In Episode 8 of my Linux Attack and Defense webinar series, I attack a Capture the Flag (CTF) virtual machine themed after the first Matrix movie. Over the course of the attack, I use a local file inclusion (LFI) vulnerability to pull the web server’s hashed password file. The password in that file “cracks,” that is, matches a hash, quite quickly. The rest of the attack hinges on this step. Now, with that said, as a red teamer and penetration tester with quite a bit of experience in password security, I’d like to talk about password strength. In the webinar, we dealt with an LFI vulnerability, but what about the ease with which we were able to crack a password? We were able to crack the password in just seconds. This is partly due to the hash choice used in a web server htaccess file, but the real culprit here was a dictionary word password, with letters changed to numbers. Not all passwords are created equal, not by far.