Date: Fri, 31 Aug 2018 19:06:22 +0200
From: Solar Designer <>
Subject: Re: Cracking Long Passwords


On Fri, Aug 31, 2018 at 03:43:07PM +0000, NeonFlash wrote:
> Is there a way to know the restriction on password length for dictionary attacks supported by JtR?
> For example, if an archive (zip/rar) file has a password of length greater than 50, can JtR successfully crack it in dictionary attack mode if the correct password is present inside the dictionary?

You can use these commands:

./john --list=format-all-details --format=rar
./john --list=format-all-details --format=rar5
./john --list=format-all-details --format=pkzip
./john --list=format-all-details --format=zip

In my recent build of bleeding-jumbo, the output for RAR (which means
RAR3) includes:

Max. password length                 26

for RAR5:

Max. password length                 10 [worst case UTF-8] to 32 [ASCII]

for PKZIP:

Max. password length                 10 [worst case UTF-8] to 31 [ASCII]

and for ZIP (which means WinZip):

Max. password length                 41 [worst case UTF-8] to 125 [ASCII]

So length 50 in particular will likely work for ZIP aka WinZip, but not
for the rest of these.

For all of these we also get:

 Truncates at max. length            no

which means that unfortunately the limitation is ours rather than
inherent to the target file format.


P.S. You could want to avoid posting to mailing lists from Yahoo
addresses since your messages probably do not get through to some
subscribers (such as those on Google's mail servers, including everyone
on Gmail and more) due to Yahoo's strict DMARC policy:

$ host -t txt descriptive text "v=DMARC1\; p=reject\; pct=100\;\;"
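
Added example, not part of the original message and not code from John the Ripper: a Python script that parses the "Max. password length" lines quoted above and reports, per format, whether a given candidate is within the reported limit. The function names (`parse_max_length`, `classify`, `check_all`) are hypothetical, and the sample input is constructed from the four lines in the message.

```python
import re

# Constructed sample: the "Max. password length" lines quoted in the message,
# keyed by the --format= name each was reported for (bleeding-jumbo, Aug 2018).
REPORTED = {
    "rar":   "Max. password length                 26",
    "rar5":  "Max. password length                 10 [worst case UTF-8] to 32 [ASCII]",
    "pkzip": "Max. password length                 10 [worst case UTF-8] to 31 [ASCII]",
    "zip":   "Max. password length                 41 [worst case UTF-8] to 125 [ASCII]",
}

LINE_RE = re.compile(
    r"^\s*Max\. password length\s+(\d+)"
    r"(?:\s+\[worst case UTF-8\]\s+to\s+(\d+)\s+\[ASCII\])?\s*$"
)

def parse_max_length(details_text):
    """Return (worst_case_max, ascii_max) from format details text, or None."""
    for line in details_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            low = int(m.group(1))
            # A single number means one limit applies regardless of encoding.
            return low, int(m.group(2)) if m.group(2) else low
    return None

def classify(candidate, limits):
    """Say whether a candidate is within the reported limits.

    Takes John's reported figures at face value: at or below the worst-case
    figure always fits, above the ASCII figure never does.
    """
    low, high = limits
    n = len(candidate)
    if n <= low or (candidate.isascii() and n <= high):
        return "fits"
    if n > high:
        return "too long"
    return "depends on encoding"  # non-ASCII, between the two figures

def check_all(candidate, reported=REPORTED):
    """Map each format name to the verdict for this candidate."""
    return {fmt: classify(candidate, parse_max_length(text))
            for fmt, text in reported.items()}

if __name__ == "__main__":
    for fmt, verdict in check_all("x" * 50).items():
        print(f"{fmt:6} {verdict}")
```

Because these formats report "Truncates at max. length no", a candidate marked "too long" is one this build cannot test for that format at all.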
