Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 7 Jan 2020 17:41:05 +0100
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: Questions regarding password mask creation

Hi,

On Sat, Jan 04, 2020 at 09:35:43AM +0100, Johny Krekan wrote:
> Hello, I would like to ask
> 1. Is it possible to make mask in John which will define how many same 
> characters can be used in the same password candidate?

No.  You can define an external mode filter for that.  In the simplest
case, you can use the pre-existing external mode filters I posted here:

https://www.openwall.com/lists/john-users/2019/11/13/2

> To make it clear:EWSA from Elcomsoft has following two options in their 
> mask attack:
> Limit max number of occurences of a characters in a password where you 
> can specify a number andd limit number of consecutive occurences of the 
> same character in a password where you also can specify a number.

Ah, "consecutive".  The pre-existing external mode filters I referred to
above are for repeated uses of the same character in general, without
the requirement for the repeated character to be next to its previous
instance.  Implementing the check like EWSA's as described above is even
easier.  Why would you want to skip such candidate passwords, though?

> 2. How can I compute total number of passwords when for example i will 
> try 6 character long passwords composed of small latin letters (in 
> normal situation 26^6) but I will force those skipping parameters and I 
> will set the number of consecutive occurences to 2 and limit use of same 
> character in password to 2 as well.

We can come up with formulas for that, but for practical purposes if
you're going to use this for WPA-PSK and intend to run an attack to
completion, for a realistic attack you can quickly generate and count
the candidate passwords e.g. with:

./john --mask='?l?l?l?l?l?l' --external=Filter_NoRepeats --stdout | wc -l

However, length 6 is too short for WPA-PSK.  So what is your use case?

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.