Date: Tue, 21 Jun 2005 16:28:29 -0400
From: Jim Brown <>
Subject: Secure Mode for John

Hi All,

I've used john in an enterprise environment as a strong 
password compliance tool and I've had these concerns:

1. The passwords are visibly displayed.
2. The .pot file contains password data that can be displayed
   by running john at a later time.
3. john (and a large wordlist) will run forever.

Ideally, all I want to know is if john can crack a password
for an account in X time.  If it can, the account password
is held insecure and should be changed.

Because of the above concerns, I've had to build a perl wrapper
around john that reads john output (removing the password),
continuously deletes the .pot file, and kills john after some
variable time period.

I'd be interested in hearing others' thoughts on a mode for john
that addresses the concerns, i.e. a 'safe mode'.

 * No passwords would be displayed, or stored at all.  
 * Only account names would be output (with optional time-to-crack).
 * John dies after a configurable time period.

Best Regards,
Jim B.
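The wrapper described above, written out in Python as an added example; it is not code from the original post, from Jim's perl script, or from John the Ripper. It assumes john is on PATH, prints each cracked entry on stdout as the password padded to 16 columns followed by " (account)", flushes stdout after every guess, and writes its pot file to a path the caller supplies; the hash file, pot path and time limit are parameters. Only account names and time-to-crack are reported, and the pot file is removed whether john finishes, is killed at the deadline, or the wrapper fails.

```python
"""Hypothetical 'safe mode' wrapper for john (added example, not code from
the original post or from John the Ripper).

Assumptions (not confirmed by the post): john is on PATH, prints each cracked
entry on stdout as the password padded to 16 columns followed by " (account)",
flushes stdout after each guess, and writes its pot file to the given path.
"""
import os
import re
import subprocess
import threading
import time

# A guess line looks like "secret123        (alice)".  The account name is the
# last parenthesised token on the line and is assumed to contain no whitespace
# (Unix login names do not); that rule also rejects status lines such as
# "Loaded 2 password hashes ... (Traditional DES [24/32 4K])".
_GUESS_RE = re.compile(r"^(?P<password>.*?)\s+\((?P<account>[^\s()]+)\)\s*$")

# Status output that must never be mistaken for a cracked entry.
_STATUS_PREFIXES = ("Loaded ", "Warning:", "Session ", "guesses:", "Proceeding",
                    "Press ", "Use the ", "Remaining ", "No password hashes")


def parse_guess(line):
    """Return the account name from a john guess line, or None for any other
    output.  The password is matched only to locate the account and is never
    returned or stored."""
    line = line.rstrip("\r\n")
    if line.startswith(_STATUS_PREFIXES):
        return None
    m = _GUESS_RE.match(line)
    return m.group("account") if m else None


def redact_output(lines, clock=None):
    """Turn a stream of john output lines into (account, seconds) pairs.
    'clock' is a callable returning elapsed seconds; by default it measures
    wall time from the first call, and a fake clock can be passed for tests."""
    started = time.monotonic()
    elapsed = clock or (lambda: time.monotonic() - started)
    cracked = []
    for line in lines:
        account = parse_guess(line)
        if account is not None:
            cracked.append((account, round(elapsed(), 1)))
    return cracked


def run_safe_mode(hash_file, pot_file, timeout_seconds, john_cmd="john"):
    """Run john on hash_file for at most timeout_seconds.  Only account names
    and time-to-crack are reported; the pot file is removed afterwards, even
    if john is killed at the deadline or the wrapper raises."""
    proc = subprocess.Popen([john_cmd, hash_file], stdout=subprocess.PIPE,
                            stderr=subprocess.STDOUT, text=True)
    # Kill john from a timer so the deadline holds even while readline() blocks.
    killer = threading.Timer(timeout_seconds, proc.kill)
    killer.start()
    try:
        cracked = redact_output(proc.stdout)
        proc.wait()
    finally:
        killer.cancel()
        # Plain unlink: on a journaling filesystem old contents may survive,
        # so keep the pot file on tmpfs or an encrypted volume if that matters.
        try:
            os.remove(pot_file)
        except FileNotFoundError:
            pass
    return cracked


if __name__ == "__main__":
    import sys
    # Usage: python safe_john.py HASH_FILE POT_FILE TIMEOUT_SECONDS
    hash_file, pot_file, limit = sys.argv[1], sys.argv[2], float(sys.argv[3])
    for account, seconds in run_safe_mode(hash_file, pot_file, limit):
        print(f"{account}: cracked after {seconds}s, password must be changed")
```

The parsing is the part that deserves care: john's status lines also end in a parenthesised group, so the wrapper rejects known status prefixes and requires the account token to contain no whitespace. A build that prints guesses in a different shape, or login names containing spaces, needs the regex adjusted.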
