On Ubuntu 12.04 I created several users and passwords, then promptly proceeded to try to crack those passwords with John the Ripper. One password is very strong, but the others are in my wordlists.
John is still running, but I've got two cracked so far in about 20 minutes.
Everything I read talks about whether the salt is known or not. Take this hash for example:
john:$6$YiP34XiXdXyh9fZn$JrbLMb.VGncFzEyBlz5YsKUim.UE5JLPvFhfcgAH4lz.usOrh.lic8IrQx0PRMIvIIIK4KnaTs9fiEXwNOLJ1/:1003:1003:John,,,:/
The salt is YiP34XiXdXyh9fZn, right? I mean, isn't it always known? So a salt really doesn't do anything but protect against using rainbow tables, right?
Also, there is this post:
How long to brute force a salted SHA-512 hash? (salt provided)
According to that, a SHA-512 essentially cannot be cracked at all unless the password is in a wordlist. That post is about a year old; does anyone have any new insights? I'm finding it difficult to find good resources about cracking hashes; all the information out there is about generating hashes and protecting passwords.
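
As an added example (not part of the original post), the following Python splits the hash field quoted above into its crypt(3) modular-format parts, showing that the scheme id, the optional `rounds=` cost and the salt are all stored in the clear next to the digest. The function names are hypothetical, and the `rounds=10000` line is constructed only to exercise the format.

```python
# Added example: parse a crypt(3) modular-format field ($id$[rounds=N$]salt$digest).
SCHEMES = {"5": ("SHA-256-crypt", 43), "6": ("SHA-512-crypt", 86)}  # id -> (name, digest length)
DEFAULT_ROUNDS = 5000  # used by $5$/$6$ when no rounds= field is present

def parse_crypt_field(field):
    """Return scheme, rounds, salt and digest from a $5$/$6$ hash field."""
    parts = field.split("$")
    if len(parts) < 4 or parts[0] != "":
        raise ValueError("not a modular crypt hash")
    if parts[1] not in SCHEMES:
        raise ValueError("unsupported scheme id: " + parts[1])
    name, digest_len = SCHEMES[parts[1]]
    rest = parts[2:]
    rounds = DEFAULT_ROUNDS
    if rest[0].startswith("rounds="):      # optional cost parameter
        rounds = int(rest[0][len("rounds="):])
        rest = rest[1:]
    if len(rest) != 2:
        raise ValueError("expected salt and digest")
    salt, digest = rest
    if len(digest) != digest_len:
        raise ValueError("digest length does not match scheme")
    return {"scheme": name, "rounds": rounds, "salt": salt, "digest": digest}

def parse_entry(line):
    """Parse a 'user:hash:...' line such as the one quoted in the post."""
    user, field = line.split(":")[:2]
    info = parse_crypt_field(field)
    info["user"] = user
    return info

# The entry exactly as quoted in the post.
PAGE_LINE = ("john:$6$YiP34XiXdXyh9fZn$JrbLMb.VGncFzEyBlz5YsKUim.UE5JLPvFhfcgAH4lz"
             ".usOrh.lic8IrQx0PRMIvIIIK4KnaTs9fiEXwNOLJ1/:1003:1003:John,,,:/")
# Constructed line (not a real hash): same digest text with an explicit rounds= field.
CONSTRUCTED_LINE = PAGE_LINE.replace("$6$", "$6$rounds=10000$", 1)

if __name__ == "__main__":
    for line in (PAGE_LINE, CONSTRUCTED_LINE):
        e = parse_entry(line)
        print(e["user"], e["scheme"], "rounds=%d" % e["rounds"], "salt=" + e["salt"])
```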