Date: Mon, 11 Jan 2016 10:03:57 -0500
From: Rich Rumble <>
Subject: Re: format-all-details -> Max. password length in bytes

On Mon, Jan 11, 2016 at 9:52 AM, Frank Dittrich
<> wrote:
> On 01/11/2016 02:35 PM, wrote:
>> I wonder how those limits are set: how are they implemented,
> The max. password length issue is quite complex.
> This link to an old john-dev discussion might provide some background
> information:
>> are they tunable at run time, and why 39 (arbitrary decision?) ?
> It is not really tunable by an end user.
> For some formats, a developer could look into the problem and see what
> performance impact increasing the max. password length would have.
> Salted SHA1 currently supports a max. salt size of 16 bytes:
> salted_sha1_common.h:13:#define MAX_SALT_LEN         16
> The max. password length is defined so that just a single SHA1 block needs
> to be computed per candidate:
> salted_sha1_fmt_plug.c:58:#define PLAINTEXT_LENGTH     (55-MAX_SALT_LEN)
> So, if all your hashes do have a salt length < 16 bytes, you could use a
> larger max.password length for salted-sha1 and salted-sha1-opencl by
> decreasing MAX_SALT_LEN.
> OTOH, dynamic_24 and dynamic_25 are quite similar to salted-sha1.
> One of these dynamic formats computes SHA1($p.$s), the other SHA1($s.$p).
> Both of them do have max. password length of 110 and a salt size of 64, but
> you can see that the speed of these formats is considerably slower.
> (Since the dynamic formats use hex encoding and salted-sha1 uses base64, the
> hashes would need to be converted to be used by dynamic).
>> However, I do remember that incremental is limited to 8 char. at compile
>> time. But I'm interested in the limit set for formats.
>>> $ ./john --list=format-all-details | grep "Max. password length"
>>> Max. password length in bytes        8
>>> Max. password length in bytes        64
>>> Max. password length in bytes        15
>>> Max. password length in bytes        72
>>> Max. password length in bytes        125
>>> Max. password length in bytes        7
>>> ../..
To add to what Frank said, some password lengths are limited by the
type more often than not (LM=7, DES=8) and that's why incremental was
limited by default for so long, but in 1.8 the length of incremental
was changed to 24 bytes.
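
The single-block arithmetic behind `PLAINTEXT_LENGTH (55-MAX_SALT_LEN)` quoted above, as an added example that is not part of the original message and not John the Ripper code. The function names are hypothetical and the password-then-salt order is an assumption; the limit is the same for either order.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SHA1_BLOCK    64                    /* SHA-1 compresses 64-byte blocks */
#define ONE_BLOCK_MAX (SHA1_BLOCK - 1 - 8)  /* minus 0x80 marker and 64-bit length: 55 */

/* Compression calls SHA-1 needs for an n-byte message (padding included). */
static unsigned sha1_blocks(size_t n) { return (unsigned)((n + 1 + 8 + SHA1_BLOCK - 1) / SHA1_BLOCK); }

/* Longest password that shares one block with a salt of up to salt_len bytes. */
static int max_plaintext(int salt_len) { return ONE_BLOCK_MAX - salt_len; }
static uint32_t rol(uint32_t x, int s) { return (x << s) | (x >> (32 - s)); }

/* SHA-1(password || salt) in exactly one compression call; -1 if it would need two. */
static int sha1_one_block(const char *pw, size_t pl, const char *salt, size_t sl, uint32_t h[5])
{
    unsigned char b[SHA1_BLOCK] = {0};
    uint32_t w[80], a, bb, c, d, e, f, k, t;
    size_t n = pl + sl;
    int i;
    if (n > ONE_BLOCK_MAX) return -1;
    memcpy(b, pw, pl);
    memcpy(b + pl, salt, sl);
    b[n] = 0x80;                              /* padding marker */
    b[62] = (unsigned char)((n * 8) >> 8);    /* bit length, big-endian (at most 440) */
    b[63] = (unsigned char)(n * 8);
    for (i = 0; i < 16; i++)
        w[i] = (uint32_t)b[4*i] << 24 | (uint32_t)b[4*i+1] << 16 | (uint32_t)b[4*i+2] << 8 | b[4*i+3];
    for (; i < 80; i++) w[i] = rol(w[i-3] ^ w[i-8] ^ w[i-14] ^ w[i-16], 1);
    h[0] = 0x67452301; h[1] = 0xEFCDAB89; h[2] = 0x98BADCFE; h[3] = 0x10325476; h[4] = 0xC3D2E1F0;
    a = h[0]; bb = h[1]; c = h[2]; d = h[3]; e = h[4];
    for (i = 0; i < 80; i++) {
        if (i < 20)      { f = (bb & c) | (~bb & d);          k = 0x5A827999; }
        else if (i < 40) { f = bb ^ c ^ d;                    k = 0x6ED9EBA1; }
        else if (i < 60) { f = (bb & c) | (bb & d) | (c & d); k = 0x8F1BBCDC; }
        else             { f = bb ^ c ^ d;                    k = 0xCA62C1D6; }
        t = rol(a, 5) + f + e + k + w[i];
        e = d; d = c; c = rol(bb, 30); bb = a; a = t;
    }
    h[0] += a; h[1] += bb; h[2] += c; h[3] += d; h[4] += e;
    return 0;
}

int main(void)
{
    printf("max password: salt 16 -> %d, salt 8 -> %d\n", max_plaintext(16), max_plaintext(8));
    printf("blocks: 55 bytes -> %u, 56 bytes -> %u\n", sha1_blocks(55), sha1_blocks(56));
    return 0;
}
```

With a 16-byte salt the one-block budget leaves 39 bytes for the password; one byte more and every candidate costs a second compression call.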
