Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 15 Mar 2021 21:02:19 +0100
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: password patterns (was: Multi-gpu setup)

On Sun, Mar 14, 2021 at 04:55:55PM +0100, Micha?? Majchrowicz wrote:
> Ok no problem, I will keep the node value below 100. I have thought
> how to perform this test and I think best would be to use set of 6
> hashes. From those 4 we already know can benefit from passwords
> patterns as that's how they were cracked. Other 2 we don't know what
> they are but we already know what they are not and potentially they
> should follow some pattern anyways (if not completely random, but
> doubt that).

I'd recommend testing on many more hashes, but I don't know if you can
obtain many more matching your criteria (from IoT devices?)

> I have noted what tests I have already performed so I
> know more or less how long it took to crack them (I can do more
> precise calculations on later by simply replaying same sessions)
> therefore I think running incremental mode for a week should be enough
> to test those assertions. By the way incremental mode also supports
> sessions? Ergo I could resume in case of power shortage or something
> else keeping node and other settings? Probably pointless question but
> wanted to make sure there isn't any bug related to session and
> incremental mode? :)

All modes support session restore.  No known bugs for incremental mode.

> In the future I will have generate a set of
> passwords following different passwords patterns and check how
> incremental mode handles those in comparison to "manual way" :) For

Incremental mode follows patterns seen in the passwords it was trained
on.  The supplied .chr files were trained on RockYou.  If your patterns
are similar, they should work well.  If your patterns are very
different, you'll need to re-train on those for it to work well.

> that i will book time on more modern hardware to speed the test up but
> for now I think for now this test will me rough idea on how those two
> compare. I think I didn't miss anything important planning this test.
> However if you have any suggestions on how to do this run, please let
> me know.

I suggest you don't "book time on more modern hardware to speed the test
up", but instead use a faster and unsalted hash type, then scale your
attack duration to your target scenario by the observed p/s figures.

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.