Date: Wed, 28 May 2008 05:15:10 +0400
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: 15 characters

On Tue, May 27, 2008 at 08:28:28PM -0400, bofh wrote:
> Any ideas what
>
> A-Z
> a-z
> 0-9
> !@...^*()
>
> would take at 10 and 12 characters?

Can't you do some math on your own?

Anyway, at 10M c/s, your 71 different characters at lengths up to 10 will take over 10 thousand years. Average time to get a password hash cracked by naive brute-force search may be on the order of 5-6 thousand years. This is why you just should not go for that approach for these character sets and lengths.

> How difficult would that be to implement?

It's trivial. Just take the DumbForce external mode from the posting I referred to and modify init() accordingly.

> I'm not really looking at cracking an entire password file, I'm
> more of looking at proving a point to some business folks.

You should look for a different way to prove it - not by going for exhaustive search over a certain character set and range of lengths. Perhaps there are plenty of weak passwords, despite their length.

JtR is not supposed to crack every single password in a reasonable amount of time. This is why it makes sense to detect and eliminate weak passwords.

Also, you've never mentioned the hash type you're dealing with, although it is very relevant and might affect my advice.

Alexander
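
The arithmetic behind the estimate above, as an added example that is not part of the original message. It takes the 71-character set and the 10M c/s rate from the post; the function names and the Julian-year constant are assumptions of the example. It goes beyond the post's length-10 figure by also covering length 12 and the expected time for a password of exactly a given length when shorter lengths are searched first.

```python
# Added example: exhaustive-search time estimates for a fixed character set.
# Charset size (71) and rate (10M c/s) come from the post; everything else
# here (names, year length) is an assumption of this example.

SECONDS_PER_YEAR = 365.25 * 24 * 3600  # Julian year


def keyspace(charset_size, length):
    """Number of candidates of exactly `length` characters."""
    return charset_size ** length


def cumulative_keyspace(charset_size, max_length):
    """Number of candidates of every length from 1 up to `max_length`."""
    return sum(keyspace(charset_size, n) for n in range(1, max_length + 1))


def worst_case_years(charset_size, max_length, rate):
    """Years to try every candidate up to `max_length` at `rate` c/s."""
    return cumulative_keyspace(charset_size, max_length) / rate / SECONDS_PER_YEAR


def expected_years(charset_size, length, rate):
    """Expected years to reach a uniformly random password of exactly
    `length` characters when shorter lengths are searched first: all
    shorter candidates, plus on average half of the final length."""
    shorter = cumulative_keyspace(charset_size, length - 1)
    tries = shorter + keyspace(charset_size, length) / 2
    return tries / rate / SECONDS_PER_YEAR


def report(charset_size, lengths, rate):
    """One (length, worst-case years, expected years) row per length."""
    return [
        (n,
         worst_case_years(charset_size, n, rate),
         expected_years(charset_size, n, rate))
        for n in lengths
    ]


if __name__ == "__main__":
    for n, worst, avg in report(71, (8, 10, 12), 10_000_000):
        print(f"length {n:2d}: worst case {worst:,.0f} years, "
              f"expected {avg:,.0f} years")
```

Each extra character multiplies the work by the charset size, so the longest length dominates the total and the shorter lengths contribute under 2% of it.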