Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 12 Dec 2018 07:51:19 -0500
From: Rich Rumble <richrumble@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: Just tell me the password's crackable, not what it is?

On Wed, Dec 12, 2018 at 7:45 AM Knight, Tom <tom.knight@....ac.uk> wrote:

> Hi all.
>
> I've looked through the FAQ, wiki and had a small search of this list and
> not seen the answer, so I need to ask. Please be patient if this sounds
> obvious or daft.
>
> I'd like to audit the passwords held on my system, but I don't want to
> know what the passwords are.
>
> Someone suggested JtR had an option to show how long it took to crack each
> password but without having the ability to store the plaintext. Just say
> "Yes, I did it, it was easy" or similar. With this information I could
> inform users there's a problem, and (basically) cover my back. There's lots
> of trust here (like I can do all the things you'd expect a sysadmin to be
> capable of), but as soon as I actually know a password I start feeling
> uncomfortable, and given people *still* reuse them I'd expect them to too...
>
> Feel free to point me to the fine manual if I've missed that bit!
>
It's not easy to find, but Securemode sounds closest to your needs found in
John.conf, turn it to Y.
# If set to Y, do not output, log or store cracked passwords verbatim.
# This implies a different default .pot database file "secure.pot" instead
# of "john.pot" but it can still be overridden using --pot=FILE.
# This also overrides other options, e.g. LogCrackedPasswords.
SecureMode = N
-rich

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.