Date: Thu, 23 Aug 2012 18:50:21 +0200
From: magnum <>
Subject: Re: How should one select PLAINTEXT_LENGTH in a format

On 2012-08-23 18:14, Lukas Odzioba wrote:
> 2012/8/23 Claudio André <>:
>> How do I choose a number to use as the maximum length of a plaintext
>> password? 16, 24, 32, ...?
>> Do you guys have a rule? Or, at least, advice?
> Technically it should be as big as you can make. However some formats
> have specific optimizations for shorter passwords. I use something
> like that (not always - mea culpa)
> - If you can handle looooooooong passwords, without speed drop for
> shorter ones do it
> - Today we should support at least 15 chars; considering the last Crack Me
> If You Can contest, it is good to have 20+
> - On GPUs 15, 31 usually work well because reads are nicely aligned
> if you add one more byte to store the length.
> - It is good to have tests up to the supported length.
> - When you choose something it is good to make sure that your code can
> really handle it - you can try adding some tests to TS.

I agree with everything, just want to add a couple of things: The max
length that can currently be supported in JtR is 125 due to core
limitations. And more important, sometimes there is an algorithm block
size that gives a natural limit: For SHA-1, MD4 and MD5, the block size
is 64 and passwords longer than 55 bytes need more than one call to the
function. For SHA-2 I believe it's more than 125 so it's no issue. For
Unicode/UCS-2 formats (NT) that size is obviously halved, and that's
exactly why NT (which is just a raw MD4 of password encoded in UCS-2)
has a max length of 27.
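
The single-block limits quoted in the message above (55 bytes for MD4/MD5/SHA-1, 27 characters for NT), worked through as an added example that is not part of the original post or of JtR's code: it applies the standard padding (a 0x80 marker plus a 64-bit bit length) and counts the 64-byte blocks a password needs. The function names and the constructed sample password are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_SIZE 64   /* MD4, MD5 and SHA-1 block size in bytes */
#define LEN_FIELD   8   /* 64-bit message bit length stored at the end */
#define MAX_KEY   125   /* JtR core limit quoted in the message */

/* Pad msg (len bytes) into out and return the number of 64-byte blocks,
 * i.e. compression-function calls. The length is stored little-endian as
 * in MD4/MD5; SHA-1 stores it big-endian, the block count is the same. */
static size_t md_pad(const uint8_t *msg, size_t len, uint8_t *out)
{
    size_t total = ((len + 1 + LEN_FIELD + BLOCK_SIZE - 1) / BLOCK_SIZE) * BLOCK_SIZE;
    uint64_t bits = (uint64_t)len * 8;
    memset(out, 0, total);
    memcpy(out, msg, len);
    out[len] = 0x80;                       /* mandatory 1-bit marker */
    for (int i = 0; i < LEN_FIELD; i++)    /* bit length in the last 8 bytes */
        out[total - LEN_FIELD + i] = (uint8_t)(bits >> (8 * i));
    return total / BLOCK_SIZE;
}

/* Blocks needed for a password of nchars characters when each character
 * occupies bytes_per_char bytes (1 = raw 8-bit, 2 = UCS-2 as in NT). */
size_t blocks_for_password(size_t nchars, size_t bytes_per_char)
{
    uint8_t key[MAX_KEY * 2] = {0}, padded[MAX_KEY * 2 + 2 * BLOCK_SIZE];
    size_t len = nchars * bytes_per_char;
    for (size_t i = 0; i < nchars; i++)
        key[i * bytes_per_char] = 'a';     /* constructed sample password */
    return md_pad(key, len, padded);
}

/* Largest password length (in characters) that still fits in one block. */
size_t max_single_block_chars(size_t bytes_per_char)
{
    size_t n = 0;
    while (n < MAX_KEY && blocks_for_password(n + 1, bytes_per_char) == 1)
        n++;
    return n;
}

int main(void)
{
    printf("8-bit: %zu chars, UCS-2: %zu chars\n", max_single_block_chars(1), max_single_block_chars(2));
    return 0;
}
```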

