Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 3 Jan 2013 11:26:32 +0100
From: Frank Dittrich <frank_dittrich@...mail.com>
To: john-users@...ts.openwall.com
Subject: Re: Multiple formats accepting the same raw hashes

On 01/03/2013 04:52 AM, Lukas Odzioba wrote:
> 2013/1/2 Brad Tilley <rbt@....us>:
>>  1. Silently use the first hash format that matches - incorrect
>>  2. Use the first match, and also mention all the other formats that match - incorrect
>>  3. When there are multiple matching formats, JtR should stop and ask the user to specify one - correct
> I agree with 3rd, even if user is aware what he is doing, making
> stupid mistake is harder.

Yes, indeed. I am happy that Brad shared his insight. I certainly didn't
see the obvious solution for this dilemma.

To help the "lazy" users who want to be able to shoot themselves into
their feet, we could add a config variable, say:
RequireFormatForAmbiguousInput = Y

The user is then free to change the value to N. But if he does, he has
to know what he is doing.

If we refuse to process ambiguous input files when no --format option
has been specified, we should:
-use the same warning message for all formats which find at least one
valid hash
-print a warning message at the end, mentioning the
RequireFormatForAmbiguousInput config variable
-exit with a return code != 0

We would also need to decide what the default behaviour should be if
RequireFormatForAmbiguousInput is not defined or if the value is neither
Y nor N.

Frank

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.