Date: Tue, 21 Jun 2005 16:28:29 -0400
From: Jim Brown <jpb@...shooter.v6.thrupoint.net>
To: john-users@...ts.openwall.com
Subject: Secure Mode for John


Hi All,

I've used john in an enterprise environment as a strong
password compliance tool and I've had these concerns:

1. The passwords are visibly displayed.
2. The .pot file contains password data that can be displayed
   by running john at a later time.
3. john (and a large wordlist) will run forever.

Ideally, all I want to know is if john can crack a password
for an account in X time.  If it can, the account password
is held insecure and should be changed.


Because of the above concerns, I've had to build a perl wrapper
around john that reads john output (removing the password),
continuously deletes the .pot file, and kills john after some
variable time period.

I'd be interested in hearing others' thoughts on a mode for john
that addresses the concerns, i.e. a 'safe mode'.

 * No passwords would be displayed, or stored at all.
 * Only account names would be output (with optional time-to-crack).
 * John dies after a configurable time period.


Best Regards,
Jim B.
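A wrapper along the lines Jim describes (run john under a hard time limit, report account names and time-to-crack only, never echo or keep the password, delete the .pot file afterwards), written in Python as an added example. It is not Jim's perl script and not part of John the Ripper. It assumes john's cracked-line shape `<password>         (<account>)`, treats the list of informational line prefixes as a heuristic, and takes the john command line and pot file path from the caller (the `~/.john/john.pot` default in the usage stub is an assumption about the installation).

```python
"""Added example: a 'safe mode' wrapper for John the Ripper.

Runs john under a hard time limit, reports only WHICH accounts were cracked
(plus seconds until each was reported), never echoes or stores the password,
and deletes the pot file afterwards.  Not part of John or of the original
post; the john command line and pot path are supplied by the caller."""
import os
import re
import signal
import subprocess
import threading
import time

# John reports a cracked password as:   <password>         (<account>)
# The password group is non-greedy so a ')' inside the password still leaves
# the trailing "(account)" as the account.  Status lines without a trailing
# parenthesised field ("guesses: 1  time: 0:00:00:01 ...") do not match.
CRACKED_RE = re.compile(r"^(.*?)\s+\((.+)\)\s*$")

# Heuristic (assumption): informational lines that also end in "(...)",
# e.g. "Loaded 3 password hashes with 3 different salts (md5crypt [...])".
STATUS_PREFIXES = ("Loaded ", "Warning:", "Session ", "Remaining ",
                   "Press ", "Use the ", "No password hashes",
                   "Proceeding ", "Will run ")


def account_from_line(line):
    """Return the account named on a John 'cracked' line, else None.
    The password is matched by the regex but deliberately never returned."""
    line = line.rstrip("\n")
    if line.startswith(STATUS_PREFIXES):
        return None
    m = CRACKED_RE.match(line)
    return m.group(2) if m else None


def accounts_from_show_output(text):
    """Account names from 'john --show' output (account:password:...),
    ignoring the trailing 'N password hashes cracked, M left' summary."""
    accounts = []
    for line in text.splitlines():
        if ":" in line and not line.endswith(" left"):
            accounts.append(line.split(":", 1)[0])
    return accounts


def _kill_process_group(proc):
    """Kill john and anything it forked (the wrapper starts it in its own
    session, so the process group id equals proc.pid)."""
    try:
        os.killpg(proc.pid, signal.SIGKILL)
    except ProcessLookupError:
        pass


def run_john_safely(argv, timeout_seconds, pot_path):
    """Run argv (a full john command line) for at most timeout_seconds.

    Returns a list of (account, seconds_until_reported) tuples.  The pot
    file at pot_path is removed afterwards whether john finished, was
    killed, or raised.  Accounts in the result had their passwords
    cracked within the time limit and should be changed."""
    start = time.monotonic()
    proc = subprocess.Popen(argv, stdout=subprocess.PIPE,
                            stderr=subprocess.STDOUT, text=True,
                            start_new_session=True)
    killer = threading.Timer(timeout_seconds, _kill_process_group, [proc])
    killer.start()
    found = []
    try:
        # The pipe closes once john (and any children) have exited or been killed.
        for line in proc.stdout:
            account = account_from_line(line)
            if account is not None:
                found.append((account, round(time.monotonic() - start, 2)))
        proc.wait()
    finally:
        killer.cancel()
        if proc.poll() is None:
            _kill_process_group(proc)
            proc.wait()
        try:
            os.remove(pot_path)      # never leave cracked passwords on disk
        except FileNotFoundError:
            pass
    return found


if __name__ == "__main__":
    # Assumed invocation: adjust the john binary, wordlist and pot location.
    results = run_john_safely(
        ["john", "--wordlist=/usr/share/wordlists/words.txt", "shadow.txt"],
        timeout_seconds=3600,
        pot_path=os.path.expanduser("~/.john/john.pot"))
    for account, seconds in results:
        print("%s cracked after %.0fs: password must be changed" % (account, seconds))
```

The time recorded per account is when the line reached the wrapper, so it is only as precise as john's output buffering when writing to a pipe. Killing the whole process group rather than just the top pid matters when john forks worker processes; otherwise a child could keep the pipe open past the deadline. Parsing `john --show` output (`accounts_from_show_output`) is the less heuristic route when a post-run listing is acceptable, since there the account is always the first colon-separated field; but that listing needs the pot file, so delete it only after that step.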
