Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 5 Feb 2010 07:54:39 +0300
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: Replacement for all.chr based on "Rock You" Passwords. URL inside.

On Thu, Feb 04, 2010 at 07:34:46PM -0700, Stephen John Smoogen wrote:
> On Thu, Feb 4, 2010 at 6:50 PM, Solar Designer <solar@...nwall.com> wrote:
> > You will likely need to release some updates, though - considering my
> > input above and/or changes to JtR itself.  Speaking of the latter, I am
> > going to re-work the "incremental" mode, for the better indeed.
[...]

> Sorry about my slowness, but would this mean that all.chr and
> incremental would be useful for larger passwords versus having to hack
> and recompile (and make new .chr files) for large hashes. I had been
> looking at various MD5 hash files that were being dropped in various
> pastebin's last year and had to make various john's to try incremental
> against 10, 12, and 16 character passwords. each one of course had
> smaller number of characters that the .chr could use to test against.

Yes, I am planning to deal with the length limitation at the same time
with my other changes to this code.

> Also will the changes also allow for 7bit ASCII characters? The
> RockYou passwords have a large combination of UTF-8, ISO8900-x, ASCII
> and various other ones... when I built up previous .chr's they were of
> course ignored :). I am guessing that some supprot for multi-byte
> characters will be needed at some point as more of the world swings
> that way.

Yes, I am hoping to allow for 8-bit characters with the new incremental
mode without a recompile.

As to multi-byte characters, that's trickier.  If I try to deal with all
shortcomings of the current implementation at once, I might never come
up with a new implementation ready for release.  So I am going to
recommend the use of external filter() functions for translation to/from
multi-byte characters.  That is, you translate multi-byte (a specific
subset) to 8-bit (or even to 7-bit) when you generate a .chr file, and
you translate 8-bit to multi-byte when cracking.  I'd like to see someone
actually try that, then we can learn from the experience and see if
anything needs to be implemented in JtR itself (and what exactly).
I have no experience with multi-byte characters in passwords myself.

If there were any multi-byte characters in the passwords you used to
generate a .chr file from, then you're likely wrong in that they were
fully ignored.  It could be worse than that.  Some of the bytes of those
characters could instead have been processed as individual characters,
thereby distorting the statistics for single-byte characters.

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.