Date: Thu, 29 May 2008 02:43:48 +0400
From: Solar Designer <>
Subject: Re: 15 characters

On Wed, May 28, 2008 at 04:50:59PM -0400, bofh wrote:
> Loaded 347 password hashes with 176 different salts (Traditional DES
> [128/128 BS SSE2])
> Doesn't look like it's split into 8-character halves?

Actually, it does.  "Traditional DES" means that it's either the
traditional crypt(3), which truncates at 8 characters, or "bigcrypt",
which splits.  You can tell which it is by looking at the hash
encodings - are all of them 13 characters long, or are some 24
characters long?  The latter ones correspond to 9-16 character long
passwords, which are split at 8 characters.

Also, notice how you have too few different salts - this indicates that
the distribution of salts is far from uniform.  You will be able to get
a much better c/s rate by focusing on salts present on multiple hashes -
try the "--salts=..." option, adjusting its parameter - start with 2,
then try higher values - the number of hashes loaded will be decreasing,
but the c/s rate will be increasing.

> So, go make one to run from 9-12 characters then :)

Definitely not.  In fact, JtR will correctly limit "incremental" mode's
MaxLen to 8 for these hashes, even if you recompile it to allow for
greater lengths (which would make sense for other hash types).
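
Added example, not part of the message above and not JtR's own code: a Python sketch that classifies hash encodings by length (13 characters = crypt(3), 24 = bigcrypt) and counts hashes per salt to show what a given "--salts" threshold would keep. The sample entries are constructed, all function names are hypothetical, and the bigcrypt piece layout (second piece salted with characters 3-4 of the encoding) is an assumption about that format.

```python
from collections import Counter
import string

CRYPT_ALPHABET = set("./" + string.digits + string.ascii_letters)

# Constructed sample entries in user:hash form; none is a real hash.
SAMPLE = "\n".join([
    "alice:ab1234567890.",
    "bob:ab0987654321/",
    "carol:cd" + "C" * 11,
    "dave:ab" + "A" * 11 + "B" * 11,   # 24 characters: bigcrypt-style
    "erin:!locked",                    # not a DES-based encoding
])

def pieces(encoding):
    """Split one encoding into 13-character DES pieces ([] if not DES-based)."""
    if not set(encoding) <= CRYPT_ALPHABET:
        return []
    if len(encoding) == 13:            # traditional crypt(3): truncates at 8
        return [encoding]
    if len(encoding) == 24:            # bigcrypt: password split at 8 characters
        # Assumed layout: the second piece's salt is the first two
        # characters of the first piece's ciphertext.
        return [encoding[:13], encoding[2:4] + encoding[13:]]
    return []

def audit(text):
    """Return (count per encoding kind, count of pieces per salt)."""
    kinds, salts = Counter(), Counter()
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        parts = pieces(fields[1])
        kinds[{1: "crypt(3)", 2: "bigcrypt"}.get(len(parts), "other")] += 1
        for p in parts:
            salts[p[:2]] += 1          # salt = first two characters of a piece
    return kinds, salts

def kept_with_min(salts, n):
    """(hashes, salts) remaining when only salts with >= n hashes are kept."""
    kept = [c for c in salts.values() if c >= n]
    return sum(kept), len(kept)

if __name__ == "__main__":
    kinds, salts = audit(SAMPLE)
    print(dict(kinds), dict(salts))
    for n in (1, 2, 3):
        print("min hashes per salt", n, "->", kept_with_min(salts, n))
```

A password file where few salts cover many hashes, or where any 13/24-character encodings remain at all, is a sign that accounts are still on DES-based hashing and should be migrated.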

