Date: Tue, 7 Dec 2010 08:50:52 +0300
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: pwgen

On Thu, Dec 02, 2010 at 12:24:11PM -0600, Minga Minga wrote:
> The 'random' passwords for the DEFCON contest were generated by pwgen.
> But I have long since lost the command line.

My guess is that you used the "-s" option:

       -s, --secure
              Generate completely random, hard-to-memorize passwords.  These
              should only be used for machine passwords, since otherwise it's
              almost guaranteed that users will simply write the password on a
              piece of paper taped to the monitor...

Yesterday, I generated a .chr file from 1 million "pwgen -s" passwords, and
I started an attack on random-1000-from-pwgen.txt (NTLM-hashed) using that
.chr file.  It cracked 4 passwords so far:

0:04:21:37 + Cracked u0
0:10:42:05 + Cracked u561
0:14:18:03 + Cracked u223
0:17:24:04 + Cracked u151

01j1eL0Z         (u0)
Wi28bpuE         (u561)
9YjnhqjN         (u223)
6R5d5Pr5         (u151)

guesses: 4  time: 0:19:31:08  c/s: 16196M  trying: DNc8ErG6 - DNc8Err9

Considering the time it'd take to search the entire keyspace at this speed,
this means that those passwords are in fact just as secure as they can be
given the character set and length, at least against this attack.  Thus, if
my guess re: your use of "pwgen -s" is correct, then passwords generated in
this way are safe (although passwords of this type are not safe enough when
processed with a very fast hash, as can be seen above).  It's only pwgen's
"pronounceable" passwords that are much weaker than they look.

Alexander
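The arithmetic behind "the time it'd take to search the entire keyspace at this speed", worked through as an added example; this is not part of Alexander's message and not code from John the Ripper or pwgen. It assumes two things that the message itself does not spell out: that pwgen -s with default options emits 8-character passwords over [A-Za-z0-9] and, per pwgen's default -c and -n behaviour, always includes at least one capital letter and one digit; and that the c/s figure John 1.7.x prints with many saltless hashes loaded counts candidate passwords multiplied by loaded hashes (the quantity John 1.8 later labels C/s), so the per-candidate rate is c/s divided by the 1000 hashes in the attack. The second assumption can be checked against the message: it predicts about 5 cracks out of 1000 after 19.5 hours, and 4 were observed.

```python
"""Back-of-the-envelope check of the john-users numbers quoted above.

Added example, not from the original message, John the Ripper or pwgen.
Assumptions (see lead-in): pwgen -s default = 8 chars over [A-Za-z0-9]
with at least one capital and one digit; John 1.7.x "c/s" with many
saltless hashes = candidates x hashes per second.
"""
import re

ALPHABET_SIZE = 26 + 26 + 10   # pwgen -s default alphabet: letters and digits
LENGTH = 8                     # pwgen default password length
LOADED_HASHES = 1000           # random-1000-from-pwgen.txt

# Status line copied from the message above (John 1.7.x format).
STATUS_LINE = "guesses: 4 time: 0:19:31:08 c/s: 16196M trying: DNc8ErG6 - DNc8Err9"


def raw_keyspace(alphabet=ALPHABET_SIZE, length=LENGTH):
    """Every string of `length` over the alphabet: what an incremental-mode
    run driven by a .chr file would have to exhaust to be certain."""
    return alphabet ** length


def pwgen_secure_keyspace(length=LENGTH):
    """Strings pwgen -s can actually emit (assumed -c/-n defaults).
    Inclusion-exclusion removes strings with no capital or no digit."""
    total = 62 ** length
    no_upper = 36 ** length      # lowercase + digits only
    no_digit = 52 ** length      # letters only
    neither = 26 ** length       # lowercase only
    return total - no_upper - no_digit + neither


def parse_status(line):
    """Return (guesses, elapsed_seconds, c/s) from a John 1.7.x status line.
    The time field is d:hh:mm:ss; c/s may carry a K/M/G suffix."""
    m = re.search(
        r"guesses:\s*(\d+)\s+time:\s*(\d+):(\d+):(\d+):(\d+)\s+"
        r"c/s:\s*([\d.]+)([KMG]?)",
        line,
    )
    if not m:
        raise ValueError("unrecognised status line: %r" % line)
    guesses = int(m.group(1))
    days, hours, minutes, seconds = (int(x) for x in m.group(2, 3, 4, 5))
    elapsed = days * 86400 + hours * 3600 + minutes * 60 + seconds
    scale = {"": 1, "K": 10 ** 3, "M": 10 ** 6, "G": 10 ** 9}[m.group(7)]
    return guesses, elapsed, float(m.group(6)) * scale


def attack_summary(line=STATUS_LINE, hashes=LOADED_HASHES, keyspace=None):
    """Fraction of the keyspace covered so far, the number of cracks that
    fraction predicts for `hashes` uniformly random passwords, and the
    time the full keyspace would take at the observed candidate rate."""
    if keyspace is None:
        keyspace = raw_keyspace()
    guesses, elapsed, combos_per_s = parse_status(line)
    candidates_per_s = combos_per_s / hashes      # assumption: c/s = candidates x hashes
    fraction = candidates_per_s * elapsed / keyspace
    return {
        "guesses": guesses,
        "candidates_per_s": candidates_per_s,
        "fraction_searched": fraction,
        "expected_cracks": fraction * hashes,
        "days_to_exhaust": keyspace / candidates_per_s / 86400,
    }


if __name__ == "__main__":
    for label, ks in (("62^8, any string", raw_keyspace()),
                      ("pwgen -s emittable", pwgen_secure_keyspace())):
        s = attack_summary(keyspace=ks)
        print("%-20s keyspace=%.3e  searched=%.2f%%  expected cracks=%.1f "
              "(observed %d)  full search=%.0f days"
              % (label, ks, 100 * s["fraction_searched"], s["expected_cracks"],
                 s["guesses"], s["days_to_exhaust"]))
```

Run stand-alone it prints the two bounds side by side: against the full 62^8 space about 0.52% had been searched after 19:31:08, predicting roughly 5 cracks against the 4 observed, with some 156 days needed to exhaust the space at 16.2M candidates per second; against the smaller set pwgen -s can actually produce the figures are about 0.70%, 7 expected cracks and 116 days. Either way the per-hash cost of an unsalted fast hash such as NTLM, not a weakness in the passwords, is what makes the attack feasible at all, which is the caveat in the message's last paragraph.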