Date: Tue, 31 Jul 2012 13:48:25 -0400 (EDT)
From: "Brad Tilley" <brad@...ystems.com>
To: john-users@...ts.openwall.com
Subject: Re: 1Password blog post about Dhiru's new/forthcoming 1Password module

Hi Jeffrey,

> On a related note, has anyone developed a rule set for going after
> diceware generated passwords?

I use word machine with the diceware word list or the most common Wikipedia English word list (http://en.wikipedia.org/wiki/Most_common_words_in_English) and feed those to John via stdin or pipe. However, I'm sure someone could write a JtR rule or maybe has already done so.

Here's an example using word machine to crack four word passwords:

    wm --low --words words.txt | \
    wm --append 1 --chars=" " --words stdin | \
    wm --awords words.txt --words stdin | \
    wm --append 1 --chars=" " --words stdin | \
    wm --awords words.txt --words stdin | \
    wm --append 1 --chars=" " --words stdin | \
    wm --awords words.txt --words stdin | \
    john --format=nt --pipe hashes.txt

The diceware word list is large (more than seven thousand words if I recall correctly). So a four word diceware password would be difficult to crack when stored using any decent (bcrypt, sha512crypt, etc.) password hash:

    7,000 ^ 4 = 2,401,000,000,000,000 possibilities

That's just the words alone. It does not account for individual character case changes or other word manipulation a user may do.

It has been my experience that most corporate password complexity policies (outside of intelligent ones that use passwdqc) force the use of upper, lower, numbers, and special digits (no matter the password length), so the words on the diceware list would need to be altered to make diceware passwords acceptable to these complexity policies.

The other issue I've encountered with diceware is password length limitations. In addition to requiring at least 3 of 4 character classes, many systems also limit the password length for backward compatibility reasons. Any password more than eight or ten characters long, etc., will not be accepted. This makes it impossible to use most diceware passwords on those systems.

Perhaps some day there will be an ISO standard that all authentication systems must follow when accepting passwords. One can dream at least!

Hope this helps,

Brad
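The keyspace arithmetic and the complexity-policy conflict Brad describes, worked through as an added example (not code from the original post or from word machine/JtR). The standard 7776-entry list size, the 3-of-4 class rule, the 10-character cap and the guess rates are assumptions chosen to illustrate the point.

```python
"""Keyspace and policy checks for diceware-style passphrases (added example)."""
import math
import string

DICEWARE_LIST_SIZE = 7776  # assumption: the standard diceware list is 6**5 entries


def keyspace(list_size: int, n_words: int) -> int:
    """Distinct passphrases built from n_words entries of a list_size list."""
    return list_size ** n_words


def entropy_bits(list_size: int, n_words: int) -> float:
    """Equivalent entropy in bits for uniformly chosen words."""
    return n_words * math.log2(list_size)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try the whole keyspace at a given guess rate."""
    return space / guesses_per_second / (365.0 * 24 * 3600)


def char_classes(pw: str) -> int:
    """How many of the four classes (lower, upper, digit, symbol) appear.
    Assumption: the space separator is not counted as a symbol."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def policy_check(pw: str, min_classes: int = 3, max_len: int = 10) -> list:
    """Reasons a typical corporate policy (3-of-4 classes, short max length)
    would reject pw; an empty list means it would be accepted."""
    reasons = []
    if char_classes(pw) < min_classes:
        reasons.append("too few character classes")
    if len(pw) > max_len:
        reasons.append("exceeds maximum length")
    return reasons


if __name__ == "__main__":
    space = keyspace(DICEWARE_LIST_SIZE, 4)
    print(f"4-word keyspace: {space:,} ({entropy_bits(DICEWARE_LIST_SIZE, 4):.1f} bits)")
    # Constructed rates: fast unsalted hash vs. a slow adaptive hash like bcrypt.
    for name, rate in (("fast hash", 1e9), ("bcrypt", 1e4)):
        print(f"  exhaust at {name}: {years_to_exhaust(space, rate):,.1f} years")
    print(policy_check("correct horse battery staple"))  # rejected on both counts
```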