Using hashing and salting to crack passwords

I first started by creating a program that creates a list of combinations using the

array that was provided on the file “CreatePwdFileRandom.java” in order to be able to

hash it using the same piece of code that was used to create the list of hashed passwords.

Using this approach I create a piece of code that I named “CreatePwdFileRandom2.java”.

I wrote a static method that writes a combination of chars. This method only

writes up to two char combinations because I wanted to prove that the program is able to

crack hashed passwords. This method is later called in the main method to hash the list of

passwords. In order to print the list of chars, I used a for loop that transverse the array in

order to print it on the text file. I used the same methodology to print the two char

combination.

In order to compare the two lists of hash passwords, I wrote another piece code

that basically takes the list of ten passwords found on the text file named

“hashedRandomPwd.txt”. I named this program “compareHashList.java”. The approach I

took to compare the two lists was very simple. I fist create a static method that reads the

ten hashed passwords, used a string tokenizer to separate the tokens and store them in a

array of objects named “usernames”. I decided to use this approach because it makes it

easy to retrieve the owner of the password. I used a while loop that transverse the array.

Inside of the while loop I used a for loop that transverse the combination of hashed

passwords. I used a compareTo that retrieves a 0 if the two-hashed passwords were the

same. If the comparison is true, the if statement prints the username and the password of

the account. Here is a snapshoot that proves that the program “compareHashList.java”

was able to crack the list of hashed passwords.

The other way to encrypt a password is by including a random combination of

characters that is encrypted in combination. This technique is called salting because it

incudes a salt to hash password. This technique does not make an encrypted password

uncrack able. It is a technique that is used to make a password more time consuming to

crack.

The second list of passwords was encrypted using this technique. Because we

have to combine every salt to each password we are going to try, it will make the list of

password ten times bigger. This time we have to use a U.S. dictionary word list in order

to create the list of encrypted passwords.

In order to create the file where the salted hashed passwords were going to be

stored. I created a piece of code that reads an U.S. word dictionary file. I named this

piece of code “CreatePwdFileRandom2.java”. This piece of code uses the static method

already used on “CompareHashList2.java”which stores the ten passwords in an array as

“Usermanes” objcets. I create a modified version of the “Usernames” object that takes

now three parameters. It reads the ten-password list, uses a string tokenizer to separate

them into tokens in order to be able to store them in usernames objects. These objects are

going to be stored on an array in order to be easily accessible by other classes.

Another program named “compareSaltList.java” was created in order to compare

the created list of hashed salted U.S. diccionary word list with the list of 10 salted hashed

passords. This program works very similar to the one that compares hashed strings named

“hashedRandomPwd.txt”. Here is a snapshoot that proves that the program

“compareSaltList.java” was able to crack the list of salted passwords.