Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 01 Jun 2015 01:34:30 +0200
From: Marek Wrzosek <marek.wrzosek@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: Bleeding jumbo now defaults to UTF-8

W dniu 01.06.2015 o 00:44, magnum pisze:
> On 2015-05-31 16:09, Marek Wrzosek wrote:
>> Let's summarize what have changed. Before defaulting to UTF-8 in
>> john.pot were plain-texts and there was possible to use many encodings
>> in one wordlist. Moreover plain-texts were known, but information about
>> human-readable form of passwords was gone. After change john can use
>> only single-encoding wordlists, stores human-readable passwords in
>> john.pot, but plain-texts are gone and one will need to repeat cracking
>> passwords using many different target encodings. Just defaulting to
>> UTF-8 have solved some issues but have created new ones.
> 
> True. How often is the new defaults a problem IRL though? If you audit a
> system it will likely have just one encoding and you should have a good
> idea which is is.
> 
> magnum
> 
Can you guarantee that on some audited system that runs an Internet
service that is used by people from all over the world and they were
using different operating systems, they speak different languages and
still all passwords have just one encoding? It could be true today. But
was it true in the past?
For systems with mixed encodings old jumbo would crack all encodings
using e.g. all.lst on one run. New jumbo will need several runs and all
e.g. ASCII-only passwords will be repeated.
But if this is a problem of the past, let's leave it in the past.

Best Regards
-- 
Marek Wrzosek
marek.wrzosek@...il.com

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.