Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 9 May 2011 10:09:57 -0400
From: Rich Rumble <>
Subject: Re: Supercharged John the Ripper Techniques by Rick
 Redman of KoreLogic

On Thu, May 5, 2011 at 4:07 PM, minga <> wrote:
> Fyi.
> Rick = Minga = CrackMeIfYouCan = Me.
> That is my presentation for people "new" to password cracking and not really
> john experts. I had to remove LOTS of john-specific information from there
> because I never got in front of an actual group of john-users. i.e. markov,
> ETC.
> The URL to that site is private. But sites like that do exist - and are
> actively being used to compromise stolen passwords. That was the point of that
> slide. i.e. no one is safe .. blah blah blah.
> Also - that PDF was made to be geared toward members of OWASP - so there are
> multiple references to web development/web passwords/etc.
> -Minga

M$'s password complexity requirements, which I don't think are applied
by default, and
only apply to domain accounts (but can be applied to against local
accounts) have
the following requirements:
Passwords must contain characters from three of the following five categories:
1  Uppercase characters of European languages (A through Z, with
diacritic marks, Greek and Cyrillic characters)
2  Lowercase characters of European languages (a through z, sharp-s,
with diacritic marks, Greek and Cyrillic characters)
3  Base 10 digits (0 through 9)
4  Nonalphanumeric characters: ~!@...^&*_-+=`|\(){}[]:;"'<>,.?/
5  Any Unicode character that is categorized as an alphabetic
character but is not uppercase or lowercase. This includes Unicode
characters from Asian languages.

These are applied to every AD install I've audited for the past few
years. I was looking
through John.conf and noticed the "External:Policy" (as well as a few
others) mode.
I see this is a recent addition, and one I plan on testing right now,
I'd like to make
changes and additions to cover the various possible combinations, of
which there are
many... with 3 of the 5 being the minimum, a password could contain 4
or all 5 of
the various requirements.
The 5th (unicode) doesn't occur much in my experience, so maybe I'll
focus on the
other 4 that I do see.
8 chars is the minimum I've seen for an AD password in recent years
this is getting
longer and longer, and the LM hash is fading from storage as well.
I'll just poke around
and mess things up for a bit, then cry for help here later :)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.