Date: Fri, 29 Dec 2006 00:18:04 +0300
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: is it allowed to ask help to crack 1 or 2 HASH in this list ?

On Thu, Dec 28, 2006 at 10:10:08AM +0100, websiteaccess wrote:
> I have 1 or 2 HASH (raw-md5) that I can't crack (not enough processor
> power may be?, wrong wordlist, wrong rules ?).
> Can I post these HASH in this list and get some help ?

This issue was raised in here before. Here are a couple of responses:

http://www.openwall.com/lists/john-users/2006/10/13/4
http://www.openwall.com/lists/john-users/2006/10/14/1

I've also received similar responses via private e-mail.

Basically, no current subscriber to john-users (as of two and a half months ago) expressed any objections to postings of this kind, so I see no reason to disallow all of such postings just yet.

However, you also should not expect to get help - or at least not expect to have the hashes cracked for you. As one of the messages referenced above says, "I wouldn't post back the password if I found it" - and I find that just reasonable.

When you post in here, you need to consider how either your posting or expected responses help _other_ list members. If you ask an advanced question on how to use JtR, then any possible answers might be helpful to others as well. However, what use is a cracked password for who-knows-what (or for some specific resource that can't be legitimately accessed anyway and that is not relevant to the topic of this mailing list, for that matter)? Well, it can be of some limited use in some special cases, such as the one described here:

http://www.openwall.com/lists/john-users/2006/05/27/2

Apparently, some people find the hashes themselves to be of some limited use too (as a challenge or test material), but I guess this only works as long as we're not flooded with those hashes.

Oh, I've actually rejected a posting with an excerpt from a likely stolen password file with some easily crackable hashes. The message claimed that those hashes were hard to crack, which was not true. What do others think - should this kind of postings be allowed, too, such as to provide test material (although there's plenty of it available with Google if you use the right keywords)? Should the moderators bother to check whether the hashes are in fact not trivial to crack before accepting or rejecting a posting? I certainly don't expect to always have the time for that.

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: 5B341F15 fp: B3FB 63F4 D7A3 BCCC 6F6E FC55 A2FC 027C 5B34 1F15
http://www.openwall.com - bringing security into open computing environments

-- 
To unsubscribe, e-mail john-users-unsubscribe@...ts.openwall.com and reply
to the automated confirmation request that will be sent to you.