Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 6 Sep 2021 17:39:17 +0200
From: Solar Designer <>
To: Yan Ngusu <>
Subject: Re: crack passphrase in the browsers

Hi Yan,

On Wed, Sep 01, 2021 at 04:09:30PM +0200, Yan Ngusu wrote:
> I know that when you lose your passe phrase, the best thing to do is to
> create a new account.
> But, I've some users, they didn't share some of their passwords, but they
> lost the passphrase.
> So, My questions is:
> 1. There's not another way to recover the account without creating it?

If you administer the system/service where those user accounts are
registered, then you can reset their passwords for them (provided that
you authenticate the people in some other way).

> 2. If Jhon the ripper can help to crack the password on a file, can it do
> the same for a passphrase in the browsers? If Yes, how please?

I don't know what exactly you mean by doing it "in the browsers".

If you mean the user saved their passwords in a web browser, but forgot
the master password for the browser's password storage, then a suitable
JtR "format" could be used to try and recover the master password (if
that password is weak or partially known).  See doc/README.mozilla.

If you mean probing passwords against a remote service via a web
browser, then JtR can not be used for this.  A tool that does something
like this (but not exactly) is THC Hydra (and JtR can be used to feed
candidate passwords into it), but this is generally pointless and could
cause trouble and get you in trouble.  To use a tool like this you need
authorization from whoever runs the service, but they could simply reset
the password(s) for you.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.