Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 10 Aug 2011 06:29:20 +0400
From: Solar Designer <solar@...nwall.com>
To: john-dev@...ts.openwall.com
Subject: Re: DES vs 8-bit

On Wed, Aug 10, 2011 at 12:58:15AM +0200, magnum wrote:
> This is quoted from last years contest writeup (by Solar):
> 
> "Another issue was with DES-based crypt hashes, which process only 7 
> bits of each character (ignoring the 8th bit). This means that for a 
> given valid passwords, many variations of it are possible (with the 8th 
> bit of every character possibly flipped), most of which will not match 
> those on Kore's list of correct passwords, yet all of them are correct."
> 
> 
> Wouldn't it be more logical if JtR itself would strip the 8th bit before 
> reporting the cracked password? I think this is comparable to LM, where 
> an input of "foo" will be cracked and reported as "FOO"?

I had thought of that, and I think that no, or at least such conversion
should not be enforced (it may be available as an option).  Here are
some problems with it:

1. It is useful to know what non-English word a password was based on,
if/when any.  Passwords that JtR tries are usually not random, but are
based on wordlists or character frequencies, so chances are that cracked
passwords are what the users set them to, even if the 8th bit is not
actually checked.

2. How do we handle 0x80, which would become NUL and thus terminate the
C strings?  Not only in JtR itself, but also in other programs written
in C or using libraries written in C, when used to process john.pot or
"john --show" output.  So we'd have to make an exception for 0x80 anyway.

3. Some chars in the 0x80 to 0x9f range, while formally control chars,
are actually not as dangerous to the terminal (or not supported by a
given terminal at all) as the corresponding chars in the 0 to 0x1f range
would be.  This is especially true if the terminal is configured for an
8-bit encoding where this range is used for non-control chars, such as
cp1251.

Alexander

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ