Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 21 Feb 2014 00:46:05 +0100
From: magnum <john.magnum@...hmail.com>
To: john-users@...ts.openwall.com
Subject: Re: Secure Mode for John

On 2014-02-21 00:25, Mark Butler wrote:
>> Date: Tue, 21 Jun 2005 16:28:29 -0400
>> From: Jim Brown <jpb@...shooter.v6.thrupoint.net>
>>
>> I've used john in an enterprise environment as a strong
>> password compliance tool and I've had these concerns:
>>
>> 1. The passwords are visibly displayed.
>> 2. The .pot file contains password data that can be displayed
>>     by running john at a later time.
>
> I would like to revisit the above. Ideally I would like a setting in
> john.conf to be able to turn on Secure Mode for john. I would envisage that
> when it is set, instead of john passing back the clear text password, it
> would pass back attributes of the password instead. Things like length,
> mode john is running in (Single crack [S], Wordlist [W], Incremental [I],
> External [E]) and the rule matched in that mode. eg: L8-W-R13 for a
> password 8 characters in length, cracked in Wordlist mode using rule 13.
> Hopefully all this information is available to john at the time the
> password is cracked.

Cool idea. We'd have the problem due to parallel buffering that the 
"current" rule might be ahead of what rule actually created the 
candidate that cracked a hash. We could give a rougher indication for 
those cases, eg. L8-W-R<=13 for your example, or L8-W-R=13 when certain.

> The flow on effect would be the .pot file would include the encrypted
> password with password attributes instead of the clear text password.

This might be fairly trivial. I'll put it on our to-do list.

> The advantages for me would be since no actual passwords are being stored
> or transmitted by john in this Secure Mode, then it would open the
> possibility to be able to run it in less secure environments, eg home.

Personally I would regard even bare hashes just as sensitive, I would 
not recommend taking them "home". But it's still a good idea.

magnum


Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ