Date: Sat, 21 Jan 2012 19:45:04 +0400 From: Aleksey Cherepanov <aleksey.4erepanov@...il.com> To: john-users@...ts.openwall.com Subject: Re: GUI for dummy format On Thu, Jan 19, 2012 at 11:48:11AM -0500, Rich Rumble wrote: > On Thu, Jan 19, 2012 at 11:27 AM, Solar Designer <solar@...nwall.com> wrote: > > It appears that a significant number of users who want a GUI intend to > > use JtR to test security of various plaintext passwords they can think > > of - e.g., just type some password in and have JtR try to crack it. > > > > Maybe your GUI could have some input box where one would be able to type > > plaintext passwords (one per line). The passwords would then be encoded > > as $dummy$hex and JtR would be run on them in the GUI. > > > > It may be tricky to fit this in the GUI such that it's immediately > > obvious that this functionality is available, yet without cluttering > > the main screen. > > > > Then, the same GUI could also be invoking pwqcheck from passwdqc. That > > way, one would see if their desired passwords would be accepted or > > denied by passwdqc, and then see how they get cracked or not. Maybe > > pwqgen could be invoked, too. > > > > What do you think? It is a great feature. I see it as an ability to edit table with passwords: at start user see empty table for passwords and user either input password by hands or load file. Probably new column 'cracked' should be introduced to show whether this record was cracked or not. And another column to show output from pwqcheck (this is not really connected with dummy and could be useful for passwords loaded from file too) should be added. Editable table needs tips to become obvious but I am not sure that it is possible to make not annoying but useful tips. However it could be worth to try. The easiest way to use pwqcheck is to apply -1 key else Johnny should provide old password and passwd entry. While passwd entry is intended to be available (because John uses it) old password is not a "normal" thing to know, is it? So old password could be passed as empty or user could be asked to enter old password. I think Johnny should support at least variant with empty old password and may have an option to provide the old password. Should not John be able to use old password? > It's a small icon that looks like a calculator and opens another > window to have you > input the text and click OK to hash it. This email reminded me of another recent > discussion about having JtR generate hashes to Stdout (iirc). I wanted > to ask how > JtR would do this on salted hashes, would it output all possible > salts, or just some > random single salt, or a handful of salts. I don't want to mix the two > threads but I > think the question can apply here as well as it does in the other > thread. More simply > would the Dummy hash's support salts and how would they likely support them. > > Also would Dummy support the, for lack of a better definition, complex > hash types > like Kerbrose TGT (krb5), Mscache, Zip, Rar etc... When user enters password in table field Johnny would compute hash and fill 'hash' column field. In similar manner it would be possible to handle salt and hash type: user would be able to choose salt (or generate random) and to choose hash type through 'salt' and 'hash type' columns respectively. However for this time it is hard for Johnny to determine hash type or salt. I think it should not be implemented in Johnny itself: either Johnny should use some code from John or it should be able to talk to John for that information (this needs not only to extend John but also to make communication interface machine readable). What encoding does user input password in? What encoding should password be converted to before hash computation? Should this be relative to hash type chosen and/or current environment? I think it could depend on current environment as pwqcheck depends and it seems to be normal. However in the future it could be necessary to provide an ability to configure pwqcheck and to configure encoding. What do you think? Regards, Aleksey Cherepanov
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.