Date: Wed, 04 Jul 2007 08:00:23 +0200
From: "Frank Dittrich" <frank_dittrich@...mail.com>
To: john-users@...ts.openwall.com
Subject: Re: Incremental mode limited to 8 character words?

Larry Bonner wrote:

>multi-core/parallel processing is one reason why a maxlength of 8
>characters isn't sufficient today.

No, that's not a good reason. Why should it be?

A valid reason would be password algorithms and/or system configurations which force password length > 8, because then john's incremental mode wouldn't be useful.

If you have 2 processors, you could run two sessions, one cracking from MinLength = 1 to MaxLength = 7, the other uses MinLength = 8 and MaxLength = 8.

If you have more cores, you could also split the hashes grouped by salts (*after* running --single mode).

>also, on the argument that jtr cracks passwords quicker, i never
>understood this arg really.. what difference does it make if jtr finds a
>password of 6 characters in length before another tool going through the
>exact same sequence, except in different order..ok, it finds it a little
>bit faster.

Or, it never gets there.

>at the end of the day, both crackers will/should find passwords anyway..how
>is one password "weaker"
>than another?

You are assuming you will be able to search the complete key space in a reasonable time. This is only true for poorly designed password hash algorithms.

Even if you assume you can try one million passwords per second (which isn't true for many of the algorithms supported by john), you'll probably not be able to search the complete key space.

Assume 95 different characters. Just considering password length 8, we get (95 ** 8), which is 6.63e+15. At a speed of 1 million passwords per second, we need 6.63e+9 seconds, or 210 years to try the complete key space. I'm sure almost any password will be of little use after 210 years.

And if you have salted hashes, you'd have to multiply the time by the number of different salts.

>define a weak password based on its arrangement...
>
>for the sequence to process with: AAA BAA CAA

Weak passwords are those an attacker can find in a reasonable time. All passwords with a length of 3 are weak, IMO.

If you can just try a small fraction of the key space, the order in which you try the candidates becomes important.

What's the point of looking for weak passwords in poorly designed hash algorithms? Just force the admin or your vendor to implement or (re-)use a better password hash algorithm.

Frank
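The key-space arithmetic above (95 characters, length 8, one million guesses per second, salts multiplying the work) and the suggested split into a 1-7 session and an 8-only session can be checked with a short calculation. The following is an added example and is not code from the thread, from Frank, or from John the Ripper; it assumes 95 printable ASCII characters, a 365.25-day year, and a constructed guess rate of 1e6/s, and it generalises the message's single figure to an arbitrary length range and to the per-session workload of a length-based split.

```python
# Added example (not from the mailing-list thread or from John the Ripper):
# estimate how much of a character-based key space a guessing budget covers,
# and how evenly a length-based split of the work comes out.

SECONDS_PER_YEAR = 365.25 * 24 * 3600  # assumption: Julian year


def keyspace(alphabet_size, min_len, max_len):
    """Number of candidate passwords with lengths min_len..max_len inclusive."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def seconds_to_exhaust(candidates, rate_per_second, salts=1):
    """Wall-clock seconds to try every candidate against every distinct salt.

    With salted hashes each candidate must be hashed once per salt, so the
    work multiplies by the number of distinct salts (as the thread notes).
    """
    return candidates * salts / rate_per_second


def years_to_exhaust(candidates, rate_per_second, salts=1):
    return seconds_to_exhaust(candidates, rate_per_second, salts) / SECONDS_PER_YEAR


def split_by_length(alphabet_size, ranges):
    """Work share of each session when sessions are split by length range.

    ranges: list of (min_len, max_len) tuples, one per session.
    Returns a list of (min_len, max_len, candidates, fraction_of_total).
    """
    sizes = [keyspace(alphabet_size, lo, hi) for lo, hi in ranges]
    total = sum(sizes)
    return [(lo, hi, n, n / total) for (lo, hi), n in zip(ranges, sizes)]


if __name__ == "__main__":
    alphabet = 95          # printable ASCII (assumption)
    rate = 1_000_000       # constructed guess rate, as in the thread

    n8 = keyspace(alphabet, 8, 8)
    print(f"length 8 only: {n8:.3e} candidates, "
          f"{years_to_exhaust(n8, rate):.1f} years at {rate:,}/s")

    # Ten distinct salts multiply the time tenfold.
    print(f"same with 10 salts: {years_to_exhaust(n8, rate, salts=10):.0f} years")

    # The two-session split from the thread: lengths 1-7 vs. length 8.
    for lo, hi, n, share in split_by_length(alphabet, [(1, 7), (8, 8)]):
        print(f"session {lo}-{hi}: {n:.3e} candidates ({share:.2%} of the work)")
```

Running the script reproduces the 6.63e+15 candidates and roughly 210 years from the message; it also shows that the proposed split is far from balanced, since the whole 1-7 range is only about one ninety-fourth of the length-8 space, so the second session does almost all of the work. Splitting by salt, as the message also suggests, divides the work more evenly.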