Date: Tue, 7 Jan 2020 08:19:21 -0900
From: Royce Williams <>
Subject: Re: Questions regarding password mask creation

On Tue, Jan 7, 2020 at 7:41 AM Solar Designer <> wrote:

> On Sat, Jan 04, 2020 at 09:35:43AM +0100, Johny Krekan wrote:
> > Hello, I would like to ask
> > 1. Is it possible to make a mask in John which will define how many same
> > characters can be used in the same password candidate?
> No.  You can define an external mode filter for that.  In the simplest
> case, you can use the pre-existing external mode filters I posted here:
> > To make it clear: EWSA from Elcomsoft has the following two options in their
> > mask attack:
> > Limit max number of occurrences of a character in a password where you
> > can specify a number and limit number of consecutive occurrences of the
> > same character in a password where you also can specify a number.
> Ah, "consecutive".  The pre-existing external mode filters I referred to
> above are for repeated uses of the same character in general, without
> the requirement for the repeated character to be next to its previous
> instance.  Implementing the check like EWSA's as described above is even
> easier.  Why would you want to skip such candidate passwords, though?

In general, I've found that people want to skip consecutive sequences
because of a mistaken but understandable chain of reasoning:

1. They're trying to crack a password whose complexity requirements forbid
such consecutive sequences

2. Because those requirements are assumed to be based on cracking
resistance, both the asker and the original entity imposing the requirement
have a deep assumption that forbidding such sequences makes the password

3. The understandable (but incorrect) assumption from #2 is that if
forbidding consecutive sequences makes passwords stronger, skipping them
must significantly reduce the keyspace

In other words, people want to do it because it's been strongly implied all
along that skipping consecutive sequences will make attacks faster. But it
almost never does. (To be fair, there are other complexity requirements
that really *do* matter - this just happens to not be one of them).

Put another way: rather than delaying the inevitable conclusion by asking
the user to explain why they want to skip consecutive sequences, it's
probably better to jump straight to an abbreviated (even templated) version
of the reasoning above. (Either they'll understand it right away, or else
neither the reasoning summary nor the Socratic method is likely to yield

This won't be news to most of you, but I think it's important to point out.
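
Added example, not part of the original message or of John the Ripper: a Python sketch that counts how much of a mask keyspace each of the two limits quoted above (maximum consecutive run, maximum total occurrences of a character) removes. The 95-character alphabet and length 8 are a constructed case, and all function names are hypothetical.

```python
from itertools import groupby, product
from math import comb

def count_max_run(n, length, max_run):
    """Candidates of `length` over n symbols with no run longer than max_run."""
    # runs[r] = candidates built so far that end in a run of exactly r+1 equal symbols
    runs = [n] + [0] * (max_run - 1)
    for _ in range(length - 1):
        # a different symbol (n-1 choices) restarts the run; the same symbol
        # extends it by one, and runs already at max_run are dropped
        runs = [sum(runs) * (n - 1)] + runs[:-1]
    return sum(runs)

def count_max_occurrences(n, length, max_occ):
    """Candidates in which no symbol is used more than max_occ times in total."""
    ways = [1] + [0] * length  # ways[j]: placements filling j positions so far
    for _ in range(n):  # decide, symbol by symbol, how many positions it takes
        nxt = [0] * (length + 1)
        for filled, w in enumerate(ways):
            for c in range(min(max_occ, length - filled) + 1):
                nxt[filled + c] += w * comb(length - filled, c)
        ways = nxt
    return ways[length]

def brute_force(n, length, max_run=None, max_occ=None):
    """Enumerate every candidate (tiny n only) to cross-check the counters."""
    kept = 0
    for cand in product(range(n), repeat=length):
        longest = max(len(list(g)) for _, g in groupby(cand))
        most = max(cand.count(s) for s in set(cand))
        if (max_run is None or longest <= max_run) and \
           (max_occ is None or most <= max_occ):
            kept += 1
    return kept

def fraction_skipped(kept, n, length):
    """Share of the full n**length mask keyspace that the limit removes."""
    return 1 - kept / n ** length

if __name__ == "__main__":
    n, length = 95, 8  # constructed case: 95 printable ASCII symbols, 8 positions
    for k in (1, 2, 3):
        kept = count_max_run(n, length, k)
        print(f"max run {k}: {fraction_skipped(kept, n, length):.4%} skipped")
    for m in (1, 2, 3):
        kept = count_max_occurrences(n, length, m)
        print(f"max occurrences {m}: {fraction_skipped(kept, n, length):.4%} skipped")
```
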

