Password guess failed but why?

Posted: Sun Jan 06, 2019 3:19 pm
by cheriebyers
Hello, I am a parent helping my 7th grader with the science project, "Passwords, how easily can your password be hacked". When we enter a 6 character password, we let it run for a couple days, but the brute force method (method 2) failed. Why? Won't brute force eventually work? There were only lower case letters in the password.

Also from the code it looks like an error should be returned if password0 is more than 8 characters. However, we entered an 11 character password (once again all lower case letters) and it did not give an error and said it was searching a "6 character" password. We let it run for 2 days before it came back and said it failed. Curiously enough it printed the message that it was searching for a "6 character password" on this 11 character password and also the 8 character password I first mentioned...am I missing something? Is it not counting the number of characters correctly? Thanks for the help. Cherie

Re: Password guess failed but why?

Posted: Mon Jan 07, 2019 9:22 am
by bfinio
Hi Cherie:

1) Did you get it to work with 4 and 5 character passwords? The amount of time required to crack the password using brute force grows exponentially with each added character (as explained in the beginning of the procedure). So if it took a few hours to crack a 5 character password, it wouldn't be surprising if it takes days to do 6.

2) I don't have the code in front of me, but the error checking might not be perfect. I've never tried entering a password longer than 8 characters so I'm not sure what happens. Did you actually want to test an 11 character password, or were you just seeing if it would generate an error?

3) One clarification - at the end of your post you said "also the 8 character password I first mentioned" - but the password you mentioned first was 6 characters - so was one of those a typo?

Thanks,

Ben

Re: Password guess failed but why?

Posted: Mon Jan 07, 2019 1:46 pm
by cheriebyers
Hi there. Yes we were successful in 4 character passwords. It was solved in a half hour or less. By design, will the program fail if it takes too long? I.e., like it did with our 8 character pw? That's the only reason I could think that it came back as "method 2 didn't work" since I would think brute force would always work in theory...
And it was a typo to answer your question. Our password we tried was 8 characters...and it reported a 6 character password. Also, for the 11 character password, we didn't know the program was not supposed to work...just when I looked at the code later I saw it was supposed to fail...anyway, I wasn't sure if the character count was affecting results in another way. Thanks, regardless it's been a great experiment! :)

Re: Password guess failed but why?

Posted: Mon Jan 07, 2019 1:57 pm
by bfinio
Hi Cherie - I'm answering this from memory without having the code open in front of me. First, if four characters took half an hour, then it definitely wouldn't surprise me if 8 characters took days. Second - brute force will only "always" work IF you're telling it to search through all possible characters. For example, if your brute force algorithm only searches for letters and numbers, but the password contains punctuation characters like !@#$%^&*(), then it will never find the password. I forget which methods in the program use which characters, but that could also cause some unexpected behavior.

Let us know if you have more questions!

Re: Password guess failed but why?

Posted: Tue Jan 08, 2019 5:53 pm
by cheriebyers
Thank you for your response. The 8 character password that ran for 2.5 days that failed with brute force was just lower case letters. No special characters. From the code Method 2 does try all upper, lower case characters and digits. Maybe the program "errors out" somehow after a time before trying all the options? Thanks for any other ideas...

Re: Password guess failed but why?

Posted: Tue Jan 08, 2019 6:11 pm
by bfinio
Hmm - if it's just lower case letters, I do think it would work eventually. To the best of my knowledge there's no upper time limit. Did you make any other modifications to the code beyond entering that 8-character password? If you made other changes that could have possibly messed something up, you can always re-download the original code and start fresh.

Just to clarify - at this point, you got it to work for 4, 5, 6, and 7 character passwords? It's only the 8 character password that's giving you trouble? One possibility to test if method 2 is working with an 8 character password is to just make the password something like "aaaaaaaa" so it should find it right away, instead of taking days to cycle through to the right combination (double-check the code to see which characters it checks first). That way you don't have to wait 2.5 days for the results.

Re: Password guess failed but why?

Posted: Fri Jan 11, 2019 8:50 pm
by cheriebyers
Hi there...it worked for the 1 and 3 character password. It took a few seconds to find using Brute Force. It failed on the 8 and 11 character password. I am trying now "AAAAAA" a 6 character password to see what happens. From the code can you tell me the order that it tries...is it blank space and then "A". I'm not sure what the "array" function does if it starts searching with numbers?? Thanks. Here is the snippet of the code...

print("Using method 2 and searching with "+str(num_pass_wheels)+" characters.")
wheel = " ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
# we only allow up to 8 wheels for each password for now
if (num_pass_wheels > 8 ):
    print("Unable to handle the request. No more than 8 characters for a password")
    still_searching = False
else:
    if show_instructions:
        print("WARNING: a brute-force search can take a long time to run!")
        print("Try letting this part of the program run for a while (even overnight).")
        print("Press ctrl+C to stop the program.")
        print("Read the comments in Method 2 of the program for more information.")
        print()

# set all of the wheels to the first position
pass_wheel_array=array('i',[1,0,0,0,0,0,0,0,0])

Re: Password guess failed but why?

Posted: Mon Jan 14, 2019 6:34 am
by bfinio
Hi Cherie - to clarify, when you say "it failed on the 8 and 11 character password," do you mean it took forever to run so you gave up and canceled it? Or it returned a message saying it didn't find the password? What did you try for the 8 character password?

Also, when you try to use an 11 character password, based on the code it should print the message "Unable to handle the request. No more than 8 characters for a password" on the screen. Does that happen?

Re: Password guess failed but why?

Posted: Wed Jan 23, 2019 8:45 pm
by cheriebyers
Thanks for following up on this...I did not end the program in any of the failed tests, it just reported "method2 did not work" (nor did any other method work). I tested AAAAAAA (7 char), AAAAAAAA (8 char) and it ran for about 2.5 days and reported "method 2 did not work". The AAAAAA (6 char) was found by method2 in 52 minutes. No error message that it couldn't handle the 11 character password, just runs for 2.5 days and reported "method 2 did not work" as well.

Re: Password guess failed but why?

Posted: Wed Jan 23, 2019 8:49 pm
by cheriebyers
Also another interesting thing that may or may not be related is no matter the length of my password (password0), it reports "using method 2 and searching with 6 characters". It doesn't seem to be reporting the length of the password correctly??

Re: Password guess failed but why?

Posted: Thu Jan 24, 2019 6:55 am
by bfinio
Hmm - that definitely doesn't seem right, and doesn't match what I remember about running the code (I remember it correctly reporting the number of characters, not always reporting 6). Did you intentionally modify anything else in the code? It might be worth re-downloading all the files to a new folder and starting fresh, just in case you changed something by accident.
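
Added example, not part of the thread or of the project's code: a small model of a wheel-based brute-force search over the `wheel` string quoted above, calibrated with the one timing the thread reports ("AAAAAA" found in 52 minutes). The odometer ordering, the meaning of the leading space, and the names `guess_number`, `guesses_to_exhaust`, `outcome` and `RATE` are assumptions made for illustration.

```python
WHEEL = " ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
BASE = len(WHEEL)  # 63 positions: the space (assumed "wheel unused") plus 62 characters


def guess_number(password, num_wheels):
    """Return which guess reaches `password`, or None if the search never does.

    Assumptions (not confirmed by the thread): the wheels count like an
    odometer in base 63, wheel 0 holds the first character and turns fastest,
    and the first guess is "A".
    """
    if not password or len(password) > num_wheels:
        return None  # more characters than wheels: no wheel state spells it
    if any(ch not in WHEEL[1:] for ch in password):
        return None  # character missing from the wheel (e.g. punctuation)
    return sum(WHEEL.index(ch) * BASE**i for i, ch in enumerate(password))


def guesses_to_exhaust(num_wheels):
    """Guesses made before a search over `num_wheels` wheels gives up."""
    return BASE**num_wheels - 1


def outcome(password, num_wheels, rate):
    """Return (found, days_elapsed) for one search at `rate` guesses/second."""
    n = guess_number(password, num_wheels)
    found = n is not None
    guesses = n if found else guesses_to_exhaust(num_wheels)
    return found, round(guesses / rate / 86400, 1)


# Calibration taken from the thread: "AAAAAA" was found in 52 minutes.
RATE = guess_number("AAAAAA", 6) / (52 * 60)

if __name__ == "__main__":
    print(f"calibrated rate: {RATE:,.0f} guesses/second")
    for pw, wheels in [("aaaaaa", 6), ("AAAAAAA", 6), ("AAAAAAA", 8),
                       ("AAAAAAAA", 6), ("AAAAAAAA", 8)]:
        found, d = outcome(pw, wheels, RATE)
        state = "found" if found else "not found"
        print(f"{pw!r:12} {wheels} wheels: {state} after {d} days")
```

Under these assumptions a search limited to 6 wheels gives up after about 2.2 days without ever reaching a 7- or 8-character password, while an 8-wheel search would need roughly 143 days to reach "AAAAAAAA".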