Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 5 May 2017 15:08:52 +0200
From: Solar Designer <>
Subject: Re: Max characters for password candidates (NTLM) and others

On Thu, May 04, 2017 at 11:56:38PM +0200, magnum wrote:
> On 2017-05-04 23:44, Frank Dittrich wrote:
> > So, it would be possible to drop that limit (or change the limit from
> > currently 27 characters to, say, 54 characters).
> Sure. We could support any length but it'd be slower. Actually, for a 
> non-SIMD build (eg. non-Intel using OpenSSL) I think our limit is 125 
> bytes (which is the hard deck no-matter-what, set by legacy core code) 
> and that'd be just 41 characters worst case (that is, every one of them 
> take three bytes to represent in UTF-8).

So maybe we can recommend Rob to make and use a non-SIMD build of JtR
for such special cases for now?  I guess this would also help him with
"also having the same issue with Kerberos TGS hashes with known
passwords" (quoting from the GitHub issue).

I think this amounts to:

make distclean
./configure --disable-native-tests CFLAGS='-O2 -mno-sse2 -mno-mmx -U__SSE__'

Yes, that's a bit tricky, and IIRC the last -U__SSE__ is a workaround
for glibc headers.

> > But trying password candidates that are longer than 27 characters would
> > reduce the cracking speed to about half the speed of the current
> > implementation.
> Actually we could implement some kind of branching and support 
> 27/54/81/108/125 bytes, no problem. And we could re-write John's core 
> and support more than 125 bytes. But with fast hashes like NT the 
> branching would be a significant regression. It would hurt real-world 
> cracking: No-one has a password of 27 characters, let alone longer.

I think Rob actually has a real-world use case for this.  I don't know
what it is.  Maybe not for NT specifically, but for other hash types
exhibiting similar length limits now.


Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.