password.

Originally posted by dtriska:
If your login password is different from your keychain password, you'll need to unlock your keychain manually each time you login, and hence the password dialogue.

I'm using automatic login, but once my desktop appears there's a dialog box asking for my password. My login password and keychain password are the same. I can't quite remember which password it asks for. I'm sure it's the keychain, because Mail won't check for messages until I enter the password.

[ManOfSteal]

41.4 and it's NOT changing anytime soon.

[Mediaman_12]

Originally posted by manofsteal:
41.4 and it's NOT changing anytime soon.

Odd, mine got that two. and since it's a short number string and a word that is no longer connected with me in any way. I am also sticking.

[bma_mat99]

no joke, my password score is 111.8. Its quite a complex password...

[:haripu:]

my normal password is 43. My other - ultra-high security password - is 192(!). It's just that I have almost never found anything interesting enough to encrypt it so secure.

[Krusty]

Originally posted by manofsteal:
41.4 and it's NOT changing anytime soon.

Yes, but if you have "Check for Rickey Henderson based passwords" checked ON, it will drop to 5.6

[cszar2001]

Lower is better right?
My score is too low to post here.

[Powaqqatsi]

I got 9.1 meh who cares. I'm not changing it, I already need to remember too much PIN's and passwords.

[cybergoober]

55 here.

[dtriska]

Originally posted by bradoesch:
I'm using automatic login, but once my desktop appears there's a dialog box asking for my password. My login password and keychain password are the same. I can't quite remember which password it asks for. I'm sure it's the keychain, because Mail won't check for messages until I enter the password.

It's possible your keychain is damaged: http://docs.info.apple.com/article.html?artnum=151548

[thePurpleGiant]

Mine is 44% which I think is a joke. It has uppercase letters, lowercase letters, numbers and punctuation right through it. I can't see how that is no better than passwordpasswordpassword1.

[Turnpike]

Originally posted by Mediaman_12:
it's a short number string and a word

is there an underscore between the short number string and the word, Mediaman_12?

[JHromadka]

53.6

[york28]

71.5.

But an real cracking attempt would probably use a list of common English words as a dictionary for generating passwords, which the keychain app doesn't take into account. PER mentioned this I believe.

[SteevAK]

41.4 here as well.

[qnxde]

Originally posted by [APi]TheMan:
51.7. I agree, cool keychain assistant. Cool thread.

****, mine also got 51.7 - I wonder if we have the same password

[chris v]

abc123 has worked for me all these years, why change it now?

I'm actually ony a 31, becuase of a "dictionary-based word" despite the fact that there's a random number along with that word. You've got to get into waaaay too many characters for me to remember before the thing gets to 100.

[JKT]

Originally posted by chris v:
abc123 has worked for me all these years, why change it now?

I'm actually ony a 31, becuase of a "dictionary-based word" despite the fact that there's a random number along with that word. You've got to get into waaaay too many characters for me to remember before the thing gets to 100.

Read the second of the MacOS X hints linked in the original post to find out why that is a lie. It is exceedingly easy to generate long but easy to remember passwords.

As I authored the hint, don't be surprised that the lowest I score is around 93 and that many of my passwords score (far) better.

[E's Lil Theorem]

46.5

Good enough I say.

[iREZ]

56.9, not too shabby I guess.

[wulf]

62. Considering most people round here have their passwords stuck on the front of their monitors, I think that's not too bad.

[entrox]

The ultra-secret Spathi Cypher, which is known only by me and several billion other Spathi is `Huffi-Muffi-Guffi'.

Interestingly, it rates at a solid 109.0!

[voyageur]

Originally posted by Webscreamer:
31.1.... mine is too short my life has been ruined....

mine also...and here I thought it was pretty decent.

Neat trick. Thanks for posting it.

[Cadaver]

41.something, though mine's an essentially random 6-character alphanumeric string with both upper and lowercase. Seems like a low score to me.

[dampeoples]

Mine's a 31 and staying put, like another uy said, I have too many to remember as it is now.

[JKT]

Bump, given the justifiable "scare" surrounding the Opener script and what it has the potential to do if you were to stupidly install it...

All of you with a password scoring a derisory 40 or less should perhaps think again about that decision. Just how long would it take John the Ripper to crack it? It is exceedingly easy to generate long, hard to crack but simple to remember passwords. Do yourself a favour and think about doing so now.