Date: Fri, 1 Jul 2005 17:23:09 +0000 (UTC)
From:  Ikari <deug1a@...oo.fr>
To: john-users@...ts.openwall.com
Subject:  Re: understanding the encryption method

Lyn Scott <lindey_scott@...> writes:

> Hi all,
> 
> I have an OpenUnix 8.0.0 box and I am trying to check
> the /etc/shadow. I have a user (e.g. something like
> this: user_1:ThnJx./KPgulI), so am I right if I suppose
> that crypt/DES is used ('cause the string is 13 chars
> long, with Th as my salt)? When I check the john.pot it
> gives me a result for my user_1 (e.g. my_passw). But
> my real password for user_1 is not my_passw but
> my_passwd. So how can you use john for passwords longer
> than 8 chars (using crypt/DES)?
> I have another question... I have another Linux box
> (Suse9.2). The /etc/shadow is encrypted using BlowFish.
> How can I recognize if the password is encrypted using
> BlowFish or DES?
> 
> thx in advance

Hello,

Concerning your first question: generally, old systems like the OpenUnix you're quoting use the old DES encryption scheme, which limits the size of the password to 8 characters. So even if you enter a 15-character-long password it will automatically be truncated to 8 characters by the system, and only those 8 characters are then encrypted.

So don't worry, john has found the right password. Anyway, to go further on this question: on systems using schemes like MD5, Blowfish... passwords can be longer, and to tell john to go beyond 8 chars you'll have to modify one or more sections of john.ini to set the max password length not to 8 but to whatever you want. Anyway, I don't think you'll find a password longer than 8 unless you know part of it...

Concerning your second question: when you supply the password file to john it should automatically tell you which crypt scheme has been used. Furthermore, to distinguish DES from Blowfish: Blowfish-encrypted passwords are generally a very long string with one or several $ at the beginning of the string.

I hope this answer helps you.

See you.

Ikari.
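An added example, not part of the thread and not John the Ripper's own code: a small Python audit that classifies each /etc/shadow hash field by its form (the traditional 13-character DES string versus the "$"-prefixed MD5, Blowfish and SHA forms the reply describes), reports the DES salt and how many password characters each scheme actually uses, and shows why my_passw and my_passwd collide under DES. The sample shadow lines are constructed; only user_1's hash is the one quoted in the question, and the bcrypt 72-byte limit is a known property of that scheme rather than something the thread states.

```python
import re

# Constructed sample /etc/shadow lines for hypothetical accounts. user_1 carries the
# 13-character DES hash quoted in the question; the other hashes are made up and only
# show the "$id$" prefix each scheme uses.
SAMPLE_SHADOW = """\
user_1:ThnJx./KPgulI:12965:0:99999:7:::
user_2:$2a$05$c3RyaW5nb2Ztb2NrYmNyeXB0c2FsdHN0cmluZ2FiY2RlZmdoaWprbG1u:12965:0:99999:7:::
user_3:$1$saltsalt$abcdefghijklmnopqrstuv:12965:0:99999:7:::
locked:!:12965:0:99999:7:::
nopass::12965:0:99999:7:::
"""

# Modular-crypt prefixes and the scheme each denotes. Traditional DES crypt has no
# prefix: exactly 13 characters of [./0-9A-Za-z], the first two being the salt.
_PREFIXES = {"$1$": "md5crypt", "$2$": "bcrypt", "$2a$": "bcrypt", "$2b$": "bcrypt",
             "$2y$": "bcrypt", "$5$": "sha256crypt", "$6$": "sha512crypt"}
_DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

def identify_scheme(hash_field):
    """Return (scheme, max_effective_len, salt). max_effective_len is how many
    password characters the scheme really uses: 8 for DES, 72 bytes for bcrypt,
    None for unlimited or for fields that are not a hash at all."""
    if hash_field == "":
        return ("empty", None, None)      # no password required
    if hash_field[0] in "!*":
        return ("disabled", None, None)   # locked account or no valid hash
    for prefix, name in _PREFIXES.items():
        if hash_field.startswith(prefix):
            return (name, 72 if name == "bcrypt" else None, None)
    if _DES_RE.match(hash_field):
        return ("des", 8, hash_field[:2])
    return ("unknown", None, None)

def audit_shadow(text):
    """Map each user in shadow-format text to identify_scheme() of its hash field."""
    result = {}
    for line in text.splitlines():
        if line.strip():
            user, hash_field = line.split(":", 2)[:2]
            result[user] = identify_scheme(hash_field)
    return result

def same_under_des(pw_a, pw_b):
    """True when DES crypt cannot distinguish the two passwords (same first 8 chars)."""
    return pw_a[:8] == pw_b[:8]
```

Any account the audit reports as "des" has an 8-character effective password and is a candidate for migration to one of the "$"-prefixed schemes.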