Date: Thu, 9 Nov 2023 11:28:23 -0500 From: Matt Weir <cweir@...edu> To: john-users@...ts.openwall.com Subject: Re: 1password memorable passwords The most recent "Crack Me If You Can" password cracking competition had a similar challenge, and in my write-up I talked about cracking Correct Horse Battery Staple near the end of it. Here's a link to that blog post: https://reusablesec.blogspot.com/2023/08/hashcat-tips-and-tricks-for-hacking.html I know that this is a John the Ripper mailing list, so my apologies for talking about another tool, but Hashcat might scale a bit better for the problem you are trying to solve. I will say, hopefully your password is only three words long. Four words, while theoretically crackable, will require a lot of resources and time. Here is a writeup 1password put out regarding a password cracking competition they ran specifically targeting their password suggestion algorithm: https://blog.1password.com/cracking-challenge-update/ Even three words is tough for most people's setups. If you can happen to remember one of the words though, it can become a much more solvable problem. Long story short, hate to be the bearer of bad news, but if you can't remember more of your password, you probably are not going to be able to crack it. Cheers, Matt / Lakiw On Thu, Nov 9, 2023 at 9:32 AM magnum <magnumripper@...hmail.com> wrote: > On 2023-11-09 10:53, Jimmy Yuen Ho Wong wrote: > > I'm only trying to generate a rainbow table using 1password's memorable > > password rule. > > A rainbow table is something vastly different and the term should not be > misused. You are merely compiling a wordlist! > > > 1password's memorable password rule is basically the XKCD 936 rule - each > > word is randomly picked from a list of 18342 words, each word is at most > 8 > > characters long, and the password is 3 to 4 words long separated by > > hyphens. There are 2^56 combos and obviously I can't generate this > wordlist > > on disk. > > Any way you generate it can instead be used directly by a cracker, so > storing it on disk is not needed anyway. > > > I've looked at external modes and it's not obvious to me how the mini > > language handles such a large wordlist. It doesn't look like it supports > > C-strings, 2d arrays or reading a file either. Is there a smarter way to > > configure and/or script JtR such that it batches and streams a > continuously > > generated wordlist without me writing a whole different mode? > > For a slow mode such as DMG, a trivial perl script is probably just fine > (you may even be able to find similar such scripts in this list's > archives). We have a PRINCE cracking mode that could almost do what you > need with the 18K words list as input. But it lacks support for putting > the hyphens inbetween words, and if we try to work around that by > appending a hyphen to each input word, we instead hit the max length > limit (would need 35 for 4*8+3 while max for PRINCE is 32). > > Or you could persuade someone to fix > https://github.com/openwall/john/issues/2268 (which would also fix > https://github.com/hashcat/princeprocessor/issues/49) - that would solve > the problem canonically and it should actually be pretty trivial. Alas, > I do not have time for it. > > In case you write or find a script/tool that outputs the candidates to > stdout, you'll just pipe it like this: > > some_tool | ./john dmghash.txt -stdin > > magnum > > >
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.