Date: Wed, 12 Dec 2018 07:51:19 -0500
From: Rich Rumble <richrumble@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: Just tell me the password's crackable, not what it is?

On Wed, Dec 12, 2018 at 7:45 AM Knight, Tom <tom.knight@....ac.uk> wrote:

> Hi all.
>
> I've looked through the FAQ, wiki and had a small search of this list and
> not seen the answer, so I need to ask. Please be patient if this sounds
> obvious or daft.
>
> I'd like to audit the passwords held on my system, but I don't want to
> know what the passwords are.
>
> Someone suggested JtR had an option to show how long it took to crack each
> password but without having the ability to store the plaintext. Just say
> "Yes, I did it, it was easy" or similar. With this information I could
> inform users there's a problem, and (basically) cover my back. There's lots
> of trust here (like I can do all the things you'd expect a sysadmin to be
> capable of), but as soon as I actually know a password I start feeling
> uncomfortable, and given people *still* reuse them I'd expect them to too...
>
> Feel free to point me to the fine manual if I've missed that bit!
>

It's not easy to find, but Securemode sounds closest to your needs found in
John.conf, turn it to Y.

# If set to Y, do not output, log or store cracked passwords verbatim.
# This implies a different default .pot database file "secure.pot" instead
# of "john.pot" but it can still be overridden using --pot=FILE.
# This also overrides other options, e.g. LogCrackedPasswords.
SecureMode = N

-rich