```Date: Sat, 17 Nov 2012 17:37:18 +0100
From: Simon Marechal <simon@...quise.net>
To: john-users@...ts.openwall.com
Subject: Re: How does incremental mode works?

On 11/17/2012 02:14 AM, Richard Miles wrote:
> Thanks for your answer. Nice to know I'm not the only one that is unable to
> understand how it works and the difference in a high level between
> incremental and markov. :)
>
> Maybe Solar or Simon may help us?

I will answer about Markov mode. The statistics file that it uses contains :
* the probability that character c is the first character of a password
* the probability that character c_n follows c_(n-1) (the previous
character)

It doesn't actually store the raw probability, but something like:

P' = - N log(P)

That way, something very likely (P ~ 1) will have P' ~ 0, and something
highly unlikely (P ~ 0) will have a very high P'.

You compute the "markov strength" of a password by adding all those P'.
You can check this with the mkvcalcproba program. For example:

p4ssw0rd!	28+58+47+23+46+56+56+30+76   =  420

Notice how the first letter being identical, the first P' is identical
between passwords, and how unlikely transitions cost more.

The markov incremental mode with JtR, given a maximum strength, will
crack all passwords with a strength that is lower than or identical with
the given maximum. This means that -markov:200 will crack none of the
previous passwords, and -markov:250 will crack the easiest.