Date: Mon, 15 Aug 2005 10:07:03 +0400
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: policy enforcement (was: source)

Hi,

My apologies for leaving this without a response for so long.  Actually,
it would have been nice if other list subscribers took care of that. ;-)

On Thu, Jul 28, 2005 at 08:37:25AM +0000, ikbea wrote:
> I would like to have the source of "John the Ripper", where can I download?

At the homepage:

http://www.openwall.com/john/

Now, to the more reasonable question, which actually makes this worth a
response:

> Moreover, I would like to force password to obey rules:
> 1. password length should be more than 8
> 2. password should have at least two characters and two uppercases letters
> How to configure John the Ripper, so it can detect the password that are not
> obey the rules ?

[ I am assuming that the word "characters" refers to "non-letters and
non-digits". ]

While John the Ripper is a tool to detect weak passwords, you can't
reasonably make it check for passwords which would violate a policy such
as the above.

In order to detect _all_ passwords which happen to violate the policy
given above, John (or any other program) would have to search too large
a keyspace.  That would be all strings of up to 8 characters long, and in
addition to that all strings (of any "reasonable" length) that don't
contain uppercase letters or don't contain non-letters/digits or contain
exactly one uppercase letter or contain exactly one non-letter/digit.

Now, let's assume that our full character set consists of the 95
printable US-ASCII characters.  There are 26 lowercase and 26 uppercase
letters, 10 digits, and 33 other characters.  For the sake of simplicity,
let's count the number of possible 9-character-long passwords that don't
contain any uppercase letters:

(95 - 26) ** 9 = 35452087835576229

(I am using the Fortran notation for power to disambiguate with C's
meaning of the caret character.)

The total number of possible passwords all of which would be disallowed
under the above policy is way higher than that.

Now, let's assume John can try one million candidate passwords per
second (which is quite optimistic and ignores the likely presence of
salts).  At such a rate, it would take John over 400,000 years to try
just the 9-character no-uppercase passwords.

But this does not mean that John the Ripper is unable to crack such
passwords.  It may crack those which are weak -- that is, those which
fall into the more commonly used parts of the keyspace (word-based, with
mostly common characters or character combinations, etc.)

We can make two conclusions, both of which are valid:

1. John the Ripper, or password crackers in general, are not suitable
for _strict_ enforcement of password policies that are simple to express
in plain English.  (Exception: this may be done for Windows NT LM hashes
due to their small keyspace.  The same would apply to some other
extremely poorly designed password hashing methods.)

Rather, John the Ripper will detect passwords which _actually_ are weak
(that is, those which are likely to be easily cracked in an actual
attack), whether or not they satisfy a policy.

In order to _strictly_ enforce a typical policy, other tools should be
used.  pam_passwdqc is one such tool:

http://www.openwall.com/passwdqc/

If a reasonable policy is specified (or pam_passwdqc's defaults are used
with no changes), this will also ensure that over 99% of permitted
passwords are not easily crackable with John the Ripper and other tools.

2. The proposed policy is unreasonable.  It rejects too large a fraction
of the keyspace, while at the same time permitting passwords that don't
contain a single lowercase letter or digit (that is, that consist
exclusively of uppercase letters and non-letters/digits).  While those
permitted passwords aren't exactly common or weak, they are not as strong
as many of the passwords _rejected_ by the policy.

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929 6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments

Was I helpful?  Please give your feedback here: http://rate.affero.net/solar
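As an added illustration (not code from the post, nor from John the Ripper or pam_passwdqc), the following Python reproduces the no-uppercase keyspace count from the message and implements ikbea's proposed policy as a checker, using the message's reading of "characters" as non-letters/non-digits; the sample candidates are constructed, and show a long all-lowercase passphrase and a mixed-class password being rejected while an uppercase-plus-punctuation string is permitted.

```python
import string

# Character-class sizes for the 95 printable US-ASCII characters, as in the message.
PRINTABLE = 95
LOWER = 26
UPPER = 26
DIGITS = 10
OTHER = PRINTABLE - LOWER - UPPER - DIGITS  # 33 non-letters/non-digits (incl. space)

# The 33 "other" characters: 32 punctuation marks plus the space.
OTHER_CHARS = set(string.punctuation) | {" "}


def no_uppercase_keyspace(length: int) -> int:
    """Count printable-ASCII passwords of the given length with no uppercase letter.

    Every one of these is rejected by the proposed policy, so a cracker that
    wanted to flag them all would have to enumerate this entire set.
    """
    return (PRINTABLE - UPPER) ** length


def violates_proposed_policy(password: str) -> bool:
    """Return True if the password breaks any of ikbea's three rules:
    length > 8, at least two uppercase letters, at least two non-letters/non-digits.
    Assumes printable ASCII input.
    """
    uppers = sum(1 for c in password if c in string.ascii_uppercase)
    others = sum(1 for c in password if c in OTHER_CHARS)
    return len(password) <= 8 or uppers < 2 or others < 2


def classify(passwords):
    """Map each candidate to 'rejected' or 'permitted' under the proposed policy."""
    return {p: ("rejected" if violates_proposed_policy(p) else "permitted")
            for p in passwords}


# Constructed sample candidates (not from the original post).
SAMPLES = [
    "correct horse battery",  # long, no uppercase: rejected despite its length
    "Tr0ub4dor&3x!",          # four character classes, one uppercase: rejected
    "ABCD!!EFG",              # uppercase and punctuation only: permitted
]

if __name__ == "__main__":
    print(no_uppercase_keyspace(9))  # 35452087835576229, matching the message
    for pw, verdict in classify(SAMPLES).items():
        print(f"{verdict:9s} {pw}")
```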