Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 31 Jul 2012 23:56:14 -0500
From: Jeffrey Goldberg <>
Subject: Re: 1Password blog post about Dhiru's new/forthcoming  1Password module

On 2012-07-31, at 12:48 PM, "Brad Tilley" <> wrote:

>> On a related note, has anyone developed a rule set for going after
>> diceware generated passwords?
> I use word machine with the diceware word list or the most common
> wikipedia English word list

Thanks, Brad! That makes sense.

> wm --low --words words.txt | \
> wm --append 1 --chars=" " --words stdin | \
> wm --awords words.txt --words stdin | \
> wm --append 1 --chars=" " --words stdin | \
> wm --awords words.txt --words stdin | \
> wm --append 1 --chars=" " --words stdin | \
> wm --awords words.txt --words stdin | \
> john --format=nt --pipe hashes.txt


> The diceware word list is large (more than seven thousand words if I
> recall correctly).

It's 6^5 (each word is determined by five sequential roles of a die); so it is 7776 words long.

> So a four word diceware password would be difficult to
> crack

Yep. Each word adds 12.9 bits of entropy.

> It has been my experience that most corporate password complexity policies
> (outside of intelligent ones that use passwdqc) force the use of upper,
> lower, numbers, and special digits 

> The other issue I've encountered with diceware is password length
> limitations.

The situation I am thinking of is not for an authentication password, but as an encryption password or master password for a password management system. So those sorts of problems don't apply. I've been advocating the use of diceware for this and wanted to benchmark c/s.

I'm very new to actually using JtR, so responses like yours about word machine are extremely helpful.



Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.