Date: Sun, 28 Nov 2010 07:00:43 +0300
From: Solar Designer <>
Subject: Re: pwgen

Minga, all -

On Tue, Nov 23, 2010 at 02:20:25AM +0300, Solar Designer wrote:
> Minga - please "document" how random-1000-from-pwgen.txt was generated.

Any comments?  I am curious, and I actually need to know this before I
possibly inform more people that pwgen passwords are much weaker than
they look.

Can anyone else generate 1000 pwgen passwords and post them in here,
along with info on how it was done (pwgen version, OS, commands run)?

> Meanwhile, my John runs are up to 195 (out of 1000) passwords in 1 hour.

They're still running, and both are still the same (in terms of the
number of passwords cracked out of their different 1000-password files).
Here are some arbitrary points (these are whenever I happened to press a
key in the terminal):

guesses: 391  time: 0:20:27:48  c/s: 10216M  trying: TeydCgP9 - TeydCgOr
guesses: 471  time: 1:16:24:19  c/s: 9484M  trying: uhtNSTh8 - uhtNSTao
guesses: 552  time: 3:00:48:08  c/s: 8601M  trying: MD6SozoT - MD6SozeY
guesses: 594  time: 3:21:44:05  c/s: 8176M  trying: ExiR1EFx - ExiR1IWw
guesses: 642  time: 5:05:17:10  c/s: 7628M  trying: SX7HeTyO - SX7HeTxt

The effective c/s rate is decreasing because the number of hashes left
to crack is decreasing, so fewer combinations of {hash, password} are
tested per hash computed.

The average speed appears to be around 15M candidates per second.  At
this speed, exhaustive search of the 62-character length 8 space would
take about 168 days.  Thus, 5 days correspond to about 3% of the time
needed to exhaustively search this keyspace, yet we have cracked 64% of
passwords.  Some of the prior results are even more interesting:

Time running (D:HH:MM)   Keyspace searched   Passwords cracked
0:00:02                  0.0008%             6.0%
0:01:00                  0.025%              19.5%
0:20:28                  0.5%                39.1%
1:16:24                  1.0%                47.1%
3:00:48                  1.8%                55.2%
3:21:44                  2.3%                59.4%
5:05:17                  3.1%                64.2%
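
As an added worked example (not part of Solar Designer's mail and not code from the John the Ripper project), the Python below parses the five status lines quoted above and redoes the arithmetic behind the table: 62^8 candidates for the length-8 alphanumeric keyspace, the days an exhaustive sweep needs at the mail's average of about 15M candidates/s, the share of keyspace covered at each checkpoint, and the "advantage" of the actual cracking rate over that share. It also recovers a candidates-per-second figure from John's c/s by dividing by the number of hashes still uncracked, following the mail's explanation that c/s counts {hash, password} combinations and so shrinks as hashes drop out. The 15M/s rate and the 1000-hash total are the mail's figures; the status-line regex, the D:HH:MM:SS time layout and the K/M/G suffixes on c/s are my assumptions about John's output format.

```python
# Added example (not from the mail or from John the Ripper): redo the keyspace
# arithmetic for the status lines quoted in the message above.
import re

ALPHABET_SIZE = 62                 # [A-Za-z0-9]
LENGTH = 8
KEYSPACE = ALPHABET_SIZE ** LENGTH  # 62^8 = 218,340,105,584,896
TOTAL_HASHES = 1000                 # passwords in each 1000-password file
CANDIDATE_RATE = 15_000_000         # ~15M candidates/s, the mail's average

# Status lines copied from the mail; the D:HH:MM:SS layout is assumed.
STATUS_LINES = [
    "guesses: 391  time: 0:20:27:48  c/s: 10216M  trying: TeydCgP9 - TeydCgOr",
    "guesses: 471  time: 1:16:24:19  c/s: 9484M  trying: uhtNSTh8 - uhtNSTao",
    "guesses: 552  time: 3:00:48:08  c/s: 8601M  trying: MD6SozoT - MD6SozeY",
    "guesses: 594  time: 3:21:44:05  c/s: 8176M  trying: ExiR1EFx - ExiR1IWw",
    "guesses: 642  time: 5:05:17:10  c/s: 7628M  trying: SX7HeTyO - SX7HeTxt",
]

UNITS = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}   # assumed c/s suffixes
STATUS_RE = re.compile(
    r"guesses:\s*(?P<guesses>\d+)\s+"
    r"time:\s*(?P<d>\d+):(?P<h>\d+):(?P<m>\d+):(?P<s>\d+)\s+"
    r"c/s:\s*(?P<cs>\d+)(?P<unit>[KMG]?)\s+"
    r"trying:\s*(?P<lo>\S+)\s*-\s*(?P<hi>\S+)"
)


def parse_status(line):
    """Parse one John status line into guesses, elapsed seconds, raw c/s
    and the candidate range currently being tried."""
    m = STATUS_RE.search(line)
    if m is None:
        raise ValueError("not a John status line: %r" % line)
    d, h, mi, s = (int(m.group(k)) for k in ("d", "h", "m", "s"))
    return {
        "guesses": int(m.group("guesses")),
        "seconds": ((d * 24 + h) * 60 + mi) * 60 + s,
        "cs": int(m.group("cs")) * UNITS[m.group("unit")],
        "range": (m.group("lo"), m.group("hi")),
    }


def days_to_exhaust(rate=CANDIDATE_RATE, keyspace=KEYSPACE):
    """Wall-clock days for a brute-force sweep of the whole keyspace."""
    return keyspace / rate / 86400


def keyspace_fraction(seconds, rate=CANDIDATE_RATE, keyspace=KEYSPACE):
    """Share of the keyspace covered after `seconds` at a constant rate."""
    return seconds * rate / keyspace


def effective_candidate_rate(cs, guesses, total=TOTAL_HASHES):
    """Candidates/s implied by c/s: c/s counts {hash, candidate} pairs, so
    dividing by the hashes still uncracked gives the per-candidate rate."""
    return cs / (total - guesses)


def dhm(seconds):
    """Format elapsed time as D:HH:MM, rounded to the nearest minute."""
    minutes = round(seconds / 60)
    d, rem = divmod(minutes, 24 * 60)
    h, m = divmod(rem, 60)
    return "%d:%02d:%02d" % (d, h, m)


def summarize(lines=STATUS_LINES, total=TOTAL_HASHES):
    """One row per checkpoint: elapsed, keyspace searched, fraction cracked,
    how many times better than brute force that is, and candidates/s."""
    rows = []
    for line in lines:
        st = parse_status(line)
        searched = keyspace_fraction(st["seconds"])
        cracked = st["guesses"] / total
        rows.append({
            "elapsed": dhm(st["seconds"]),
            "searched": searched,
            "cracked": cracked,
            "advantage": cracked / searched,
            "cand_per_sec": effective_candidate_rate(st["cs"], st["guesses"], total),
        })
    return rows


if __name__ == "__main__":
    print("62^8 = %d candidates; exhaustive search at %dM/s: %.0f days"
          % (KEYSPACE, CANDIDATE_RATE // 10**6, days_to_exhaust()))
    print("Elapsed    Searched  Cracked  Advantage  Cand/s")
    for r in summarize():
        print("%-10s %7.2f%% %7.1f%% %8.0fx %6.1fM"
              % (r["elapsed"], r["searched"] * 100, r["cracked"] * 100,
                 r["advantage"], r["cand_per_sec"] / 1e6))
```

The candidates/s column lands in the 16-20M range for these five checkpoints, a little above the 15M/s average the mail uses, which is consistent with the per-hash overhead shrinking as hashes are cracked; the searched and cracked columns reproduce the table above to the precision it gives.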
