Date: Mon, 21 Apr 2008 13:51:03 +0400
From: Solar Designer <>
Subject: [openwall-announce] JtR jumbo patch updates; phpass adoption; pam_passwdqc 1.0.5


This is to announce several Openwall news items related to our password
security tools.

1. Since the last announcement on this mailing list, there have been
major additions to the jumbo patch for John the Ripper 1.7.2, which is
now up to revision 12.  Erik Winkler and I have worked on merging the
patches, fixing bugs, testing, etc.  Support has been added for:

- Mac OS X 10.4+ salted SHA-1 hashes;
- two MS SQL hash types (by bartavelle);
- MySQL 4.1+ hashes based on SHA-1 (by Marti Raudsepp);
- Oracle hashes based on DES (by bartavelle);
- HMAC-MD5 (by bartavelle);
- LMv2 challenge/response (by JoMo-Kun);
- half-of-LM-response (by Dhirendra Singh Kholia);
- EPiServer SID hashes (by Johannes Gumbel);
- md5(md5($password) . $salt) as commonly used in PHP applications (by
Albert Veli).

This revision also includes a much faster implementation of old MySQL
hashes (by Balazs Bucsay and Peter Kasza).

As usual, the jumbo patch is found in the "contributed resources" list
on the John the Ripper homepage:

2. Our PHP password hashing framework - phpass - has been adopted by
several major web applications - phpBB3, WordPress, bbPress, and Drupal.
The first three have already made stable releases that use phpass
password hashes.  Drupal currently uses phpass password hashes in
development versions leading to the upcoming Drupal 7 release, and
there's also a module that makes phpass available with Drupal 5 & 6.
Specific information on the way these applications have integrated
phpass, as well as relevant links are available on the phpass homepage:

Also available on the above page is a Python module port of phpass 0.1
by Alexander Chemeris and a link to the Authen::Passphrase::PHPass
Perl module in CPAN by Andrew Main (Zefram).  These modules can be used
for checking passwords against existing phpass "portable" hashes from
scripts written in Python and Perl, respectively.
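As an added illustration (not part of the original announcement, and not the
code of phpass itself or of the Python and Perl ports mentioned above), the
following Python module verifies and creates phpass "portable" hashes using
the construction phpass 0.1 documents: a "$P$" (or phpBB3's "$H$") prefix, one
itoa64 character giving log2 of the iteration count, an 8-character salt, and
the final 16-byte MD5 digest in phpass's own little-endian base64.  The
constant-time comparison and the explicit fail-closed handling of malformed
stored hashes are this example's choices, not something the announcement
describes.  The sample hash for "test12345" is the well-known vector shipped
with phpass's test script; the fixed 6-byte salt in the test is constructed.

```python
"""Verify and create phpass "portable" hashes in pure Python (added example)."""
import hashlib
import hmac
import os

# The 64-character alphabet phpass uses (crypt(3)-style, not RFC 4648).
ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'


def encode64(data: bytes, count: int) -> str:
    """phpass's little-endian base64: every 3 input bytes become 4 chars."""
    out = []
    i = 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3f])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3f])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3f])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3f])
        if i >= count:
            break
    return ''.join(out)


def crypt_private(password: bytes, setting: str) -> str:
    """Recompute the hash of `password` under the prefix/count/salt in `setting`.

    For a malformed setting this returns "*0" (or "*1" if the stored value
    itself starts with "*0"), a string that can never equal a valid hash, so
    a corrupted database row fails closed instead of matching.
    """
    output = '*0'
    if setting[:2] == output:
        output = '*1'
    # phpBB3 stores the identical construction under the $H$ prefix.
    if setting[:3] not in ('$P$', '$H$') or len(setting) < 12:
        return output
    count_log2 = ITOA64.find(setting[3])
    if count_log2 < 7 or count_log2 > 30:  # phpass accepts only 2**7..2**30 rounds
        return output
    count = 1 << count_log2
    salt = setting[4:12].encode('utf-8')
    if len(salt) != 8:
        return output
    # One MD5 of salt||password, then `count` rounds of MD5(previous||password).
    digest = hashlib.md5(salt + password).digest()
    for _ in range(count):
        digest = hashlib.md5(digest + password).digest()
    return setting[:12] + encode64(digest, 16)


def check_password(password: bytes, stored_hash: str) -> bool:
    """True iff `password` matches `stored_hash`; comparison is constant-time."""
    computed = crypt_private(password, stored_hash)
    return hmac.compare_digest(computed.encode(), stored_hash.encode())


def hash_password(password: bytes, count_log2: int = 13,
                  random_bytes: bytes = None) -> str:
    """Create a new $P$ hash with 2**count_log2 rounds and a fresh 48-bit salt.

    `random_bytes` exists only so tests can supply a fixed salt; production
    callers leave it None and get os.urandom().
    """
    if not 7 <= count_log2 <= 30:
        raise ValueError('count_log2 must be in 7..30')
    if random_bytes is None:
        random_bytes = os.urandom(6)
    setting = '$P$' + ITOA64[count_log2] + encode64(random_bytes, 6)
    return crypt_private(password, setting)


if __name__ == '__main__':
    print(check_password(b'test12345', '$P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0'))
    print(hash_password(b'example'))
```

Note that the count character is the only tunable: "$P$9" means 2^11 = 2048
rounds of MD5, and a verifier that accepted counts outside 7..30 could be
made to do far more work (or almost none) by a tampered stored hash, which
is why the range check above mirrors the one in phpass.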

The development of phpass and efforts on getting it into Drupal have
been partially supported by CivicActions:

Yes, we're publicly acknowledging companies that fund our work on free
and Open Source software (unless we're asked otherwise). :-)

Additionally, I have contributed a faster MD5 implementation to PHP,
which should appear in PHP 5.3.0+, making phpass "portable" hashes a bit
more efficient on those newer versions of PHP.

3. A new minor release of our password strength checking module -
pam_passwdqc version 1.0.5 - is out.  In this version, the separator
characters (used for randomly generated "passphrases") have been
replaced with some of those defined by RFC 3986 as being safe within the
"userinfo" part of URLs without encoding, the default minimum length for
passphrases has been reduced from 12 to 11 characters, and corrections
to the documentation have been made.  The homepage for pam_passwdqc is:

Currently, pam_passwdqc is known to work on Linux (with Linux-PAM),
FreeBSD (with OpenPAM - and in fact, pam_passwdqc is a part of FreeBSD),
Solaris 2.6+, and HP-UX 11+.  It may also work on other systems that use
PAM for password changing.

Alexander Peslyak <solar at>
GPG key ID: 5B341F15  fp: B3FB 63F4 D7A3 BCCC 6F6E  FC55 A2FC 027C 5B34 1F15
- bringing security into open computing environments
