Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 23 Jan 2013 18:25:06 +0100
From: magnum <john.magnum@...hmail.com>
To: john-dev@...ts.openwall.com
Subject: Re: Min password length

On 23 Jan, 2013, at 16:26 , jfoug@....net wrote:
> ---- Frank Dittrich <frank_dittrich@...mail.com> wrote: 
>> On 01/23/2013 02:45 PM, jfoug@....net wrote:
>>> What about formats which have a min password length?  Do we have a mechanism to tell JtR to not try any words that are shorter than X bytes long?  I know we have external filters to force this, but that is not the question.  Do we have a way to automatically do this?
>>> 
>>> There are algorithms that specify minimal, so trying words less than the min length is a total waste of resources.
>> 
>> What formats are affected?
> 
> WPAPSK or sure.  In it's specification, it lists 8 character PW min.
> 
>> Do you know for sure that older versions of the OS or application didn't
>> allow shorter passwords?
> 
> Yes, it is spec'd to this.  I do not believe any router or other AP will allow a pass to be set < 8 chars.

The git versions of Jumbo has a --min-length=N option that does what you want - except that formats should also be able to default to > 0 on their own.

The --min-length=N option will affect modes that already had such notion (ie. Incremental and Markov) and it will also affect Single and Wordlist modes in that they will drop words shorter than N (after applying rules, if applicable).

So the only thing "missing" is that we might want to add a min-length parameter to the format struct (and perhaps rename the existing one). Maybe Solar agrees to include this with all the other struct changes.

BTW the --max-length=N option also affects Markov's and Incremental's existing notions, and it makes Single/Wordlist *drop* candidates longer than N (after applying any rules) as opposed to truncating them, which happens if you hit the format's limit.

I am not aware of any current formats other than wpapsk that really needs a set minimum length. Until the format struct supports it, we could add a hack somewhere in the main code, for automatically forcing --min-length=8 for that format.

BTW we need some systematic testing of these new options.

magnum

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.