Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 21 Apr 2015 09:10:55 +0200
From: Frank Dittrich <frank.dittrich@...lbox.org>
To: john-dev@...ts.openwall.com
Subject: Wordlist mode ignoring lines that start with "#!comment" (was: Improving
 Johnny)

On 04/19/2015 09:06 PM, Solar Designer wrote:
> Calling it a vulnerability for that reason is overkill.  Otherwise we'd
> also have to call John's processing of "#!comment:" in wordlists a
> vulnerability, because someone may deliberately prefix their password
> with that string to avoid having it cracked specifically with John.

Currently, words starting with "#!comment" are ignored, the ':' is not
required.
Actually, I thought about it as a "vulnerability" for quite some time,
but so far I never mentioned my concerns.
During password cracking contests, there might be someone who tries to
exploit this.
May be the strncmp(cp, "#!comment", 9) should only be done at the top of
the word list, until you find a different word.
And for jumbo, loopback mode shouldn't skip "#!comment" words, either.

Frank

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ