Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 17 Mar 2023 12:58:41 +0100
From: Albert Veli <albert.veli@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: Looking for input

KeePassXC should generate good quality passwords. Was it the password
generator or the passphrase generator? I guess pass phrases might be
possible to crack depending on how many words the phrase is based on. But
over 20 random characters, that is impossible no matter which software you
use. The only way you could recover this is if you can extract
the passwords from keepass. See
https://www.cvedetails.com/cve/CVE-2023-24055/

//Albert

On Wed, Mar 15, 2023 at 10:11 AM Nate Widmyer <touring_fan@....com> wrote:

> Hello Lukas,
>
> I think I understand what you mean -- to find if there are vulnerabilities
> to the password generator, ways in which it may be predictable.
>
> I see in the code now that there are modes to use, like exclude lookalike
> characters.
> I'll look into the code more to see if I can find more, and how my use of
> the app might have configured the generator.
>
> Thanks,
> Nate
>
> ________________________________
> From: Lukas Odzioba <lukas.odzioba@...il.com>
> Sent: Tuesday, March 14, 2023 7:52 PM
> To: john-users@...ts.openwall.com <john-users@...ts.openwall.com>
> Subject: Re: [john-users] Looking for input
>
> Hi Nate,
> I am affraid that the main obstacle for recovering password is simply the
> search space. a-zA-Z0-9 gives us 62 posibilities for each position, 62 to
> the power of 20 assuming no other heuristics to limit the search space is
> huge number and it is close to imposible to recover it. Length limit of the
> JtR in this format is not the main problem to solve here. What could
> potentially help os would be broken password generator used to create the
> password, but it is just another way of saying that you need to limit the
> search space to even have a chance.
> Thanks,
> Lukas
>
> wt., 14 mar 2023, 23:44 użytkownik Nate Widmyer <touring_fan@....com>
> napisał:
>
> > Hello,
> >
> > I'm trying to recover a password to three 7-zip archives that I made,
> > which I created all in the same way, using 7zip with SHA-256 encryption.
> > I got JTR running to the point where JTR starts and begins processing,
> but
> > it's going to take forever to try everything, but since I encrypted it, I
> > know what the parameters that were used to generate the passwords to
> narrow
> > down the search size.
> >
> > * password was definitely between 20 - 30 characters. I know standard JTR
> > builds use 24 chars as compiled limit, so this means a custom build,
> which
> > I may be able to manage after creating a development environment, which
> > takes time. I'd probably like to split the password input into 4 runs (in
> > decreasing order of probability of use): 22-25 chars, 20 and 21 chars, 26
> > chars, 27-30 chars.
> > * password was generated via KeePassXC password generation, with A-Z,
> a-z,
> > 0-9 and specials character classes, but no extended ASCII. I believe JTR
> > only deals in ASCII anyway. That means no dictionary attacks needed, just
> > lots of random chars.
> >
> > I figure I need:
> > 1. a build of JTR that can support 30 chars. I know getting it to run on
> a
> > GPU is preferable.
> > 2. maybe do it in AWS and get it off of my machine. I saw announcements
> > about JTR AMI, but that build may be limited to 24 chars.
> > 3. some way to provide possible passwords (on the fly?) for JTR, starting
> > from this source:
> >
> >
> https://github.com/keepassxreboot/keepassxc/blob/2.7.1/src/core/PasswordGenerator.h
> >
> >
> https://github.com/keepassxreboot/keepassxc/blob/2.7.1/src/core/PasswordGenerator.cpp
> >
> > but probably needs to express the # of total possibilities, etc...
> >
> >
> > What else am I missing that's going to turn this into more of an
> > impossible task?
> >
> > I tried to look for other people trying to do the same sort of thing, but
> > nothing seemed obvious and I'm pretty new to this.
> >
> > Thanks,
> > Nate
> >
>

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.