Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 13 Aug 2015 21:09:06 +0300
From: Solar Designer <>
Subject: plaintext truncation

magnum, all -

I think that right now many JtR invocations are wasting lots of time
testing unlikely candidate passwords because of the silent truncation to
the maximum plaintext length supported by a given format, in cases where
that maximum isn't the same as the target system's.

I think we should enhance JtR to distinguish between two kinds of
truncation: that of the target system (e.g., with descrypt and LM) and
JtR-specific (e.g., with md5crypt).  In the former case, the default
behavior should be to silently truncate and test those candidate
passwords (like it's done now), whereas in the latter the default should
be to skip those candidates.  Maybe it should be possible to override
the default in the latter case - perhaps, with a config file setting (I
wouldn't expect it to be frequently needed)?

To implement this, we probably need to introduce a new format flag.
Should we call it FMT_TRUNC?  And what should it mean - target system's
truncation or JtR's truncation at a length below the target system's?
Or should we call it differently, to make this clear from the name?



Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.