How incredibly easy it is to break (weak) passwords

Just a few minutes ago, my fried sent me an encrypted ZIP file and says "This ZIP file contains some artwork, but the password is distributed in a past, live event. And it's the birthday of the artist. 8 digits. Can you crack it?" Apprantly he can't find the password. "Sure" I said. I've learned in my cryptography and security class that 8 digit passwords are really easy to crack. Worst case I can iterate through all the possible combinations with BASH within a day. But I've heard this John the Ripper thing is really good at cracking passwords. So I decided to give it a try.

I dumped the hash with zip2john file.zip > password.hash and started cracking it with john password.hash. Firs I saw john decided to use the CPU only and to myself said, well I'll have to go to bed and see what happens tomorrow.

> ~/Documents/not-my-projects/john/run/john password.hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 16 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status

But seconds later, just before I lunch htop to see what's going on, I see this:

Almost done: Processing the remaining buffered candidate passwords, if any.

Oh my. Then immediately (I removed the password and the filename , you hvae to trust me on this):

0g 0:00:00:03 DONE 1/3 (2023-08-03 01:24) 0g/s 16334p/s 16334c/s 16334C/s Ztail1900..Uzip1900
Proceeding with wordlist:/home/marty/Documents/not-my-projects/john/run/password.lst
Enabling duplicate candidate password suppressor
xxxxxxxx         (somefile.zip/xxxxxxx.png)
1g 0:00:00:20 DONE 2/3 (2023-08-03 01:24) 0g/s 2559Kp/s 2559Kc/s 2559KC/s 16212908..Nicole8208
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Boom! I got the password! It took 20 seconds to crack an 8 digit password. On an old workstation CPU! I'm not even using a GPU! And I'm not even using a wordlist! I'm brute forcing!

Just imagine that password is the only thing holding attackers back. Even though I have use very strong passowrds and have a passowrd manager. I'm legit scared by how fast I, a cracking amateur, can break it. I certainly hope that every password in existance are much stronger than this.

That is only until I realized. Credit/Debit card PINs are 4 to 8 digits long. I know, I know, it's different as the secure element prevents you from trying more than 3 times nor dumping the hash. But still, can we have actual, good authentication please? Like TOTP or U2F? Please?

=> =======

I'm probably overreacting and will be back to normal tomorrow. But.... welp.

Proxy Information
Original URL
gemini://gemini.clehaxze.tw/gemlog/2023/08-03-how-incredibly-easy-it-is-to-break-weak-password.gmi
Status Code
Success (20)
Meta
text/gemini
Capsule Response Time
1429.388901 milliseconds
Gemini-to-HTML Time
0.394865 milliseconds

This content has been proxied by September (ba2dc).