Date: Tue, 21 Jun 2005 16:28:29 -0400 From: Jim Brown <jpb@...shooter.v6.thrupoint.net> To: john-users@...ts.openwall.com Subject: Secure Mode for John Hi All, I've used john in an enterprise environment as a strong password compliance tool and I've had these concerns: 1. The passwords are visibly displayed. 2. The .pot file contains password data that can be displayed by running john at a later time. 3. john (and a large wordlist) will run forever. Ideally, all I want to know is if john can crack a password for an account in X time. If it can, the account password is held insecure and should be changed. Because of the above concerns, I've had to build a perl wrapper around john that reads john output (removing the password), continuously deletes the .pot file, and kills john after some variable time period. I'd be interested in hearing others thoughts on a mode for john that addresses the concerns- i.e. a 'safe mode'. * No passwords would be displayed, or stored at all. * Only account names would be output (with optional time-to-crack). * John dies after a configurable time period. Best Regards, Jim B.
Powered by blists - more mailing lists
Powered by Openwall GNU/*/Linux - Powered by OpenVZ