Date: Wed, 04 Jul 2007 08:00:23 +0200
From: "Frank Dittrich" <>
Subject: Re: Incremental mode limited to 8 character words?

Larry Bonner wrote:
>multi-core/parallel processing is one reason why a maxlength of 8 
>characters isn't sufficient today.

No, that's not a good reason. Why should it be?
A valid reason would be password algorithms and/or
system configurations which force password length > 8,
because then, john's incremental mode wouldn't be
If you have 2 processors, you could run two sessions,
one cracking from MinLength = 1 to MaxLength = 7,
the other uses MinLength 8 and MaxLength = 8.
If you have more cores, you could also split the hashes
grouped by salts (*after* running --single mode).

>also, on the argument that jtr cracks passwords quicker, i never 
>understood this arg really.. what difference does it make if jtr finds a 
>password of 6 characters in length before another tool going through the 
>exact same sequence, except in different order..ok, it finds it a little 
>bit faster.

Or, it never gets there.

>at the end of the day, both crackers will/should find passwords 
>is one password "weaker"
>than another?

You are assuming you will be able to search the complete
key space in a reasonable time.
This is only true for poorly designed password hash
Even if you assume you can try one million passwords per
second (which isn't true for many of the algorithms
supported by john), you'll probably not be able to
search the complete key space.
Assume 95 different characters.
Just considering password length 8, we get
(95 ** 8), which is 6.63+e15.
At a speed of 1 million passwords per second, we need
6.63+e9 seconds, or 210 years to try the complete key
I'm sure almost any password will be of little use
after 210 years.
And if you have salted hashes, you'd have to multiply
the time by the number of different salts.

>define a weak password based on its arrangement...
>for the sequence to process with: AAA BAA CAA

Weak passwords are those an attacker can find in a
reasonable time.
All passwords with a length of 3 are weak, IMO.

If you can just try a small fraction of the key space,
the order in which you try the candidates becomes important.
What's the point of looking for weak passwords in poorly
designed hash algorithms?
Just force the admin or your vendor to implement or (re-)use
a better password hash algorithm.
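
An added illustration of the key-space arithmetic and the ordering argument in the message above; it is not part of the original post and it is not John the Ripper's incremental-mode algorithm. The "common first" character set, the odometer-style enumeration and the sample passwords are constructed assumptions.

```python
import string

RATE = 1_000_000                 # guesses per second, the figure used in the post
YEAR = 365 * 24 * 3600           # seconds
FULL = "".join(chr(c) for c in range(32, 127))     # the 95 printable ASCII chars
COMMON = string.ascii_lowercase + string.digits    # constructed "try first" set


def odometer_rank(password, charset):
    """1-based position of `password` among all strings of its length over
    `charset`, enumerated with the last character cycling fastest."""
    index = 0
    for ch in password:
        index = index * len(charset) + charset.index(ch)
    return index + 1


def staged_rank(password):
    """Position when the COMMON-only candidates are tried before the rest.
    The second stage simply walks FULL again, so for passwords outside
    COMMON this is an upper bound (stage-1 candidates get retried)."""
    if all(ch in COMMON for ch in password):
        return odometer_rank(password, COMMON)
    return len(COMMON) ** len(password) + odometer_rank(password, FULL)


def years(guesses, salts=1, rate=RATE):
    """Time to spend `guesses` attempts on each of `salts` distinct salts."""
    return guesses * salts / rate / YEAR


def compare(password, salts=1):
    """Years until `password` is reached under each model."""
    return {
        "plain order": years(odometer_rank(password, FULL), salts),
        "common first": years(staged_rank(password), salts),
        "whole key space": years(len(FULL) ** len(password), salts),
    }


if __name__ == "__main__":
    for pw in ("monkey12", "Monkey1!"):            # constructed sample passwords
        for label, y in compare(pw).items():
            print(f"{pw}  {label:>15}: {y:8.3f} years")
```

For an 8-character password made only of lowercase letters and digits, the two orderings differ by years versus weeks at the same guess rate, and the `salts` argument scales every figure linearly.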

