Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 13 Jun 2005 21:37:43 +0400
From: Solar Designer <>
Cc: Tim Newsham <>
Subject: Re: Cracking japanese passwords?

Hi Tim,

Sorry for the delayed response.  I am handling these in batches, as
you can see. ;-)

It's nice to see you post here.  It'd be even better if you also were
subscribed; it's not hard for me to copy you on this response knowing
that you are not on the list, but others wouldn't know.

On Mon, Jun 06, 2005 at 03:14:38PM -1000, Tim Newsham wrote:
> The idea is based on a realization that there arent very many
> japanese letters and they are usually represented by combinations
> of two or three roman letters.  Enumerating all possible combinations
> of these letters that results in unique strings up to 8 characters
> long should be fairly easy to do.  I count about 100 unique combinations
> that one, two or three characters long.  If you look at all 4-character
> combinations that is only 100^4, which is a very small space.

That's a good idea!

> So, how hard would it be to write John rules that would generate
> all combinations of up to four "words" taken from a wordlist of
> 100 items?

This doesn't fit into the wordlist rules concept well.

> Would it be better to write a custom generator for this?


> Does John have such hooks for adding generators?

John has support for so-called "external mode" where you'd write a
generate() function in a C-like language.  This works great for
enumerating combinations of characters, but the generate() function to
implement your idea would not look pretty (although it'd work) since
the language is lacking a string type (you'd have to deal with
individual characters, like you would in C with no pre-defined strings

Alternatively, if you don't mind messing with John source code, you
could implement a whole new cracking mode for Japanese passwords.
You can check out external.c: do_external_crack() and wordlist.c:
do_wordlist_crack() (and other functions in those source files) for
a couple of examples.

But it'd be easiest to implement your idea with an external script,
such as in Perl.  You'd feed the output of such a script into
"john --stdin ..." (if you do not require crash recovery) or you'd
save it in a file and use that as a wordlist.  For the numbers you've
provided above, the file size would be around 1 GB.

Now, an idea you might not have considered: place all possible
Japanese-like passwords into a fake john.pot, then use that to
generate a japanese.chr.  Then define a new "incremental" mode and use
that.  The new mode won't be limited to trying the passwords that were
generated (although most of these will be tried earlier than others),
but it'd also catch misspellings.

Any possible implementation of this would be a welcome contribution.


Alexander Peslyak <solar at>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598 - bringing security into open computing environments

Was I helpful?  Please give your feedback here:

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ