Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 15 Oct 2018 21:44:16 -0700
From: Eric Oyen <eric.oyen@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: Beat JTR to the punch! :)

Alexander,
Well, I say my Mac mini isn’t exactly up to snuff here. It’s only capable of just under 1k hashes per second. :( so, even when properly focused, it would have taken rather some time (considerably less than the 13 million years called for in the time estimate) but still….

And yes, I will keep that mask on hand for future reference. :)

-Eric


> On Oct 15, 2018, at 9:19 AM, Solar Designer <solar@...nwall.com> wrote:
> 
> Hi Eric,
> 
> I'm happy to hear you managed to recall that password.  For others
> reading this, it was previously discussed in these threads:
> 
> https://www.openwall.com/lists/john-users/2018/05/01/3
> https://www.openwall.com/lists/john-users/2018/05/03/4
> 
> On Mon, Oct 15, 2018 at 08:21:07AM -0700, Eric Oyen wrote:
>> It was 13 characters. In fact, this was the user account password on my Mac: H4mr4d!0NLZZ7
> 
> Well, this doesn't exactly match the pattern you recalled before, but
> it's very close.  The first mask I suggested in the May 3 posting was:
> 
> --mask='[Hh][aA4][mM]r[aA4][dD][iI!][oO0][nNzZ][7L][nNzZ][nNzZ][tT]'
> 
> It misses your password because it only tries "t" and "T" for the last
> character, not "7".  Adding "7" in there hits your password instantly:
> 
> $ ./john --mask='[Hh][aA4][mM]r[aA4][dD][iI!][oO0][nNzZ][7L][nNzZ][nNzZ][tT7]' --stdout | fgrep -n 'H4mr4d!0NLZZ7'
> Press 'q' or Ctrl-C to abort, almost any other key for status
> 247493:H4mr4d!0NLZZ7
> 248832p 0:00:00:00 100.00% (2018-10-15 19:05) 3554Kp/s h4Mr4D!0ZLZZ7
> 
> And so does this two-step approach with the originally posted mask:
> 
> $ ./john --mask='[Hh][aA4][mM]r[aA4][dD][iI!][oO0][nNzZ][7L][nNzZ][nNzZ][tT]' --stdout > w
> Press 'q' or Ctrl-C to abort, almost any other key for status
> 165888p 0:00:00:00 100.00% (2018-10-15 19:06) 2073Kp/s h4Mr4D!0ZLZZT
> 
> $ ./john -w=w --external=leet --stdout | fgrep -n 'H4mr4d!0NLZZ7'
> Press 'q' or Ctrl-C to abort, almost any other key for status
> 919103:H4mr4d!0NLZZ7
> 919318:H4mr4d!0NLZZ7
> 919970:H4mr4d!0NLZZ7
> 920039:H4mr4d!0NLZZ7
> 922087:H4mr4d!0NLZZ7
> 922158:H4mr4d!0NLZZ7
> 922362:H4mr4d!0NLZZ7
> 922383:H4mr4d!0NLZZ7
> 924617:H4mr4d!0NLZZ7
> 924724:H4mr4d!0NLZZ7
> 925040:H4mr4d!0NLZZ7
> 925073:H4mr4d!0NLZZ7
> 926037:H4mr4d!0NLZZ7
> 926072:H4mr4d!0NLZZ7
> 926164:H4mr4d!0NLZZ7
> 926173:H4mr4d!0NLZZ7
> 1370112p 0:00:00:00 100.00% (2018-10-15 19:09) 1670Kp/s h@...D!0ZLZZT
> 
> This also hits your password promptly, albeit not instantly:
> 
> $ ./john -w=w --rules=oi --stdout | fgrep -n 'H4mr4d!0NLZZ7'
> Press 'q' or Ctrl-C to abort, almost any other key for status
> 185129669:H4mr4d!0NLZZ7
> 185212613:H4mr4d!0NLZZ7
> 260223068p 0:00:00:19 0.04% (ETA: 08:24:07) 13420Kp/s haMrAdI0z7NNt
> Session aborted
> 
> As you can see, some of these approaches produce duplicates.  When
> attacking a slow hash we'd try to avoid that e.g. by using JtR's
> "unique" program, but for a fast hash this is fine.
> 
>> SO, this proves a couple of things:
>> 1. I need a good password cracking machine to do this on (A Mac mini is nowhere near sufficient enough)
> 
> No, this doesn't prove that.  If anything, it proves that it's very
> important to focus the attacks, but not focus them too much.
> 
>> 2. I still have a good memory, even if it takes me 3 or more months to recover 1 item of data buried in the mass of near total recall that I have.
> 
> Sure.
> 
>> So, what do you guys think of the level of complexity of the given password?
> 
> As always, what level of complexity is appropriate varies by use case
> and threat model, and whether/how password complexity affects cracking
> depends on what information the attacker has.
> 
> Alexander


Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.