Date: Mon, 24 Aug 2015 11:47:34 -0500
From: JimF <jfoug@....net>
To: john-dev@...ts.openwall.com
Subject: Re: New single mode rules

On Mon, 24 Aug 2015 11:34:50 -0500, JimF <jfoug@....net> wrote:

> On Mon, 24 Aug 2015 10:27:24 -0500, Frank Dittrich  
> <frank.dittrich@...lbox.org> wrote:
>
>> On 08/24/2015 04:55 PM, JimF wrote:
>>> # this is a good rule on larger sites where a user ID may already be used,
>>> # so a user simply appends numbers to create his loginID, but then uses the
>>> # login name he wanted as basis for password. Just strip off digits and treat
>>> # the base-word to some manipulation. These rules found from the Ashley
>>> # Madison leak.  Only adds about 30 tests and only to user names that have
>>> # digits contained within them, and cracks quite a few.
>>> /?d @?d
>>
>> Good rule when users are allowed to pick their own user name, but their
>> favorite name has already been used by someone else.
>> But I would require a min length that has to remain after removing the
>> digits.
>
> Frank, thanks for the suggestions.  How about this ruleset.  Note I also
> added : also, which if there is mixed case, it also uses the exact base in
> the mangling.
>
> /?d @?d >4
> /?d @?d >4 M [lc] Q
> @?D Q >4
> /?d M @?d >3 <* [:lc] $[0-9] Q
> /?d M @?d >2 <- [:lc] Q Az"12"
> /?d M @?d >1 [:lc] Q Az"123" <+
> /?d @?d >2 M [:lc] Q d <+
> (?a )?d /?d 'p Xpz0
> )?a (?d /?a 'p Xpz0
>
> I would like to get updates in, before committing to git again.  Your
> suggestions about length were great, as are the 3 new rules.

To get the ':' to not print dupes, I had to split them out.  This ruleset
does what I expected the above to do.

/?d @?d >4
@?D Q >4
/?d @?d >4 M [lc] Q
/?d @?d >3 <* $[0-9] Q
/?d @?d M >3 <* [lc] Q $[0-9]
/?d @?d >3 <- Az"12" Q
/?d @?d M >3 <- [lc] Q Az"12"
/?d @?d >3 Az"123" Q <+
/?d @?d M >3 [lc] Q Az"123" <+
/?d @?d >2 d Q <+
/?d @?d >2 M [lc] Q d<+
(?a )?d /?d 'p Xpz0
)?a (?d /?a 'p Xpz0
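
Added example, not part of the original message and not John the Ripper code: a password-change check that rejects passwords derivable from the login name in the way the ruleset above describes. The function names are hypothetical, the logic is an approximation based on a reading of the rules, and the max-length checks (`<*`, `<-`, `<+`) are ignored.

```python
DIGITS = "0123456789"

def _is_alpha(c):
    return c.isascii() and c.isalpha()          # JtR class ?a

def login_derived_candidates(login):
    """Approximate the candidate passwords the ruleset derives from a login."""
    out = set()
    if not any(c in DIGITS for c in login):     # /?d : login must contain a digit
        return out
    base = "".join(c for c in login if c not in DIGITS)   # @?d : purge digits
    digits = "".join(c for c in login if c in DIGITS)     # @?D : keep digits only
    forms = {base, base.lower(), base.capitalize()}       # as-is, l, c
    if len(base) > 4:                           # >4 : bare base word
        out |= forms
    if len(digits) > 4 and digits != login:     # @?D Q >4
        out.add(digits)
    if len(base) > 3:                           # >3 : $[0-9], Az"12", Az"123"
        for f in forms:
            out |= {f + d for d in DIGITS} | {f + "12", f + "123"}
    if len(base) > 2:                           # >2 : d (duplicate the word)
        out |= {f + f for f in forms}
    # Last two rules: rotate the login at its first digit (or first letter).
    if _is_alpha(login[0]) and login[-1] in DIGITS:
        p = next(i for i, c in enumerate(login) if c in DIGITS)
        out.add(login[p:] + login[:p])
    if login[0] in DIGITS and _is_alpha(login[-1]):
        p = next(i for i, c in enumerate(login) if _is_alpha(c))
        out.add(login[p:] + login[:p])
    return out

def is_login_derived(login, password):
    """True if the password should be refused for this login."""
    return password in login_derived_candidates(login)

if __name__ == "__main__":
    # Constructed sample inputs, not taken from any leak.
    samples = [("frank1985", "Frank12"), ("frank1985", "1985frank"),
               ("bob42", "bob"), ("frank1985", "unrelated-passphrase")]
    for login, pw in samples:
        verdict = "reject" if is_login_derived(login, pw) else "ok"
        print(f"{login:10} {pw:22} {verdict}")
```
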
