Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 19 Nov 2012 19:08:59 +0100
From: Simon Marechal <>
Subject: Re: How does incremental mode works?

On 11/19/2012 04:57 PM, Richard Miles wrote:
> - "password" is really easier and consequently with a smaller cost (217).
> - however if we are targeting real companies and not public leaks (that in
> general do not enforce password policy or enforce very poor ones) I think
> that "p4ssw0rd!" with a higher cost (420) will be more likely because of
> password policy enforcement (such as Microsoft Windows Password Policy for
> Domain Controllers) will prevent for example the use of "password" but may
> accept for example "p4ssw0rd!" or "P4ssw0rd!".
> - So, while I agree that Markov computes it in a very smart way I guess it
> may not be the best for real target. Do you think that is possible to adapt
> Markov method or create and variation to target password hashes created
> with an average or strong password policy?

You can use filters to reject words that do not match a given policy,
but this will only be acceptable for slow hashes. The original paper I
read on the topic did exactly this, but with rainbow tables.

I have stuff that is somehow related to this topic for Passwords^12, so
stay tuned !

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.