Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 29 Jun 2015 12:17:37 -0400
From: Alain Espinosa <alainesp@...ta.cu>
To: john-dev@...ts.openwall.com
Subject: RE: Using Probabilistic Context Free Grammars (Was
 precomputed attacks)



-------- Original message --------
From: Matt Weir <cweir@...edu> 
Date:06/29/2015 11:09 AM (GMT-05:00) 
To: john-dev@...ts.openwall.com 
Cc: 
Subject: [john-dev] Using Probabilistic Context Free Grammars (Was precomputed attacks) 

...Now for the downsides. The overhead is pretty high so against fast hashes the increase in precision isn't worth the slower guessing rate. Also the grammar is imprecise enough that against really slow hashes hand written mangling rules still are the way to go. So it currently performs best against medium speed hashes.

I read your Dissertation, is very interesting. The main downside for me is that PCFG is not easily parallelizable so no GPU for it.

I also find your performance comparison unfair given that you don't take into account implementation speed (this is a very common problem in papers talking about password generation). For example if brute force is 4x faster than incremental we need to test it with 4x bigger tries, so we had the same time spent in each attack.

One thing that wake my interest is entropy calculation. One way to view this is that 10 characters passwords are only 4.8x stronger that 8 character password. Given my experience I was expecting more, or perhaps I was too used to contest hashes.

Regards, 
Alain




Content of type "text/html" skipped

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.