Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 21 Jan 2012 19:45:04 +0400
From: Aleksey Cherepanov <>
Subject: Re: GUI for dummy format

On Thu, Jan 19, 2012 at 11:48:11AM -0500, Rich Rumble wrote:
> On Thu, Jan 19, 2012 at 11:27 AM, Solar Designer <> wrote:
> > It appears that a significant number of users who want a GUI intend to
> > use JtR to test security of various plaintext passwords they can think
> > of - e.g., just type some password in and have JtR try to crack it.
> >
> > Maybe your GUI could have some input box where one would be able to type
> > plaintext passwords (one per line).  The passwords would then be encoded
> > as $dummy$hex and JtR would be run on them in the GUI.
> >
> > It may be tricky to fit this in the GUI such that it's immediately
> > obvious that this functionality is available, yet without cluttering
> > the main screen.
> >
> > Then, the same GUI could also be invoking pwqcheck from passwdqc.  That
> > way, one would see if their desired passwords would be accepted or
> > denied by passwdqc, and then see how they get cracked or not.  Maybe
> > pwqgen could be invoked, too.
> >
> > What do you think?

It is a great feature. I see it as an ability to edit table with
passwords: at start user see empty table for passwords and user either
input password by hands or load file. Probably new column 'cracked'
should be introduced to show whether this record was cracked or not.
And another column to show output from pwqcheck (this is not really
connected with dummy and could be useful for passwords loaded from
file too) should be added.

Editable table needs tips to become obvious but I am not sure that it
is possible to make not annoying but useful tips. However it could be
worth to try.

The easiest way to use pwqcheck is to apply -1 key else Johnny should
provide old password and passwd entry. While passwd entry is intended
to be available (because John uses it) old password is not a "normal"
thing to know, is it? So old password could be passed as empty or user
could be asked to enter old password. I think Johnny should support at
least variant with empty old password and may have an option to
provide the old password. Should not John be able to use old password?

> It's a small icon that looks like a calculator and opens another
> window to have you
> input the text and click OK to hash it. This email reminded me of another recent
> discussion about having JtR generate hashes to Stdout (iirc). I wanted
> to ask how
> JtR would do this on salted hashes, would it output all possible
> salts, or just some
> random single salt, or a handful of salts. I don't want to mix the two
> threads but I
> think the question can apply here as well as it does in the other
> thread. More simply
> would the Dummy hash's support salts and how would they likely support them.
> Also would Dummy support the, for lack of a better definition, complex
> hash types
> like Kerbrose TGT (krb5), Mscache, Zip, Rar etc...

When user enters password in table field Johnny would compute hash and
fill 'hash' column field. In similar manner it would be possible to
handle salt and hash type: user would be able to choose salt (or
generate random) and to choose hash type through 'salt' and 'hash
type' columns respectively. However for this time it is hard for
Johnny to determine hash type or salt. I think it should not be
implemented in Johnny itself: either Johnny should use some code from
John or it should be able to talk to John for that information (this
needs not only to extend John but also to make communication interface
machine readable).

What encoding does user input password in? What encoding should
password be converted to before hash computation? Should this be
relative to hash type chosen and/or current environment? I think it
could depend on current environment as pwqcheck depends and it seems
to be normal. However in the future it could be necessary to provide
an ability to configure pwqcheck and to configure encoding.

What do you think?

Aleksey Cherepanov

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.