Date: Mon, 13 May 2019 00:06:56 +0300
From: Aleksey Cherepanov <>
Subject: Re: team john-users write-up for CracktheCon contest at CypherCon 2019

Aleksey Cherepanov <> writes:
> Aleksey Cherepanov <> writes:
>> Duplicate character 3 times for every position, for positions 0-35:
> [...]
>> Just to demonstrate endless possibilities of rules, there is the same
>> rule for positions 0-124, i.e. up to max length (but position 124 is not
>> meaningful for duplication):
>> $ echo 123 | john --pipe --stdout 2>/dev/null \
>>   --rules=': vc0V vccV vd0c vccV vc0c vb0[0Vdc] va[0-9A-V]b >a Xa1a Xa1a'
>> 11123
>> 12223
>> 12333
> Minor mistake in this rule: there is 1 position overlap between internal
> packs (e.g. 0+V vs V+0), but sequential dupe suppression hides it, so
> there are no dupes during hashing.
> So the rule should be the following:
> --rules=': vc0V vccV vd0c vccV vc0c vb0[0Vdc] va[0-9A-U]b >a Xa1a Xa1a'
> The change is 'U' in 'va[0-9A-U]b'.
> It covers positions 0-123.

For bcrypt, max length is 72 bytes. The format truncates longer
candidates. So it may be interesting to reduce the rule. (I'll skip it
to avoid further mistakes...)

$ john --format=bcrypt --list=format-all-details
Format label                         bcrypt
Max. password length                 24 [worst case UTF-8] to 72 [ASCII]
 Truncates at max. length            yes

This truncation reflects correct real world behaviour. Shorter
bounds for truncations existed too[1].


Aleksey Cherepanov
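
Added example, not part of the original message and not John the Ripper code: a small Python model of the truncation point above. It imitates the visible effect of the quoted rule (the character at each position 0-123 appears three times) and cuts every candidate at 72 bytes to show which positions still change what bcrypt would hash; the function names and the 100-character sample word are constructed for illustration.

```python
from typing import Optional

BCRYPT_MAX_BYTES = 72  # "Max. password length ... 72 [ASCII]" in the output above


def triple_at(word: str, pos: int) -> Optional[str]:
    """Model the rule's visible effect: the character at `pos` appears 3 times.

    Returns None when the word has no character at `pos`, matching the
    three-line output shown for the input 123.
    """
    if pos >= len(word):
        return None
    return word[:pos] + word[pos] * 3 + word[pos + 1:]


def effective_key(candidate: str) -> bytes:
    """Bytes a format that truncates at 72 bytes would actually hash."""
    return candidate.encode("utf-8")[:BCRYPT_MAX_BYTES]


def survey(word: str, positions=range(124)):
    """Return (candidates, distinct keys, positions that add nothing for bcrypt)."""
    plain = effective_key(word)
    keys, wasted, total = set(), [], 0
    for pos in positions:
        cand = triple_at(word, pos)
        if cand is None:
            continue
        total += 1
        key = effective_key(cand)
        if key == plain:
            wasted.append(pos)  # same bytes as the unmodified word
        keys.add(key)
    return total, len(keys), wasted


if __name__ == "__main__":
    word = "abcdefghij" * 10  # constructed 100-character ASCII sample
    total, distinct, wasted = survey(word)
    print(f"{total} candidates, {distinct} distinct after truncation")
    print(f"positions with no effect: {wasted[0]}-{wasted[-1]}")
```

For the sample word, positions 71-99 yield the same 72 bytes as the unmodified word, so 100 candidates collapse to 72 distinct keys.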
