Date: Sat, 5 May 2018 16:43:17 +0200
From: Solar Designer <>
Subject: Re: failed to break my own created password

On Sat, May 05, 2018 at 01:55:45PM +0000, Royce Williams wrote:
> If you suspect a typo, a variety of typos can also be simulated. Here's a
> crude example of how to generate some rules for mis-key (rather than
> transposition) typos:

To do something different but similar (overstrikes and inserts) with
JtR, put the supposed password in a wordlist file and use --rules=oi.
This ruleset is already included in recent bleeding-jumbo, but in case
of using an older version here it is:

o[0-9A-Z][ -~]
i[0-9A-Z][ -~]
o[0-9A-E][ -~] Q M o[0-9A-E][ -~] Q
i[0-9A-E][ -~] i[0-9A-E][ -~]

This does one overstrike/insert up to length 36 and two up to length 14.
With a fast hash like Eric's, this is very quick.

If leetization might have been applied to the original password, then it
may also be passed through --external=Leet or the masks previously
posted in here may be used prior to applying the rules above (with a
separate invocation of JtR).

On Fri, May 04, 2018 at 10:12:21PM -0700, Eric Oyen wrote:
> unbreakable without considerably greater resources than I have here.

Based on what you tell us, this is primarily about adjusting the attacks
you run and to a lesser extent about the resources you have.

> To that end, I am now considering a cluster approach using NFS as the primary filesystem and having a number of nodes all running JTR and all taking and putting data into the right files (this way, the load can be split). 

Bad idea, unless you'd do it for fun.  With just one hash to crack on
just a few systems, it'll be easier for you to run different attacks or
use the --node option on those nodes manually.  And no need for shared
storage.  You'll take the one cracked password from whatever system
cracks it.

> the man page is woefully underdocumented/incomplete.

Like I said, there's no official man page.  There's only Debian's.  Just
don't use it - use our documentation under doc/ instead - but then it's
probably too detailed.

> I will see if I can acquire a number of older machines

Bad idea, unless you'd do it for fun.  A factor of 10 or so difference
in speed is very unlikely to result in your password getting cracked.
In terms of improving your chances, your time is better spent on
adjusting the attacks you run.

Also, if you do want to buy extra hardware anyway, buy some recent GPUs
rather than some old machines.  And perhaps you already have some GPUs
you could use, as well.

> (something in the range of 8 to 10 years old as they are dirt cheap)

They're also slow and not worth your time, unless you'd do it for fun.
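
Added example, not part of the original message and not JtR code: a Python model of the candidate space that the "oi" rules quoted above cover for one remembered password (one overstrike or insert over 36 positions, two of the same kind over 15 positions). The function names and the sample word are hypothetical, and ordering and duplicate handling differ from what JtR itself emits.

```python
# Model of the "oi" rules for one remembered password (not JtR's own code).
CHARSET = [chr(c) for c in range(0x20, 0x7F)]  # same range as [ -~]
SINGLE_POSITIONS = 36  # [0-9A-Z] encodes positions 0..35
DOUBLE_POSITIONS = 15  # [0-9A-E] encodes positions 0..14


def overstrikes(word, positions):
    """oNX: replace the character at position N with X."""
    out = set()
    for n in range(min(len(word), positions)):
        for x in CHARSET:
            if x != word[n]:  # Q rejects a word the rule left unchanged
                out.add(word[:n] + x + word[n + 1:])
    return out


def inserts(word, positions):
    """iNX: insert X at position N; N == len(word) is modelled as an append."""
    out = set()
    for n in range(min(len(word) + 1, positions)):
        for x in CHARSET:
            out.add(word[:n] + x + word[n:])
    return out


def single_typos(word):
    """Lines 1-2 of the ruleset: one overstrike or one insert."""
    return overstrikes(word, SINGLE_POSITIONS) | inserts(word, SINGLE_POSITIONS)


def double_typos(word):
    """Lines 3-4 of the ruleset: two overstrikes, or two inserts (never mixed)."""
    two_o = {c2 for c1 in overstrikes(word, DOUBLE_POSITIONS)
             for c2 in overstrikes(c1, DOUBLE_POSITIONS)}
    two_i = {c2 for c1 in inserts(word, DOUBLE_POSITIONS)
             for c2 in inserts(c1, DOUBLE_POSITIONS)}
    return two_o | two_i


if __name__ == "__main__":
    remembered = "Passw0rd"  # constructed sample, not from the thread
    print(len(single_typos(remembered)), "single-typo candidates")
    print(len(double_typos(remembered)), "double-typo candidates")
```

The single-typo set grows linearly with word length, which is why the message calls this attack very quick against a fast hash.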

