Date: Mon, 26 Jun 2006 02:28:06 +0400 From: Solar Designer <solar@...nwall.com> To: john-users@...ts.openwall.com Subject: Re: faster scan for blowfish on OpenBSD 3.9 On Sun, Jun 25, 2006 at 04:13:38PM +1000, atstake atstake wrote: > I am using John 1.6.40 on OpenBSD 3.9 on a P-III 665MHz PC. My target > is to get the password of a single user which is in OpenBSD's blowfish > format. The password is 12 characters long and a combination of > [A-Za-z0-9] and meta-characters. Well, chances are that you won't get that password cracked within your lifetime unless either you know more information about the password (such as a part of it) or the password is in fact weak (e.g., just a dictionary word with a digit appended to it). > I also have a dictionary which is 50megs & john uses this as my default > dictionary. Since I haven't seen your wordlist, I do not know whether it is any good. You might have better luck letting John run the tiny password.lst with wordlist rules first. > guesses: 0 time: 0:01:46:53 0% (2) c/s: 57.35 trying: belurelsen This line indicates that John is at pass number 2 - that is, it's done with "single crack" mode and is now running through your wordlist. It has completed less than 1% of the wordlist-based cracking pass. > I ran it for about 3 hours with little luck. That's no surprise. > [Incremental:All] > File=/usr/local/share/john/all.chr > MinLen=11 > MaxLen=12 > CharCount=95 > > but john is not taking the MinLen as 11. As discussed on this mailing list before, that won't work. > Can john crack this password if I run it for long enough While you could set it up such that it would try all 12-character candidate passwords eventually, it is not going to actually complete a noticeable portion of that password space within your lifetime. > or should I try any other method? [...] > Is there anything else I should try to make the crack faster? While I could provide advice on restricting John to your known password length and such, that is not going to be enough to get the password cracked anyway. You really need to know more about the password - or you merely run John for a while to make sure that the password is not weak and then you give up. John is not supposed to crack all passwords. Instead, you use it to detect weak passwords. It sounds like this time you've got a strong password - and it is processed with a strong password hashing method. -- Alexander Peslyak <solar at openwall.com> GPG key ID: B35D3598 fp: 6429 0D7E F130 C13E C929 6447 73C3 A290 B35D 3598 http://www.openwall.com - bringing security into open computing environments Was I helpful? Please give your feedback here: http://rate.affero.net/solar -- To unsubscribe, e-mail john-users-unsubscribe@...ts.openwall.com and reply to the automated confirmation request that will be sent to you.
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.