Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 23 Apr 2007 23:33:05 +0400
From: Solar Designer <>
Subject: Re: Alternative candidate password generator

On Fri, Apr 20, 2007 at 10:46:26AM +0200, Simon Marechal wrote:
> It was supposed to be an open question. Right now I'm toying with
> password generators based on first order markovian filters, that seems
> to work better than -inc on two accounts:
> * find more passwords in a given time (got to test some more)

What data are you using to train your generator?  Is it real passwords?
Are you then running it against hashes of the _same_ passwords?  If so,
that test does not reflect real-world usage scenarios well.  I can apply
a trivial modification to the code in inc.c that would make it provide
excellent results on hashes of the same passwords that were used to
generate the .chr files, but obviously this is not what is desired.

What about the number of non-wordlist-crackable passwords found?  It was
my assumption that other cracking modes would be used along with (and
perhaps before) "incremental" mode, so its goal is to crack as many
_additional_ passwords as possible within a reasonable time.  If the
goal were different - to crack just as many passwords as possible - then
I could have it appear more efficient on its own, but it would be of
less use in practice.

> * work could easily be distributed

Is this not the case for "incremental" mode?

> But not as good for:
> * generating candidate passwords fast (although I'm sure that a bit of
> tweaking would help here)

This is probably a limitation of your implementation only.

> * working an indefinite amount of time

That's correct.  In fact, the trivial modification to inc.c that I've
mentioned would likely result in very similar behavior.

Alexander Peslyak <solar at>
GPG key ID: 5B341F15  fp: B3FB 63F4 D7A3 BCCC 6F6E  FC55 A2FC 027C 5B34 1F15 - bringing security into open computing environments

To unsubscribe, e-mail and reply
to the automated confirmation request that will be sent to you.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.