Date: Wed, 28 May 2008 05:15:10 +0400
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: 15 characters

On Tue, May 27, 2008 at 08:28:28PM -0400, bofh wrote:
> Any ideas what
> 
> A-Z
> a-z
> 0-9
> !@...^*()
> 
> would take at 10 and 12 characters?

Can't you do some math on your own?

Anyway, at 10M c/s, your 71 different characters at lengths up to 10
will take over 10 thousand years.  Average time to get a password hash
cracked by naive brute-force search may be on the order of 5-6 thousand
years.  This is why you just should not go for that approach for these
character sets and lengths.

> How difficult would that be to implement?

It's trivial.  Just take the DumbForce external mode from the posting I
referred to and modify init() accordingly.

> I'm not really looking at cracking an entire password file, I'm
> more of looking at proving a point to some business folks.

You should look for a different way to prove it - not by going for
exhaustive search over a certain character set and range of lengths.
Perhaps there are plenty of weak passwords, despite their length.

JtR is not supposed to crack every single password in a reasonable
amount of time.  This is why it makes sense to detect and eliminate weak
passwords.

Also, you've never mentioned the hash type you're dealing with, although
it is very relevant and might affect my advice.

Alexander
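
The arithmetic behind the estimate in the message above, as an added example that is not part of the original post. It uses the message's figures (71 characters, lengths up to 10, 10M c/s); the function names, the Julian-year constant, the "average is half the worst case" model and the one-year budget are assumptions made for this sketch.

```python
# Added example: exhaustive-search time estimate for password auditing.
# Figures from the message: 71 characters, lengths up to 10, 10M c/s.
SECONDS_PER_YEAR = 365.25 * 24 * 3600  # assumption: Julian year


def keyspace(charset_size, max_len, min_len=1):
    """Number of candidates of every length from min_len to max_len."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def search_years(charset_size, max_len, rate, min_len=1):
    """Return (worst_case, average) years to search the whole keyspace.

    Assumption: the password is equally likely to be anywhere in the
    keyspace, so the average is half the worst case.
    """
    worst = keyspace(charset_size, max_len, min_len) / rate / SECONDS_PER_YEAR
    return worst, worst / 2


def max_feasible_length(charset_size, rate, budget_years):
    """Largest max_len whose full search fits in budget_years at rate c/s."""
    budget = rate * SECONDS_PER_YEAR * budget_years
    length = 0
    while keyspace(charset_size, length + 1) <= budget:
        length += 1
    return length


if __name__ == "__main__":
    rate = 10_000_000  # candidates per second, as in the message
    for max_len in (8, 10, 12):
        worst, avg = search_years(71, max_len, rate)
        print(f"up to {max_len:2d} chars: worst {worst:,.0f} y, avg {avg:,.0f} y")
    # Hypothetical one-year budget: how long a password does it cover?
    print("lengths covered in 1 year:", max_feasible_length(71, rate, 1))
```
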
