My Fiancée is Using Better Passwords Than Me!

I upgraded my Mac laptop to OS X 10.8 Mountain Lion a few weeks ago, and at the same time I decided to turn on FileVault for (almost) full disk encryption. I’m not paranoid, but If I want to get into infosec, I should at least try to be secure myself.

Around the same time my fiancée had said that her Windows laptop was running slow, and then her hotmail account got compromised. I checked her laptop for anything malicious (all seemed ok) but I didn’t have time to try and find out why it was running slow right then, so I set her up with an account on my Mac laptop. I had not enforced any password policy on my Mac laptop (I’m not even sure how to do that – I’ll have to find out soon), so I asked her if she would mind telling me what password she had used because her password would be able to unlock the FileVault (almost) full disk encryption and her password could be the weak link.

She obviously trusts me because she told me, and I knew from experience with John The Ripper/Hascat/etc that it would easily be cracked using brute force by the proper tools in a matter of seconds because it followed a very common pattern. It turned out that her hotmail account was using a similarly simple password, so it was no great surprise that it had been compromised.

I explained with the help of this great XKCD comic that a password can be hard to crack, but easy to remember:

She is now using a passwords around 30 characters long! This means some of her passwords are probably stronger than some of mine… I have some catching up to do!

Hack This Site Realistic 6

I’ve been working my way through the missions on, and for realistic 6 I needed to write a simple program to decrypt messages encoded using the XECryption algorithm.

I must admit that I had no idea how to go about decrypting the message, so I got a hint from here and then wrote my own javascript powered web page to decode the message.

I’ve put my script up here, not so that you can cheat, but in the hope that you might be able to learn something by viewing the source and testing it below, but first some notes:

  • It is a quick and dirty script with no sanitising or error checking.
  • It assumes that the most common character in the message is a space, so it will not work in all cases (e.g. single words), but should work in most realistic cases.
  • It is not here so that you can cheat, it is here in order that you might be able to learn by looking at the JavaScript source code.

The source:

function XUcrypt(XEcryptString) {
    var XEcryptValues = XEcryptString.substring(1).split(".");  //remove first "." character and put numbers into array
    var XEcryptChars = []; //create array for encrypted characters
    var modeMap = {}; //create map of array occurrences
    var maxCount = 1; //create count var for tracking highest
    var mode; //create mode var to keep track of which is the highest occurring character
    var decoded = ""; //create decoded var for the decoded string
    /*loop adds sum of each group of three numbers to array and creates a map of the values and the number of times they
    occur in order to calculate the mode-average which _should_ be the space character*/
    for (var i = 0; i < XEcryptValues.length / 3; i++) {
        var j = 0;
        for (var k = 0; k < 3; k++) {
            j += parseInt(XEcryptValues[k+3*i]);
        XEcryptChars[i] = j;
        if (modeMap[j] == null) {
            modeMap[j] = 1;
        } else {
            if (modeMap[j] > maxCount) {
                maxCount = modeMap[j];
                mode = j;
    var key = mode-32; //the key is the number of the mode common encrypted charater minus the ASCII code for a space
    for (var i=0; i<XEcryptChars.length; i++) { //for every array entry, type the decoded ascii character
        decoded += String.fromCharCode(XEcryptChars[i]-key);
    return decoded;

The demo:

Encoded message:

Decoded message: