Date: Sat, 21 Sep 2019 07:55:04 -0400
From: David Coleman <>
Subject: Re: Rules for Known Password Structure

Thanks for the info.  I was afraid that was the case.

> On Sep 21, 2019, at 7:19 AM, Solar Designer <> wrote:
>> On Fri, Sep 20, 2019 at 08:54:37PM +0000, Dave Coleman wrote:
>> I have the following known passwords:
>> ss15-vyp1wh1k1qeh82sm20-4d44qfek1zjnvsm26-hp3iibat127n6sm27-n6fqycthh3mcd
> A password like this is way too long to crack even if you target its
> specific pattern.  You're out of luck cracking anything like this unless
> you have additional information or there's a vulnerability in the
> password generator program, which you'd then need to have someone
> research and exploit for you.
>> I would like to create a rule for these known passwords to find an unknown password, but don't know where to start.
>> I saw a prior post with these commands:
>>    const std::string one    = "Ll";
>>    const std::string two    = "o0";
>>    const std::string three    = all;
>>    const std::string four    = all;
>>    const std::string five    = "-_";
>>    const std::string six    = all;
>>    const std::string seven    = all;
>>    const std::string eight    = "nN";
>> However, I'm not sure where to edit/insert/create this text, or if this is even proper syntax.
>> Can someone point me in the right direction?
> What you found isn't a syntax you should use.  Please disregard that
> "prior post" you found, it would merely continue to confuse you.
> If you had a chance of cracking that password (which you almost
> certainly don't), then you'd use "mask mode" for this, and the syntax
> would be something like:
>> My thoughts for this rule:
>> - 18 characters total
>> - lowercase s for the first character
>> - lowercase s or m for the second character
>> - numeric characters for characters 4 and 5
>> - a '-' for character 5
>> - lowercase letters and numbers for the remaining characters
> ./john -2='?d?l' --mask='s[sm]?d?d-?2?2?2?2?2?2?2?2?2?2?2?2?2?2?2?2?2?2-?2?2?2?2?2?2?2?2?2?2?2?2?2?2?2?2?2-?2?2?2?2?2?2?2?2?2?2?2?2?2?2?2?2?2-?2?2?2?2?2?2?2?2?2?2?2?2?2' hash.txt
> You do not need to edit john.conf, nor any other file.
> But your chances of actually cracking a password with this are
> practically non-existent, so there's no point even trying.
> Alexander
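
To put a number on "practically non-existent", the following added example (not part of the original thread and not John the Ripper's own code) counts the candidates generated by the mask quoted above. It parses only a subset of mask syntax (literals, ?l ?u ?d, custom ?1-?9 placeholders, bracket sets); the function names and the guess rate are assumptions made for illustration.

```python
import string

# Subset of John the Ripper mask placeholders: ?l, ?u, ?d.
BUILTIN = {"l": string.ascii_lowercase, "u": string.ascii_uppercase, "d": string.digits}

def expand_set(spec, custom):
    """Expand a charset spec such as '?d?l' or 'a-f' into a set of characters."""
    chars, i = set(), 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            key = spec[i + 1]
            chars |= set(BUILTIN[key] if key in BUILTIN else custom[key])
            i += 2
        elif i + 2 < len(spec) and spec[i + 1] == "-":
            chars |= {chr(c) for c in range(ord(spec[i]), ord(spec[i + 2]) + 1)}
            i += 3
        else:
            chars.add(spec[i])
            i += 1
    return chars

def mask_keyspace(mask, custom_specs=None):
    """Count the candidates a mask generates (literals contribute a factor of 1)."""
    custom = {}
    for key, spec in (custom_specs or {}).items():
        custom[key] = expand_set(spec, custom)
    total, i = 1, 0
    while i < len(mask):
        if mask[i] == "[":
            end = mask.index("]", i)
            total *= len(expand_set(mask[i + 1:end], custom))
            i = end + 1
        elif mask[i] == "?" and i + 1 < len(mask):
            total *= len(expand_set(mask[i:i + 2], custom))
            i += 2
        else:
            i += 1
    return total

# Mask and -2 charset copied from the reply above.
MASK = "s[sm]?d?d-?2?2?2?2?2?2?2?2?2?2?2?2?2?2?2?2?2?2-?2?2?2?2?2?2?2?2?2?2?2?2?2?2?2?2?2-?2?2?2?2?2?2?2?2?2?2?2?2?2?2?2?2?2-?2?2?2?2?2?2?2?2?2?2?2?2?2"
CUSTOM = {"2": "?d?l"}
GUESSES_PER_SECOND = 1e12  # assumed rate for illustration only

def years_to_exhaust(keyspace, rate=GUESSES_PER_SECOND):
    return keyspace / rate / (365 * 24 * 3600)

if __name__ == "__main__":
    ks = mask_keyspace(MASK, CUSTOM)
    print(f"{ks:.3e} candidates, {years_to_exhaust(ks):.3e} years at the assumed rate")
```

Each ?2 position multiplies the candidate count by 36, so the fixed prefix and dashes barely reduce the search space.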
