Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sat, 09 Apr 2011 15:27:46 +0400
From: Aleksey Cherepanov <>
Subject: Re: passwords more that 8 chars long

I tried to run John with it without any success. So i wrote small script
in Perl to test expected password:

#! /usr/bin/perl
# We will use MD5 because the only hash that starts with $1 is MD5.
# Look: .
use Authen::Passphrase::MD5Crypt;

# We print original hash string and the end of line.
# We use single quotes to not substitute variables.
print '$1$Cnq2FbUw$B9s1v00aP0k16tgsWQQAc0', "\n";

# We generate new hash string with old salt and old hash.
# Just to test that we could build hash string correctly.
$ppr = Authen::Passphrase::MD5Crypt->new(
    # Salt obtained from original hash string is between the second
    #  and the third dollars.
    salt => "Cnq2FbUw",
    # Original hash
    hash_base64 => "B9s1v00aP0k16tgsWQQAc0");
# We print built hash string and the end of line.
print $ppr-> as_crypt, "\n";

# We generate hash string with salt obtained from string above and
#  with expected password.
$ppr = Authen::Passphrase::MD5Crypt->new(
    # Original salt 
    salt => "Cnq2FbUw",
    # Expected password
    passphrase => "groupsuper3");
# We print new hash string with end of line.
print $ppr-> as_crypt, "\n";

It produces following output:

The first two strings are the same. So script seems to work
properly. The third string is a hash string for 'groupsuper3' password
and it is different from other strings. So in my opinion your output
should not be groupsuper3.

Aleksey Cherepanov

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.