Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 17 Oct 2011 09:16:12 +0400
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: filter performances

On Sun, Oct 16, 2011 at 10:55:32PM -0400, Rich Rumble wrote:
> Would generating an "all.chr" for a policy4 be as good as perhaps
> filtering Rockyou/Gawker/Facebook/etc (real world).I guess before
> asking that I should of asked, if using a "policy" chr file would make
> enough difference in time, I can see it doing so at first, but would
> that "advantage" not mean more than 1-2 hours off in the end?

Generating a custom .chr file using the external filter for policy is a
good idea.  The filter would also need to be applied while cracking, but
the percentage of passwords that it rejects early on will be a lot
lower.  In the unlikely event that you let incremental mode run to
completion (without cracking all passwords any sooner), there shouldn't
be any reduction in total run time (but no slowdown either).  However,
obtaining some good speedup early on is highly desirable.

On the topic of password policies in general, I've just created:

http://openwall.info/wiki/john/policy

The tables on that wiki page show just how password policies that
require either at least N character classes or at least N characters of
each class affect the total keyspace for each length.

For example, for printable US-ASCII (95 different characters) and length 8,
requiring at least 3 character classes (out of four: digits, lowercase
letters, uppercase letters, and other characters) reduces the keyspace
by only 5.5% (so it is a reasonable thing to do).  However, requiring at
least 2 characters of each class (which for length 8 implies exactly 2
characters of each class) reduces the keyspace for length 8 by a factor
of 52.9 (which is almost as bad as making passwords one character
shorter) and for length 9 by a factor of 17.6.

There's a lot more data on the wiki page, and I've included my revised
program used to compute those numbers as well.

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.