Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 13 Jun 2009 11:22:35 +0300
From: "Antonios F. Atlasis" <>
Subject: Re: cracking MD5 hashes more than 8 characters long
 with a dictionary

Dear Alexander,

thanks a lot for your very quick response!

checking (counting) the precise length of these passwords, this is 
exactly 16 characters. Hence, I suppose this is due to the limitation 
that you mentioned concerning the MD5, right? A limitation that 
obviously does not exist in Blowfish implementation, I guess. 
Is there any work-around on this?
Thanks again

Solar Designer wrote:
> On Sat, Jun 13, 2009 at 09:57:35AM +0300, Antonios F. Atlasis wrote:
>> I tried to use John 1.7.3-1 Pro against a shadow file with MD5 (FreeBSD) 
>> hashes. This shadow contains some hashes that are longer than 
>> 8-characters. I create a custom wordlist, that contains the actual 
>> passwords included in this shadow.  When I try to crack this shadow 
>> using this custom wordlist, it cracks the passwords whose length is 8 
>> characters or less, but not the ones whose length is more than 8 
>> characters (although I feed the wordlist with the correct passwords)
> That's weird.  Those passwords should be getting cracked, assuming that
> they're not longer than 15 characters (a limitation of the current
> implementation of MD5-based crypt hashes in JtR).
> I suggest that you post a sample line from your shadow file and the
> corresponding plaintext password (the way you set it).  Obviously, reset
> the password on the real account before you post this info.
>> Using exactly the same passwords and wordlist against a Blowfish shadow, 
>> John successfully cracks all the passwords, even the ones whose length 
>> is more than 8-characters.
> Indeed, and this should be working for the MD5-based hashes too.
>> I tried to change maxlength of john.conf to 16, but this didn't hep me.
> The MaxLen setting is for "incremental" mode only, not wordlist.
> Alexander

To unsubscribe, e-mail and reply
to the automated confirmation request that will be sent to you.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.