For this project you will configure the Nbvcxz password strength utility.
Learning outcomes
- Planning and design.
- VMware guest modifications.
- Modifying application software.
- Use of GitHub to acquire software.
- Use of the Maven build environment.
- Understanding password entropy.
Overview
Determining the strength of passwords can be difficult. There are many metering tools available and these should be used to determine overall strength. However, meters are only as good as the terms under which they were built.
Enter ZXCVBN. There is an online tool that demonstrates what a good meter should provide. Begin by trying out the meter and see for yourself.
NBVCXZ
The NBVCXZ project is a Java version of this tool. In addition, it can help to provide randomized passwords that meet or exceed complexity requirements.
On your Ubuntu VM, install the following software as root:
apt-get install git openjdk-8-jdk maven
Once the software is installed, as the non-privileged user, we can then clone the NBVCXZ repository to the local VM and build the software.
git clone https://github.com/GoSimpleLLC/nbvcxz.git
cd nbvcxz
mvn package
This may take a significant amount of time to build. Any errors should be reported to your instructor for resolution.
Testing
Now that the software is built, it is very easy to run.
cd target
java -jar nbvcxz-1.4.3.jar
The program will look something like this:
    student@test:~/nbvcxz/target$ java -jar nbvcxz-1.4.3.jar
    Commands: estimate password (e); generate password (g); quit (q)
    Please enter your command: e
    Please enter the password to estimate: Passw0rd!
    ----------------------------------------------------------
    Time to calculate: 307 ms
    Password: Passw0rd!
    Entropy: 13.004922678569045
    Your password does not meet the minimum strength requirement.
    Warning: This is a very common password.
    Suggestion: Add another word or two. Uncommon words are better.
    Suggestion: Capitalization doesn't help very much.
    Time to crack: ONLINE_THROTTLED: 1 hours
    Time to crack: ONLINE_UNTHROTTLED: 1 minutes
    Time to crack: OFFLINE_BCRYPT_14: 31 seconds
    Time to crack: OFFLINE_BCRYPT_12: 7 seconds
    Time to crack: OFFLINE_BCRYPT_10: 1 seconds
    Time to crack: OFFLINE_BCRYPT_5: instant
    Time to crack: OFFLINE_SHA512: instant
    Time to crack: OFFLINE_SHA1: instant
    Time to crack: OFFLINE_MD5: instant
    -----------------------------------
    Match Type: DictionaryMatch
    Entropy: 9.682994583681683
    Token: Passw0rd
    Start Index: 0
    End Index: 7
    Length: 8
    Dictionary: passwords
    Dictionary Value: passw0rd
    Rank: 411
    Length: 8
    Leet Substitutions: false
    Reversed: false
    Distance: 0
    -----------------------------------
    Match Type: SeparatorMatch
    Entropy: 3.3219280948873626
    Token: !
    Start Index: 8
    End Index: 8
    Length: 1
    ----------------------------------------------------------
    Commands: estimate password (e); generate password (g); quit (q)
    Please enter your command: g
    What type of password would you like to generate?
    Random (r), Passphrase (p): p
    What delimiter would you like to use: -
    How many words would you like your passphrase to be: 5
    ----------------------------------------------------------
    Password: caliber-unmanaged-nemeses-iciness-baking
    ----------------------------------------------------------
    Commands: estimate password (e); generate password (g); quit (q)
    Please enter your command: e
    Please enter the password to estimate: caliber-unmanaged-nemeses-iciness-baking
    ----------------------------------------------------------
    Time to calculate: 48 ms
    Password: caliber-unmanaged-nemeses-iciness-baking
    Entropy: 72.91177489757835
    Your password meets the minimum strength requirement.
    Time to crack: ONLINE_THROTTLED: infinite (>100000 centuries)
    Time to crack: ONLINE_UNTHROTTLED: infinite (>100000 centuries)
    Time to crack: OFFLINE_BCRYPT_14: infinite (>100000 centuries)
    Time to crack: OFFLINE_BCRYPT_12: infinite (>100000 centuries)
    Time to crack: OFFLINE_BCRYPT_10: infinite (>100000 centuries)
    Time to crack: OFFLINE_BCRYPT_5: infinite (>100000 centuries)
    Time to crack: OFFLINE_SHA512: 264 centuries
    Time to crack: OFFLINE_SHA1: 33 centuries
    Time to crack: OFFLINE_MD5: 11 centuries
    -----------------------------------
    Match Type: DictionaryMatch
    Entropy: 11.92481250360578
    Token: caliber
    Start Index: 0
    End Index: 6
    Length: 7
    Dictionary: eff_large
    Dictionary Value: caliber
    Rank: 3888
    Length: 7
    Leet Substitutions: false
    Reversed: false
    Distance: 0
    -----------------------------------
    Match Type: SeparatorMatch
    Entropy: 3.3219280948873626
    Token: -
    Start Index: 7
    End Index: 7
    Length: 1
    -----------------------------------
    Match Type: DictionaryMatch
    Entropy: 11.92481250360578
    Token: unmanaged
    Start Index: 8
    End Index: 16
    Length: 9
    Dictionary: eff_large
    Dictionary Value: unmanaged
    Rank: 3888
    Length: 9
    Leet Substitutions: false
    Reversed: false
    Distance: 0
    -----------------------------------
    Match Type: SeparatorMatch
    Entropy: 3.3219280948873626
    Token: -
    Start Index: 17
    End Index: 17
    Length: 1
    -----------------------------------
    Match Type: DictionaryMatch
    Entropy: 11.92481250360578
    Token: nemeses
    Start Index: 18
    End Index: 24
    Length: 7
    Dictionary: eff_large
    Dictionary Value: nemeses
    Rank: 3888
    Length: 7
    Leet Substitutions: false
    Reversed: false
    Distance: 0
    -----------------------------------
    Match Type: SeparatorMatch
    Entropy: 3.3219280948873626
    Token: -
    Start Index: 25
    End Index: 25
    Length: 1
    -----------------------------------
    Match Type: DictionaryMatch
    Entropy: 11.92481250360578
    Token: iciness
    Start Index: 26
    End Index: 32
    Length: 7
    Dictionary: eff_large
    Dictionary Value: iciness
    Rank: 3888
    Length: 7
    Leet Substitutions: false
    Reversed: false
    Distance: 0
    -----------------------------------
    Match Type: SeparatorMatch
    Entropy: 3.3219280948873626
    Token: -
    Start Index: 33
    End Index: 33
    Length: 1
    -----------------------------------
    Match Type: DictionaryMatch
    Entropy: 11.92481250360578
    Token: baking
    Start Index: 34
    End Index: 39
    Length: 6
    Dictionary: eff_large
    Dictionary Value: baking
    Rank: 3888
    Length: 6
    Leet Substitutions: false
    Reversed: false
    Distance: 0
    ----------------------------------------------------------
    Commands: estimate password (e); generate password (g); quit (q)
    Please enter your command: q
    Thank you for using nbvcxz!
    student@test:~/nbvcxz/target$
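To see where the totals in the session above come from, the following added example (not part of the original assignment or of the nbvcxz project) parses an excerpt of the Passw0rd! report, checks that the per-match entropies add up to the reported total, and compares each dictionary match with log2 of its rank. The names `fields` and `audit` are hypothetical.

```python
import math
import re

# Excerpt of the "Passw0rd!" report from the session above
# (crack-time lines and index/length fields left out).
REPORT = """\
Password: Passw0rd!
Entropy: 13.004922678569045
-----------------------------------
Match Type: DictionaryMatch
Entropy: 9.682994583681683
Token: Passw0rd
Rank: 411
-----------------------------------
Match Type: SeparatorMatch
Entropy: 3.3219280948873626
Token: !
"""

RULE = re.compile(r"^[ \t]*-{10,}[ \t]*$", re.M)  # dashed lines between sections

def fields(chunk):
    """Turn 'Key: value' lines into a dict (later duplicates overwrite earlier)."""
    lines = map(str.strip, chunk.splitlines())
    return dict(l.split(": ", 1) for l in lines if ": " in l)

def audit(report, tol=1e-9):
    """Check that per-match entropies add up to the reported total."""
    chunks = [fields(c) for c in RULE.split(report)]
    total = next(float(c["Entropy"]) for c in chunks if "Password" in c)
    rows, summed = [], 0.0
    for m in (c for c in chunks if "Match Type" in c):
        bits = float(m["Entropy"])
        summed += bits
        # Walking a ranked wordlist reaches rank r after r guesses: log2(r) bits.
        # 'extra' is whatever the tool added on top of that for this token.
        extra = bits - math.log2(int(m["Rank"])) if "Rank" in m else None
        rows.append((m["Token"], m["Match Type"], bits, extra))
    return {"total": total, "summed": summed,
            "consistent": abs(total - summed) < tol,
            "guesses": 2 ** total, "rows": rows}

if __name__ == "__main__":
    result = audit(REPORT)
    print("sum matches total:", result["consistent"])
    print("search space: about %.0f guesses" % result["guesses"])
    for token, kind, bits, extra in result["rows"]:
        note = "" if extra is None else " (log2(rank) %+.3f)" % extra
        print("%-10s %-16s %6.3f bits%s" % (token, kind, bits, note))
```

For Passw0rd! the 13.0 bits correspond to about 8220 guesses, and the dictionary match carries 1 bit more than log2(411); the five passphrase words in the session each score exactly log2(3888).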
Experiment with the online tool and the Java-based tool. Submit your thoughts on this tool and the web tool. How could you see this tool being used to educate users on better password selection?