Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 21 May 2013 11:27:03 +1000
From: Michael Samuel <mik@...net.net>
To: john-users@...ts.openwall.com
Subject: Re: Random passwords with modulo bias

I've been doing some audits of random password generators, and so far
have not found any that have both a secure entropy source and avoid
modulo bias. (I haven't looked at pwqgen yet)

In a few cases the authors have taken me to task, wanting exact
numbers on how much worse their random passwords are.  I was hoping
somebody had done a good write-up on this (preferably as a powerpoint
that I could just point them to).

On 21 May 2013 09:31, Solar Designer <solar@...nwall.com> wrote:
> On Tue, May 21, 2013 at 08:44:36AM +1000, Michael Samuel wrote:
>> I was wondering if JtR can be tuned to attack random passwords where
>> the random password generator is known and has modulo bias?
>
> Yes.  The easiest way is to train its incremental mode on a large set of
> such passwords.
>
>> I've been having trouble finding papers/talks on the subject, which
>> surprised me.
>
> I guess the issue is considered too simple by those who are aware of it,
> and the rest would not write/talk about it because they're unaware of it.
>
> Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.