Date: Mon, 26 Jun 2006 02:28:06 +0400
From: Solar Designer <>
Subject: Re: faster scan for blowfish on OpenBSD 3.9

On Sun, Jun 25, 2006 at 04:13:38PM +1000, atstake atstake wrote:
> I am using John 1.6.40 on OpenBSD 3.9 on a P-III 665MHz PC. My target
> is to get the password of a single user which is in OpenBSD's blowfish
> format. The password is 12 characters long and a combination of
> [A-Za-z0-9] and meta-characters.

Well, chances are that you won't get that password cracked within your
lifetime unless either you know more information about the password
(such as a part of it) or the password is in fact weak (e.g., just a
dictionary word with a digit appended to it).

> I also have a dictionary which is 50megs & john uses this as my default
> dictionary.

Since I haven't seen your wordlist, I do not know whether it is any
good.  You might have better luck letting John run the tiny password.lst
with wordlist rules first.

> guesses: 0  time: 0:01:46:53 0% (2)  c/s: 57.35  trying: belurelsen

This line indicates that John is at pass number 2 - that is, it's done
with "single crack" mode and is now running through your wordlist.  It
has completed less than 1% of the wordlist-based cracking pass.

> I ran it for about 3 hours with little luck.

That's no surprise.

> [Incremental:All]
> File=/usr/local/share/john/all.chr
> MinLen=11
> MaxLen=12
> CharCount=95
> but john is not taking the MinLen as 11.

As discussed on this mailing list before, that won't work.

> Can john crack this password if I run it for long enough

While you could set it up such that it would try all 12-character
candidate passwords eventually, it is not going to actually complete a
noticeable portion of that password space within your lifetime.

> or should I try any other method?
> Is there anything else I should try to make the crack faster?

While I could provide advice on restricting John to your known password
length and such, that is not going to be enough to get the password
cracked anyway.  You really need to know more about the password - or
you merely run John for a while to make sure that the password is not
weak and then you give up.

John is not supposed to crack all passwords.  Instead, you use it to
detect weak passwords.  It sounds like this time you've got a strong
password - and it is processed with a strong password hashing method.

Alexander Peslyak <solar at>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598 - bringing security into open computing environments
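The reply's point about the size of the password space can be checked with numbers from the thread. This is an added example, not part of the original message and not John the Ripper code: it parses the quoted status line and estimates the worst-case time to exhaust the `[Incremental:All]` settings shown (CharCount=95, lengths 11 to 12). It assumes the reported c/s stays constant and that the time field is days:hours:minutes:seconds; all function names are hypothetical.

```python
import re

# Constructed inputs: the status line and [Incremental:All] values quoted in the thread.
STATUS_LINE = "guesses: 0  time: 0:01:46:53 0% (2)  c/s: 57.35  trying: belurelsen"
CHAR_COUNT, MIN_LEN, MAX_LEN = 95, 11, 12
SECONDS_PER_YEAR = 365.25 * 24 * 3600

STATUS_RE = re.compile(
    r"guesses:\s*(?P<guesses>\d+)\s+"
    r"time:\s*(?P<d>\d+):(?P<h>\d+):(?P<m>\d+):(?P<s>\d+)\s+"
    r"(?:(?P<pct>\d+)%\s+)?(?:\((?P<pass_no>\d+)\)\s+)?"
    r"c/s:\s*(?P<cps>\d+(?:\.\d+)?)"
)

def parse_status(line):
    """Extract elapsed seconds, pass number and candidates/second from a status line."""
    m = STATUS_RE.search(line)
    if m is None:
        raise ValueError("not a recognised status line: %r" % line)
    elapsed = ((int(m["d"]) * 24 + int(m["h"])) * 60 + int(m["m"])) * 60 + int(m["s"])
    pass_no = int(m["pass_no"]) if m["pass_no"] else None
    return {"guesses": int(m["guesses"]), "elapsed_s": elapsed,
            "pass_no": pass_no, "cps": float(m["cps"])}

def keyspace(char_count, min_len, max_len):
    """Number of candidates of every length from min_len to max_len inclusive."""
    return sum(char_count ** n for n in range(min_len, max_len + 1))

def years_to_exhaust(candidates, cps):
    """Worst-case time to try every candidate at a constant rate, in years."""
    if cps <= 0:
        raise ValueError("c/s must be positive")
    return candidates / cps / SECONDS_PER_YEAR

def summarize(line=STATUS_LINE):
    """Combine the parsed rate with the configured keyspace."""
    st = parse_status(line)
    space = keyspace(CHAR_COUNT, MIN_LEN, MAX_LEN)
    tried = st["cps"] * st["elapsed_s"]  # candidates tested so far at this rate
    return {"status": st, "keyspace": space,
            "years": years_to_exhaust(space, st["cps"]),
            "fraction_covered": tried / space}

if __name__ == "__main__":
    r = summarize()
    print("pass %(pass_no)s, %(cps).2f c/s after %(elapsed_s)d s" % r["status"])
    print("keyspace for lengths %d-%d: %.3e" % (MIN_LEN, MAX_LEN, r["keyspace"]))
    print("worst-case exhaustive search: %.2e years" % r["years"])
    print("share covered in that time at this rate: %.1e" % r["fraction_covered"])
```
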
