Date: Wed, 17 May 2017 22:11:08 +0200
From: magnum <john.magnum@...hmail.com>
To: john-users@...ts.openwall.com
Subject: Re: Max Password Lengths

On 2017-05-17 15:38, Will Hunt wrote:
> After following your recent discussion with Rob re maximum password lengths, is there any easy way to determine the maximum character length of all supported algorithms?
> 
> I noted that using --enc:raw shows 27 for NT instead of 81, but I haven't been able to find any resources online that quickly show which algorithms are unicode based and which aren't

Latest jumbo (from github) will display length as "characters" as
opposed to bytes. Examples:

$ ../run/john --list=format-all-details --format=nt
Format label                         NT
  Disabled in configuration file      no
Min. password length                 0
Max. password length                 27
Min. keys per crypt                  12
Max. keys per crypt                  12
Flags
  Case sensitive                      yes
  Truncates at (our) max. length      no
  Supports 8-bit characters           yes
  Converts internally to UTF-16/UCS-2 yes
  Honours --encoding=NAME             yes
  Collisions possible (as in likely)  no
  Uses a bitslice implementation      no
  The split() method unifies case     yes
  Supports very long hashes           no
  A $dynamic$ format                  no
  A dynamic sized salt                no
  Parallelized with OpenMP            no
Number of test vectors               43
Algorithm name                       MD4 128/128 AVX 4x3
Format name
Benchmark comment
Benchmark length                     -1
Binary size                          16
Salt size                            0
Tunable cost parameters
Example ciphertext                   b7e4b9022cd45f275334bbdb83bb5be5

$ ../run/john --list=format-all-details --format=office
Format label                         Office
  Disabled in configuration file      no
Min. password length                 0
Max. password length                 41 [worst case UTF-8] to 125 [ASCII]
Min. keys per crypt                  32
Max. keys per crypt                  128
Flags
  Case sensitive                      yes
  Truncates at (our) max. length      no
  Supports 8-bit characters           yes
  Converts internally to UTF-16/UCS-2 yes
  Honours --encoding=NAME             yes
  Collisions possible (as in likely)  no
  Uses a bitslice implementation      no
  The split() method unifies case     no
  Supports very long hashes           no
  A $dynamic$ format                  no
  A dynamic sized salt                no
  Parallelized with OpenMP            yes
   Poor OpenMP scalability            no
Number of test vectors               19
Algorithm name                       SHA1 128/128 AVX 4x / SHA512 128/128 AVX 2x AES
Format name                          2007/2010/2013
Benchmark comment
Benchmark length                     -1
Binary size                          16
Salt size                            84
Tunable cost parameters              MS Office version, iteration count
Example ciphertext                   $office$*2007*20*128*16*8b2c9e8c878844fc842012273be4bea8*aa862168b80d8c45c852696a8bb499eb*a413507fabe2d87606595f987f679ff4b5b4c2cd

In the latter case, we see that worst-case UTF-8 will push down the max 
length.


> I don't know which ones require a calculation from the displayed value. Or failing that, is there a switch that allows john show the actual character length limits of all algorithms?

You can see it in the "Converts internally to UTF-16/UCS-2" lines above.

magnum
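
An added example, not part of the message above and not John the Ripper's own code: a small Python parser for the `--list=format-all-details` output shown in the message, pulling out each format's maximum length in characters and the "Converts internally to UTF-16/UCS-2" flag. The sample input is abridged from the two listings above; the `fits` helper and its three-way answer are assumptions made for illustration.

```python
import re

# Abridged from the two listings quoted in the message above.
SAMPLE = """\
Format label                         NT
Max. password length                 27
  Converts internally to UTF-16/UCS-2 yes

Format label                         Office
Max. password length                 41 [worst case UTF-8] to 125 [ASCII]
  Converts internally to UTF-16/UCS-2 yes
"""

KEYS = {"Format label": "label",
        "Max. password length": "max",
        "Converts internally to UTF-16/UCS-2": "utf16"}
# Matches "27" as well as "41 [worst case UTF-8] to 125 [ASCII]".
RANGE = re.compile(r"^(\d+)(?:\s*\[[^\]]*\]\s*to\s*(\d+)\s*\[[^\]]*\])?")

def parse_format_details(text):
    """Return {label: {"max_chars": (low, high), "utf16": bool}}."""
    formats, cur = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        for key, name in KEYS.items():
            if not stripped.startswith(key):
                continue
            value = stripped[len(key):].strip()
            if name == "label":        # a new format record starts here
                cur = formats.setdefault(value, {"max_chars": None, "utf16": False})
            elif cur is not None and name == "max":
                m = RANGE.match(value)
                if m:
                    low = int(m.group(1))
                    cur["max_chars"] = (low, int(m.group(2) or low))
            elif cur is not None and name == "utf16":
                cur["utf16"] = value == "yes"
    return formats

def fits(candidate, fmt):
    """Hypothetical helper: does a candidate's character count fit the format?"""
    low, high = fmt["max_chars"]
    n = len(candidate)  # assumption: one code point counts as one character
    if n <= low or (candidate.isascii() and n <= high):
        return "yes"
    return "no" if n > high else "depends on encoding"

if __name__ == "__main__":
    for label, info in parse_format_details(SAMPLE).items():
        print(label, info)
```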
