Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 13 May 2019 00:06:56 +0300
From: Aleksey Cherepanov <lyosha@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: team john-users write-up for CracktheCon contest at CypherCon 2019

Aleksey Cherepanov <lyosha@...nwall.com> writes:
> Aleksey Cherepanov <lyosha@...nwall.com> writes:
>> Duplicate character 3 times for every position, for positions 0-35:
> [...]
>> Just to demonstrate endless possibilities of rules, there is the same
>> rule for positions 0-124, i.e. up to max length (but position 124 is not
>> meaningful for duplication):
>> $ echo 123 | john --pipe --stdout 2>/dev/null \
>>   --rules=': vc0V vccV vd0c vccV vc0c vb0[0Vdc] va[0-9A-V]b >a Xa1a Xa1a'
>> 11123
>> 12223
>> 12333
>
> Minor mistake in this rule: there is 1 position overlap between internal
> packs (e.g. 0+V vs V+0), but sequential dupe suppression hides it, so
> there are no dupes during hashing.
>
> So the rule should be the following:
> --rules=': vc0V vccV vd0c vccV vc0c vb0[0Vdc] va[0-9A-U]b >a Xa1a Xa1a'
>
> The change is 'U' in 'va[0-9A-U]b'.
>
> It covers positions 0-123.

For bcrypt, max length is 72 bytes. The format truncates longer
candidates. So it may be interesting to reduce the rule. (I'll skip it
to avoid further mistakes...)

$ john --format=bcrypt --list=format-all-details
Format label                         bcrypt
[...]
Max. password length                 24 [worst case UTF-8] to 72 [ASCII]
[...]
 Truncates at max. length            yes
[...]

This truncation reflects correct real world behaviour. Shorter
bounds for truncations existed too[1].
[1] https://twitter.com/solardiz/status/1075352341287747585

Thanks!

--
Regards,
Aleksey Cherepanov

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.