Date: Thu, 23 Aug 2012 18:50:21 +0200 From: magnum <john.magnum@...hmail.com> To: john-dev@...ts.openwall.com Subject: Re: How should one select PLAINTEXT_LENGTH in a format On 2012-08-23 18:14, Lukas Odzioba wrote: > 2012/8/23 Claudio André <claudioandre.br@...il.com>: >> How do i choose a number to use as the maximum length of a plaintext >> password. 16, 24, 32, ...? >> >> Do you guys have a rule? Or, at least, advices? > > Technically it should be as big as you can make. However some formats > have specific optimizations for shorter passwords. I use something > like that (not always - mea culpa) > > - If you can handle looooooooong passwords, without speed drop for > shorter ones do it > - Today we should support at least 15chars, considering last crack me > if you can contest it is good to have 20+ > - On gpu's 15,31 usually works good because reads are nicely aligned > if you add one more byte to store lenght. > - It is good to have tests up to supported length. > - When you choose something it is good to make sure that your code can > really handle it - you can try add some tests to TS. I agree with everything, just want to add a couple of things: The max length that can currently be supported in JtR is 125 due to core limitations. And more important, sometimes there is an algorithm block size that gives a natural limit: For SHA-1, MD4 and MD5, the block size is 64 and passwords longer than 55 bytes need more than one call to the function. For SHA-2 I believe it's more than 125 so it's no issue. For Unicode/UCS-2 formats (NT) that size is obviously halfed, and that's exactly why NT (which is just a raw MD4 of password encoded in UCS-2) has a max length of 27. magnum
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.