Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 31 Jul 2012 13:48:25 -0400 (EDT)
From: "Brad Tilley" <brad@...ystems.com>
To: john-users@...ts.openwall.com
Subject: Re: 1Password blog post about Dhiru's new/forthcoming 
     1Password module

Hi Jeffrey,

> On a related note, has anyone developed a rule set for going after
> diceware generated passwords?

I use word machine with the diceware word list or the most common
wikipedia English word list
(http://en.wikipedia.org/wiki/Most_common_words_in_English) and feed those
to John via stdin or pipe. However, I'm sure someone could write a JtR
rule or maybe has already done so. Here's an example using word machine to
crack four word passwords:

wm --low --words words.txt | \
wm --append 1 --chars=" " --words stdin | \
wm --awords words.txt --words stdin | \
wm --append 1 --chars=" " --words stdin | \
wm --awords words.txt --words stdin | \
wm --append 1 --chars=" " --words stdin | \
wm --awords words.txt --words stdin | \
john --format=nt --pipe hashes.txt

The diceware word list is large (more than seven thousand words if I
recall correctly). So a four word diceware password would be difficult to
crack when stored using any decent (bcrypt, sha512crypt, etc) password
hash:

7,000 ^ 4 = 2,401,000,000,000,000 possibilities

That's just the words alone. It does not account for individual character
case changes or other word manipulation a user may do.

It has been my experience that most corporate password complexity policies
(outside of intelligent ones that use passwdqc) force the use of upper,
lower, numbers, and special digits (no matter the password length) so the
words on the diceware list would need to be altered to make diceware
passwords acceptable to these complexity policies.

The other issue I've encountered with diceware is password length
limitations. In addition to requiring at least 3 of 4 character classes,
many systems also limit the password length for backward compatibility
reasons. Any password more than eight or ten characters long, etc. will
not be accepted. This makes it impossible to use most diceware passwords
on those systems.

Perhaps some day there will be an ISO standard that all authentication
systems must follow when accepting passwords. One can dream at least!

Hope this helps,

Brad




Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.