Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 6 Feb 2006 12:28:57 +0300
From: Solar Designer <>
Subject: Re: Incremental Alpha Quagmire

On Mon, Feb 06, 2006 at 12:43:33AM -0800, Arias Hung wrote:
> [Incremental:my]
> File = $JOHN/my.chr
> MinLen = 8
> MaxLen = 8
> CharCount = 52
> Yet when I now attempt to use this to crack the passwords:
> $ ./john -i=my passwd
> Loaded 1 password hash (Traditional DES [64/64 BS MMX])
> Warning: only 14 characters available
> I still get that warning despite adding the Charcount in the john.conf file?!

Indeed.  John has no idea what those missing 38 characters are.  You
know that you wanted to use other letters, but John doesn't.  You need
to use "Extra = ..." to list the specific characters you want added -
but they will be considered less common than those seen in your sample
passwords.  This may or may not be the case, depending on where the
passwords on the target system came from.

If you want other characters to be considered reasonably probable, you
need to add more password samples (possibly fake ones) to your john.pot.
If you do that, please don't forget that John takes character positions
into account.  So


will not be exactly the same as:


Oh, and if you're going to be restricting John to 8-character long
passwords, you really don't want it to consider all characters equally
probable.  Just do some simple math:

(52 ** 8) / 86400 / 1000000 / 2 = 309

This means that at an effective rate of 1M c/s, you will be getting
roughly one password cracked per year.

So if the target system derives passwords of this form using a
cryptographically strong random number generator, John is out of luck.

John's only hope is that the characters are in fact _not_ equally
probable - which can be the case if the RNG is not cryptographically
strong or if the passwords were chosen by human beings (subject to
restrictions, which has resulted in weird passwords like that).
Looking at the two passwords which you've provided (if they are real
ones), I suspect that the latter is the case.

Alexander Peslyak <solar at>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598 - bringing security into open computing environments

Was I helpful?  Please give your feedback here:

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.