Date: Tue, 7 Jan 2020 08:19:21 -0900
From: Royce Williams <royce@...ho.org>
To: john-users@...ts.openwall.com
Subject: Re: Questions regarding password mask creation

On Tue, Jan 7, 2020 at 7:41 AM Solar Designer <solar@...nwall.com> wrote:
> On Sat, Jan 04, 2020 at 09:35:43AM +0100, Johny Krekan wrote:
> > Hello, I would like to ask
> > 1. Is it possible to make a mask in John which will define how many of the same
> > characters can be used in the same password candidate?
>
> No. You can define an external mode filter for that. In the simplest
> case, you can use the pre-existing external mode filters I posted here:
>
> https://www.openwall.com/lists/john-users/2019/11/13/2
>
> > To make it clear: EWSA from Elcomsoft has the following two options in their
> > mask attack:
> > Limit max number of occurrences of a character in a password, where you
> > can specify a number, and limit number of consecutive occurrences of the
> > same character in a password, where you also can specify a number.
>
> Ah, "consecutive". The pre-existing external mode filters I referred to
> above are for repeated uses of the same character in general, without
> the requirement for the repeated character to be next to its previous
> instance. Implementing the check like EWSA's as described above is even
> easier. Why would you want to skip such candidate passwords, though?

In general, I've found that people want to skip consecutive sequences
because of a mistaken but understandable chain of reasoning:

1. They're trying to crack a password whose complexity requirements
   forbid such consecutive sequences

2. Because those requirements are assumed to be based on cracking
   resistance, both the asker and the original entity imposing the
   requirement have a deep assumption that forbidding such sequences
   makes the password stronger

3. The understandable (but incorrect) assumption from #2 is that if
   forbidding consecutive sequences makes passwords stronger, skipping
   them must significantly reduce the keyspace

In other words, people want to do it because it's been strongly implied
all along that skipping consecutive sequences will make attacks faster.
But it almost never does. (To be fair, there are other complexity
requirements that really *do* matter - this just happens to not be one
of them).

Put another way: rather than delaying the inevitable conclusion by
asking the user to explain why they want to skip consecutive sequences,
it's probably better to jump straight to an abbreviated (even templated)
version of the reasoning above. (Either they'll understand it right
away, or else neither the reasoning summary nor the Socratic method is
likely to yield enlightenment.)

This won't be news to most of you, but I think it's important to point
out.

Royce
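As an added illustration (not code from the thread, and plain C rather than John's C-like external mode language, to which the filter logic ports almost directly): the two EWSA-style checks the original poster described, written as a candidate filter, plus a brute-force count over the small `?l?l?l?l` mask showing how little keyspace a "no more than two consecutive identical characters" rule actually removes. The function names and the cap values are this example's own assumptions.

```c
/* Added example: models the two EWSA-style checks as a candidate filter,
 * then measures how little of a small mask keyspace the consecutive-run
 * rule skips. Not JtR external mode syntax, just its logic in plain C. */
#include <stdio.h>

/* Return 1 if the candidate passes, 0 if it should be skipped.
 * max_run:   longest allowed run of the same character back to back
 * max_total: most times any single character may appear anywhere */
int candidate_ok(const char *w, int max_run, int max_total)
{
    int count[256] = {0};       /* per-byte occurrence counter */
    int run = 0;                /* length of the current identical run */
    unsigned char last = 0;     /* previous byte, 0 before the first one */
    for (const unsigned char *p = (const unsigned char *)w; *p; p++) {
        run = (*p == last) ? run + 1 : 1;
        last = *p;
        if (run > max_run) return 0;          /* consecutive rule */
        if (++count[*p] > max_total) return 0; /* total-occurrence rule */
    }
    return 1;
}

/* Enumerate every ?l?l?l?l candidate (26^4 = 456976) and count how many
 * a "no more than max_run consecutive" filter would drop. The total cap
 * is set high so only the consecutive rule is measured. */
long count_skipped_lower4(int max_run)
{
    char w[5] = {0};
    long skipped = 0;
    for (int a = 0; a < 26; a++)
        for (int b = 0; b < 26; b++)
            for (int c = 0; c < 26; c++)
                for (int d = 0; d < 26; d++) {
                    w[0] = 'a' + a; w[1] = 'a' + b;
                    w[2] = 'a' + c; w[3] = 'a' + d;
                    if (!candidate_ok(w, max_run, 99)) skipped++;
                }
    return skipped;
}

int main(void)
{
    long skipped = count_skipped_lower4(2);
    /* prints: skipped 1326 of 456976 (0.29%) */
    printf("skipped %ld of 456976 (%.2f%%)\n",
           skipped, 100.0 * skipped / 456976);
    return 0;
}
```

Dropping runs of three or more identical letters removes 1326 of 456976 four-letter lowercase candidates, about 0.29% of the mask, which is the point Royce makes about the keyspace reduction being negligible.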