How to test passwords against a word list with fuzzing

security password password-management

How can I test passwords against a dictionary / word list, where the entries have been fuzzed to some degree?

By "fuzzed", I mean variants of words with "l33t" conversions and other character conversions are included in the check.

Ideally, I would like to pass in a password value, have the utility check the password, and return a yes/no value.


Solution 1:

John the Ripper has modes which can be used to test password strength against a fuzzed list. It supports creating your own fuzzing rules, and uses whatever dictionaries you provide. It comes by default with a large set of common fuzzing rules installed, including 1337 transformation, word flipping, doubling, uppercasing, simple number/symbol appending, etc.

Solution 2:

If you search google for your password and you find even 1 result, then you have chosen a weak password. NO ONE should know your password, even if they don't know that its yours.

For testing remote system for weak passwords I highly recommend THC-Hydra. I have used this software in penetration tests with great success.

Related

Setup redundant iSCSI network with 2 switches, SAN and ESX
How do I find out if mod_security is installed on my apache server?
sudo chown - prevent ../
How do I format a text file for IIS Mailroot Pickup so that it sends an e-mail with attachments?
Forward mDns from one subnet to another?
How can I stop pulseaudio from filling /var/log/messages with ratelimit.c suppressed lines under Ubuntu 9.10 [closed]
Deploying workstations - best practices?
Can I swap round a built wall in Rust from soft side to hard side?
Does steam track network usage in megabytes per second or megabits?
How do I find tempered monsters?
Will I need DLC to play TW: Warhammer 1 factions in TW: Warhammer 2?
What can I do during a typhoon/blizzard?