Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sat, 12 Aug 2017 06:26:00 -0800
From: Royce Williams <royce@...ho.org>
To: john-users@...ts.openwall.com
Subject: Re: practical limits on password length?

Hey, Matt!

On Fri, Aug 11, 2017 at 4:50 PM, Matt Weir <cweir@...edu> wrote:

> That's a loaded question there ;p

Indeed! :)

> 1) There are hash specific character limits
>
> 2) There are rule limits
>
> 3) There are attack type (such as incremental) limits
>
> These three types while largely independent can combine in unexpected ways
> . Most of the time for items like incremental that largely doesn't matter.
> For example you aren't going to have much success brute forcing a 257 char
> password. Having the different formats max lengths easily listed would be
> nice though.

Fair points. In this case, I'd intended to try a straight wordlist
attack for my frivolous test.

> Now showing my ignorance, the value in Params.h I thought also had to do
> with the number of character types (aka non ASCII) for incremental mode. So
> I could be way off in my response ;p You might want to use --Markov mode
> instead if you are hitting the char type + length limit of Incremental.

I was naively following this advice from 2007, which still looked applicable:

http://www.openwall.com/lists/john-users/2007/01/28/1

... but I read it too fast. :/

Using Patrick's (informative!) suggestion downthread, I see:

Format label                         Raw-MD5-opencl
Max. password length                 18 [worst case UTF-8] to 55 [ASCII]

And now that I know what it's for, increasing CHARSET_LENGTH
(currently 24, used for incremental) is obviously not needed. :)

So I'll just test assuming that 55 is the max for ASCII for this format.

Royce

> On Friday, August 11, 2017, Royce Williams <royce@...ho.org> wrote:
>
> > What are the practical limits on password length? Are they docuumented
> > anywhere? I assume that some of them are attack- and/or format-specific?
> >
> > I read about changing params.h and generating a charset, so I decided to
> > frivolously specify 257 chars max as a test. Jumbo john compiled OK, but
> > the --make-charset has been running for an hour with no end in sight.

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ