Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 4 Jul 2007 00:33:46 +0100
From: "Larry Bonner" <>
Subject: Re: Incremental mode limited to 8 character words?

multi-core/parallel processing is one reason why a maxlength of 8 characters
isn't sufficient today.

also, on the arguement that jtr cracks passwords quicker, i never
understood this arg really..
what difference does it make if jtr finds a password of 6 characters in
length before
another tool going through the exact same sequence, except in different
order..ok, it finds it a little bit faster.

at the end of the day, both crackers will/should find passwords
is one password "weaker" than another?

define a weak password based on its arrangement...

for the sequence to process with:

as is done in passwords pro, you are only modifying the first byte and only
the first 4 byte "block" of input...
This has the advantage of allowing optimizations against poorly designed
algorithms used in hashing algorithms, such as MD4 used for NTLM1.

if you use the pp method when attacking ntlm1 up to 10 characters in length,
it is much faster than anything out there at the moment.

but i can't say what is best, i just have an opinion.

On 7/3/07, Frank Dittrich <> wrote:
> Tom Earp wrote:
> >i've seen that post about the 16 digit generation....but it doesn't
> really
> >help. modifying the source for that application reduces the character set
> >from the full set of printable characters to just numbers, so increasing
> >the output length keeps it within the "64 bit limit" as described in the
> >source
> >
> >from the source.......... (params.h)
> >
> >/*
> >* Charset parameters.
> >* Be careful if you change these, ((SIZE ** LENGTH) * SCALE) should fit
> >* into 64 bits.  You can reduce the SCALE if required.
> >*/
> >#define CHARSET_MIN                    ' '
> >#define CHARSET_MAX                    0x7E
> >#define CHARSET_SIZE                   (CHARSET_MAX - CHARSET_MIN + 1)
> >#define CHARSET_LENGTH                 8
> >#define CHARSET_SCALE                  0x100
> >
> CHARSET_MIN is space (0x20 = 32)
> CHARSET_MAX is the '~' character (0x7E = 126).
> (at least for ASCII)
> So you have (126 – 32 + 1) = 95 different characters.
> For max. password length 8, you have (95**8),
> ca. 6.634e+15 combinations.
> CHARSET_SCALE is 0x100 = 256.
> I didn't study the source, but since CHARSET_MAX is < 128,
> you might get away with CHARSET_SCALE=128, or 0x80.
> (If possible, I would not set  CHARSET_SCALE to a value which is
> not a power of 2, since I'd expect a performance impact otherwise.)
> 64bit means 2**64, which is about 1.845e+19.
> If you divide this value by (95**8),  you get 2780.555...
> If you divide that by 256, you'll get a value less than 11,
> meaning the 9th position of your password candidate cannot use
> all 95 different values required, and an overflow will occur.
> Even if you use 0x80 as CHARSET_SCALE, you only have 21 characters
> left for the 9th position.
> So your only choice is reducing the charset size.
> May be you don't have all the 95 characters from ' ' to '~' in your
> john.pot file.
> Set CHARSET_MIN to the min. char, e.g. ' ', and CHARSET_MAX to the
> max. character, e.g. '~'.
> Set  CHARSET_SCALE to 0x80.
> If you have not more than 80 different characters,
> you should be able to set CHARSET_LENGTH to 9.
> (80 ** 9) * 128 is about 1.172e+19, which is smaller than (2**64).
> For length 10, you can only use 51 different characters, and so on.
> When creating a new .chr file, john mentions the number of different
> characters used.
> >if i change charset_length to 16 and change nothing else, it compiles,
> but
> >then when i try to create a new .chr file i get the error "pow64of32()
> >overflow"
> >i have tried adjusting the charset_scale value to something lower, but it
> >had no effect and i still got the overflow error
> Yes, for length 16, you can probably use just 11 different
> characters.
> I don't now if you can reduce CHARSET_SCALE even more,
> a specially crafted john.pot file and an external mode.
> >if i implement an external mode in jtr, will it generate the words in a
> >simple brute-force way, or will it still do the business of creating
> better
> >combinations like it does with the incremental mode?
> It depends on the definition of your external mode, but that would be
> extremely hard to to.
> Why are you sure you need an incremental mode with password
> length > 8?
> If password length 9 is OK, you could combine the incremental mode
> (MinLength = MaxLength = 8) and an external mode which always
> appends the same character.
> (You could run one session which appends '1' to the passwords
> generated using incremental mode, another session which appends 2, ...
> Just check the frequency of last characters in your john.pot file for
> suitable candidates.
> >----- Original Message ----- From: "Frank Dittrich"
> Please don't top-post, and don't full-quote.
> (I know using hotmail doesn't produce reasonable mails either,
> but I try to avoid most of the usual problems caused by
> inappropriate MUAs, see
> OK, a mailing list is not usenet, but I think that similar "rules" apply.
> Frank
> _________________________________________________________________
> Express yourself instantly with MSN Messenger! Download today it's FREE!
> --
> To unsubscribe, e-mail and reply
> to the automated confirmation request that will be sent to you.

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.