Date: Tue, 31 Jul 2012 23:56:14 -0500 From: Jeffrey Goldberg <jeffrey@...dmark.org> To: john-users@...ts.openwall.com Subject: Re: 1Password blog post about Dhiru's new/forthcoming 1Password module On 2012-07-31, at 12:48 PM, "Brad Tilley" <brad@...ystems.com> wrote: >> On a related note, has anyone developed a rule set for going after >> diceware generated passwords? > > I use word machine with the diceware word list or the most common > wikipedia English word list Thanks, Brad! That makes sense. > wm --low --words words.txt | \ > wm --append 1 --chars=" " --words stdin | \ > wm --awords words.txt --words stdin | \ > wm --append 1 --chars=" " --words stdin | \ > wm --awords words.txt --words stdin | \ > wm --append 1 --chars=" " --words stdin | \ > wm --awords words.txt --words stdin | \ > john --format=nt --pipe hashes.txt Thanks! > The diceware word list is large (more than seven thousand words if I > recall correctly). It's 6^5 (each word is determined by five sequential roles of a die); so it is 7776 words long. > So a four word diceware password would be difficult to > crack Yep. Each word adds 12.9 bits of entropy. > It has been my experience that most corporate password complexity policies > (outside of intelligent ones that use passwdqc) force the use of upper, > lower, numbers, and special digits > The other issue I've encountered with diceware is password length > limitations. The situation I am thinking of is not for an authentication password, but as an encryption password or master password for a password management system. So those sorts of problems don't apply. I've been advocating the use of diceware for this and wanted to benchmark c/s. I'm very new to actually using JtR, so responses like yours about word machine are extremely helpful. Cheers, -j
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.