Date: Fri, 21 Feb 2014 00:46:05 +0100 From: magnum <john.magnum@...hmail.com> To: john-users@...ts.openwall.com Subject: Re: Secure Mode for John On 2014-02-21 00:25, Mark Butler wrote: >> Date: Tue, 21 Jun 2005 16:28:29 -0400 >> From: Jim Brown <jpb@...shooter.v6.thrupoint.net> >> >> I've used john in an enterprise environment as a strong >> password compliance tool and I've had these concerns: >> >> 1. The passwords are visibly displayed. >> 2. The .pot file contains password data that can be displayed >> by running john at a later time. > > I would like to revisit the above. Ideally I would like a setting in > john.conf to be able to turn on Secure Mode for john. I would envisage that > when it is set, instead of john passing back the clear text password, it > would pass back attributes of the password instead. Things like length, > mode john is running in (Single crack [S], Wordlist [W], Incremental [I], > External [E]) and the rule matched in that mode. eg: L8-W-R13 for a > password 8 characters in length, cracked in Wordlist mode using rule 13. > Hopefully all this information is available to john at the time the > password is cracked. Cool idea. We'd have the problem due to parallel buffering that the "current" rule might be ahead of what rule actually created the candidate that cracked a hash. We could give a rougher indication for those cases, eg. L8-W-R<=13 for your example, or L8-W-R=13 when certain. > The flow on effect would be the .pot file would include the encrypted > password with password attributes instead of the clear text password. This might be fairly trivial. I'll put it on our to-do list. > The advantages for me would be since no actual passwords are being stored > or transmitted by john in this Secure Mode, then it would open the > possibility to be able to run it in less secure environments, eg home. Personally I would regard even bare hashes just as sensitive, I would not recommend taking them "home". But it's still a good idea. magnum
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.