Date: Fri, 29 Dec 2006 00:18:04 +0300
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: is it allowed to ask help to crack 1 or 2 HASH in this list ?

On Thu, Dec 28, 2006 at 10:10:08AM +0100, websiteaccess wrote:
>  I have 1 or 2 HASH (raw-md5) that I can't crack (not enough processor 
> power maybe?, wrong wordlist, wrong rules?).
>  Can I post these HASH in this list and get some help?

This issue was raised in here before.  Here are a couple of responses:

	http://www.openwall.com/lists/john-users/2006/10/13/4
	http://www.openwall.com/lists/john-users/2006/10/14/1

I've also received similar responses via private e-mail.

Basically, no current subscriber to john-users (as of two and a half
months ago) expressed any objections to postings of this kind, so I see
no reason to disallow all such postings just yet.  However, you also
should not expect to get help - or at least not expect to have the
hashes cracked for you.  As one of the messages referenced above says,
"I wouldn't post back the password if I found it" - and I find that just
reasonable.

When you post in here, you need to consider how either your posting or
expected responses help _other_ list members.  If you ask an advanced
question on how to use JtR, then any possible answers might be helpful
to others as well.  However, what use is a cracked password for
who-knows-what (or for some specific resource that can't be legitimately
accessed anyway and that is not relevant to the topic of this mailing
list, for that matter)?  Well, it can be of some limited use in some
special cases, such as the one described here:

	http://www.openwall.com/lists/john-users/2006/05/27/2

Apparently, some people find the hashes themselves to be of some limited
use too (as a challenge or test material), but I guess this only works
as long as we're not flooded with those hashes.

Oh, I've actually rejected a posting with an excerpt from a likely
stolen password file with some easily crackable hashes.  The message
claimed that those hashes were hard to crack, which was not true.  What
do others think - should this kind of posting be allowed, too, such as
to provide test material (although there's plenty of it available with
Google if you use the right keywords)?  Should the moderators bother to
check whether the hashes are in fact not trivial to crack before
accepting or rejecting a posting?  I certainly don't expect to always
have the time for that.

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: 5B341F15  fp: B3FB 63F4 D7A3 BCCC 6F6E  FC55 A2FC 027C 5B34 1F15
http://www.openwall.com - bringing security into open computing environments
