Openwall Project
bringing security into open environments
 

Software you can find here:

These (and a few other) packages are also available via FTP from ftp.openwall.com and its mirrors. You are encouraged to use the mirrors, but be sure to verify the signatures on software you download.

The more experienced users and software developers may use our CVSweb server to browse through the source code for most pieces of Openwall software along with revision history information for each source file.

We publish security advisories, do presentations, offer a number of services, and accept donations.

We also maintain a wordlists collection for use with password crackers such as John the Ripper and with password recovery utilities, and a collection of pointers to password recovery resources on the Net.

Finally, we host community resources such as mailing lists and a wiki for users of Openwall software and for other Open Source and computer security folks.

If you would like to be notified of updates to this website and the packages hosted here, you can subscribe to the announcement mailing list by sending an empty message to <announce-subscribe at lists.openwall.com> or entering your e-mail address below. You will be required to confirm your subscription by "replying" to the automated confirmation request that will be sent to you. You will be able to unsubscribe at any time and we will not use your e-mail address for any other purposes or share it with a third party. The list traffic is very low (1-2 messages a month). You may review past announcements here.


November 18, 2009
We've learned that passwdqc releases are now being packaged for NetBSD. (Many other OS distributions have been doing it for years.)

There's a new ISO image of Owl-current for 32-bit x86 (generated on November 17) available on our FTP mirrors. It uses Linux 2.4.37.7-ow1 as its default kernel.

Solar Designer has published some source code snippets and frameworks (mostly in C), which he placed in the public domain. Please feel free to reuse these in your programs.

November 17, 2009
We've just released passwdqc 1.1.4, which we declare the new stable release. The changes since 1.1.3 are mostly limited to minor code and manual pages markup cleanups (such as for proper formatting on OpenBSD).

November 15, 2009
Linux 2.4.37.7-ow1 is out.

October 26, 2009
Fresh ISO images of Owl-current for x86 and x86-64 (generated on October 25) are available on our FTP mirrors. There are also direct download links on the Owl homepage. These ISOs use Linux 2.4.37.6-ow1 as the kernel, and, compared to last month's ISO snapshots, they contain updated versions of many packages (vsftpd, iptables, passwdqc, cpio, e2fsprogs, strace, VIM, and xinetd).

October 25, 2009
Linux 2.4.37.6-ow1 is out. The 2.4.37.6 kernel fixes a number of information leak vulnerabilities. One of these was already fixed in 2.4.37.5-ow1, and the remaining ones may or may not affect specific systems depending on both kernel and userspace configuration.

October 24, 2009
We've just set up an unofficial mirror of http://www.packetfactory.net. We did this because the main Packetfactory site appeared to have gone down "permanently" (staying down for about a year), whereas much of its content was still valuable. The Packetfactory was hosting a number of networking and network security projects (with a focus on raw IP networking) and related publications. All of this content is now available on the mirror, although some of the projects (the actively maintained ones) have since moved elsewhere.

October 23, 2009
passwdqc 1.1.3 introduces an "official" and documented way to build and install all components but the PAM module on systems without PAM. At the same time, we've enhanced the "personal login information" check to consider the user's home directory path and name (in addition to the username and full name), made the code even more portable, and relaxed the license even further.

October 17, 2009
passwdqc, our password/passphrase strength checking toolset, has been updated further to version 1.1.2. The changes since 1.1.0 are mostly focused on restoring portability to non-Linux platforms (which we broke with the introduction of lots of new functionality between 1.0.5 and 1.1.0) and on improving the "protocol" used by the pwqcheck and pwqgen programs. (passwdqc 1.1.x are considered "development" versions, although this is primarily because of their potentially more limited out-of-the-box portability. The current "stable" version is pam_passwdqc 1.0.5, which readily supports Linux, FreeBSD, Solaris, and HP-UX. Additionally, there's a plugin password strength checker for OpenBSD.)

October 15, 2009
We have revised the online version of «IPv6: What, Why, How», a presentation by Jen Linkova aka Furry. Most notably, we've introduced an index page with small but legible images of the 60 slides. The slides are clickable for higher-resolution and "live" versions (with up-to-date IPv4 address space exhaustion data from external sources).

The presentation covers topics such as IPv4 address distribution and address space exhaustion, current approaches to conserving IPv4 address space, IPv6 as the solution, IPv6 address format, examples, and address types, interface ID and address (auto)configuration, privacy concerns, IPv6 packet header format (in comparison to IPv4), fragmentation, ICMPv6 (and how it replaces multiple IPv4 control protocols), Neighbor Discovery (ND) and how to secure it, IPv6 & DNS, migration from IPv4 (including dual-stack nodes, tunneling, and address translation), related security concerns, a summary of advantages of IPv6, common misconceptions around IPv6, and more.

October 12, 2009
We have turned our pam_passwdqc package (which was up to version 1.0.5) into a password/passphrase strength checking toolset called simply passwdqc (now at version 1.1.0). Specifically, we have introduced libpasswdqc (a password/passphrase strength checking library), pwqcheck (a standalone password/passphrase strength checking program), and pwqgen (a standalone random passphrase generator program), in addition to the PAM module, which is now built upon libpasswdqc. We have also added the config=FILE option to allow for specifying the password/passphrase policy in a configuration file rather than on the command-line. Finally, we've revised the documentation, including introduction of manual pages for the new components. All of this is mostly due to work by Dmitry V. Levin (some of it originally for ALT Linux).

September 27, 2009
Steven M. Christensen of Sunfreeware has contributed John the Ripper 1.7.3.4 packages for many versions of Solaris, both SPARC and x86, including both 32-bit and 64-bit builds. These are now linked from the contributed resources list on the John the Ripper homepage.

September 20, 2009
John the Ripper 1.7.3.4 has been released, along with an update of the jumbo patch to this new version. The changes made since 1.7.3.1 are intended primarily for use by packagers of JtR, such as for *BSD "ports" and Linux distributions. Since version 1.7.3.1 has existed for a year and proved to be reliable, and since the changes between 1.7.3.1 and 1.7.3.4 are so minor, 1.7.3.4 is being declared the new "stable" release.

There are fresh ISO images of Owl-current (for x86 and x86-64) available on our FTP mirrors. These were generated on September 17, and they contain the package updates and build environment enhancements that we made lately (new versions of m4, Linux-PAM, bison, ed, Postfix, ELinks, GnuPG, JtR; a new tri-state setting in the build environment to control whether the testsuites are to be run).

September 8, 2009
We've just released minor updates of our password hashing frameworks, crypt_blowfish 1.0.3 (C/C++) and phpass 0.2 (PHP). Additionally, Dmitry V. Levin has contributed a patch integrating crypt_blowfish into glibc 2.10.1, now linked from the crypt_blowfish homepage.

Erik Winkler has contributed Win32 and Mac OS X builds of John the Ripper 1.7.3.1 with revision 6 of the jumbo patch. These are now found on the contributed resources list on the John the Ripper homepage.

Many unofficial John the Ripper patches have been developed lately, including JimF's generic MD5-based hash support stuff found on the wiki, and generic crypt(3) support intended primarily as an interim solution for cracking the new glibc/Fedora/Ubuntu "SHA-crypt" hashes.

August 31, 2009
The jumbo patch for John the Ripper 1.7.3.1 has been updated to revision 6. The changes are limited to fixes of known bugs in revision 5 of the patch.

August 25, 2009
There are new ISO images of Owl-current (for x86 and x86-64) available on our FTP mirrors. These use the Linux 2.4.37.5-ow1 kernel, and they contain various package updates that we made lately.

August 23, 2009
Linux 2.4.37.5-ow1 is out. The 2.4.37.5 kernel adds a fix for the Linux NULL pointer dereference due to incorrect proto_ops initializations (CVE-2009-2692), which could not be exploited for privilege escalation as long as the vm.mmap_min_addr restriction was enabled (the default setting with our patches). More importantly, Linux 2.4.37.5-ow1 adds a fix for the sigaltstack local information leak affecting 64-bit kernel builds (CVE-2009-2847).

August 3, 2009
Linux 2.4.37.4-ow1 is out. The 2.4.37.4 kernel integrates a replacement for the "personality" hardening measure introduced in 2.4.37.3-ow1.

July 20, 2009
Linux 2.4.37.3-ow1 is out. Besides being an update to the new kernel release, this revision of the patch introduces an additional security hardening measure where the kernel will no longer allow the "personality" feature (which is needed to support some program binaries from other operating systems) to be abused to bypass the vm.mmap_min_addr restriction via SUID-root programs with a certain class of design errors in them.

July 19, 2009
Nmap 5.00, a major new version of the Nmap Security Scanner, was released earlier this week, and we got it into Owl-current (on the release day, in fact). We have also released a new ISO-9660 image of Owl-current, including Nmap 5.00 (with our usual changes for privilege reduction and with some post-release fixes) usable right off the live CD (and installable, of course), and more. Please see the full announcement here.

July 7, 2009
Linux 2.4.37.2-ow1 is out. This is merely an update to the new kernel version.

At the same time, a new ISO image of Owl-current is made available, including an OpenSSH security update, a man-pages update, and two new packages (pciutils and dmidecode), along with the kernel update.

July 6, 2009
PHP 5.3.0 has been released, integrating our crypt_blowfish code right into default builds of the PHP interpreter. This is good news for users of our PHP password hashing framework, phpass, because it means that the bcrypt hashes preferred by phpass will be portable across systems running PHP 5.3.0+ (as well as portable to some systems running older versions of PHP, like before), and that fallbacks to weaker hash types will never occur on PHP 5.3.0+ (unless forced by the programmer). PHP 5.3.0+ also integrates our revision of the FreeSec code from the glibc package on Owl, implementing DES-based hashes. All of this is due to work by Pierre Joye. Finally, PHP 5.3.0+ replaces the integrated implementation of MD5 with one from popa3d for slightly better performance (e.g., of the phpass "portable hashes", which are MD5-based).

June 5, 2009
We've just set up a web page with some Owl-current live CD screenshots.

May 27, 2009
There are new ISO-9660 images of Owl-current for x86 and x86-64 available for download from our FTP mirrors. A lot of packages have been significantly updated and some new ones have been added since the last ISO snapshot mentioned in a news item. The Linux kernel has been updated to 2.4.37.1-ow1.

May 24, 2009
Linux 2.4.37.1-ow1 is out. Linux 2.4.37.1, compared to 2.4.35-ow2, adds numerous security-relevant fixes to various kernel subsystems.

April 29, 2009
A standalone program to call the password complexity checking functions of pam_passwdqc (e.g., from a script) has been contributed by Wolfram Wagner and added to the contributed resources list on the pam_passwdqc homepage.

April 8, 2009
Version 1.0.3 of our tcb suite implementing the alternative password shadowing scheme has been released. The changes since tcb 1.0 are limited to minor bug and reliability fixes.

On a related note, tcb has been integrated into Mandriva Linux 2009, whereas pam_passwdqc has been integrated into DragonFly BSD 2.2+. This is in addition to many OS distributions that had integrated these pieces of software before.

March 27, 2009
The collection of PWDUMP tools has been updated. These tools can be used to obtain password hashes from Windows systems for password security auditing or password recovery. PDFCrack, a free and Open Source command-line tool, has been added to the web page on PDF password crackers.

March 18, 2009
We have just published «IPv6: What, Why, How», a presentation by Jen Linkova aka Furry.

News archive (since 2001)
