Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 23 Aug 2012 20:26:14 +0400
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: Arstechnica Password article (feat. Matt Weir)

On Tue, Aug 21, 2012 at 07:04:13PM -0400, Matt Weir wrote:
> > There are some minor inaccuracies.
> 
> Hey Solar, I'd be very interested to hear what you felt was wrong.

I'd need to re-read in order to re-spot the _minor_ inaccuracies.
One that I do recall is the statement that Mac OS X uses sha512crypt.
...Oh, I just found this place and it uses the word "includes" rather
than "uses", but I think it implies the latter (or at least that's what
the readers will think).  "Includes" might be wrong too (I don't know if
a copy of sha512crypt is found in some component of OS X or not), but
that's hair splitting.

It is great that Dan explains how Rob Graham's "exponential wall" has
little to do with reality.  However, for someone merely skimming over
the article - and that will be true for most readers - they will see the
pretty picture, but not the words that the picture is "wrong".  Besides,
that picture is for a specific hash type, which would need to be
mentioned (I think it is not).

> Dan really impressed me with his dedication to try and get everything
> right. A good example of that was his research into the origin of the
> term "Rainbow tables" where not only did he read the original Oechslin
> papers but he contacted a bunch of people and posted on Twitter as
> well. Even with all that research since he wasn't able to find an
> authoritative source he wrote: "Rainbow tables are believed to get
> their name....".

Yes, that careful choice of words is impressive.

> I guess more to the point, he had several people including me review a
> pre-release copy so some of those mistakes may be mine as well ;p
> 
> As far as JtR not being mentioned, I think that's more of a PR issue
> we have. When people talk about password cracking to the general
> public they tend to focus on Rainbow tables, GPUs, and the cloud. We
> can debate how much impact all those things have, but the simple fact
> is that's what people find interesting. While JtR has GPU support,
> Hashcat won the CMIYC competition so they deserve the recognition they
> get when it comes to mentioning a GPU cracker. If we can get better
> GPU cracking performance than Hashcat people will mention JtR instead
> ;p

Yeah, we got to implement fast hashes on GPU, even if only for PR. ;-)
The PR aspect was a significant part of my motivation behind including
"fast hashes on GPU" among GSoC projects for this year, and we'll
continue with that project after GSoC.  I am not interested in PR per
se, but I am interested in it as a tool to help make progress at other
aspects of the project (more attention to the project means more code
contributions too).

The focus (in terms of article space and pretty pictures) on rainbow
tables and fast hashes made the article misleading to people who are
just skimming, I think.  You're right, though, that the way these things
are presented - with an understanding that rainbow tables are not just
tables of precomputed hashes, etc. - is impressive, as compared to
typical articles I've seen.

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.