Date: Thu, 9 Nov 2023 11:28:23 -0500
From: Matt Weir <>
Subject: Re: 1password memorable passwords

The most recent "Crack Me If You Can" password cracking competition had a
similar challenge, and in my write-up I talked about cracking Correct Horse
Battery Staple near the end of it. Here's a link to that blog post:

I know that this is a John the Ripper mailing list, so my apologies for
talking about another tool, but Hashcat might scale a bit better for the
problem you are trying to solve. I will say, hopefully your password is
only three words long. Four words, while theoretically crackable, will
require a lot of resources and time. Here is a writeup 1password put out
regarding a password cracking competition they ran specifically targeting
their password suggestion algorithm:

Even three words is tough for most people's setups. If you can happen to
remember one of the words though, it can become a much more solvable

Long story short, hate to be the bearer of bad news, but if you can't
remember more of your password, you probably are not going to be able to
crack it.

Matt / Lakiw

On Thu, Nov 9, 2023 at 9:32 AM magnum <> wrote:

> On 2023-11-09 10:53, Jimmy Yuen Ho Wong wrote:
> > I'm only trying to generate a rainbow table using 1password's memorable
> > password rule.
> A rainbow table is something vastly different and the term should not be
> misused. You are merely compiling a wordlist!
> > 1password's memorable password rule is basically the XKCD 936 rule - each
> > word is randomly picked from a list of 18342 words, each word is at most 8
> > characters long, and the password is 3 to 4 words long separated by
> > hyphens. There are 2^56 combos and obviously I can't generate this wordlist
> > on disk.
> Any way you generate it can instead be used directly by a cracker, so
> storing it on disk is not needed anyway.
> > I've looked at external modes and it's not obvious to me how the mini
> > language handles such a large wordlist. It doesn't look like it supports
> > C-strings, 2d arrays or reading a file either. Is there a smarter way to
> > configure and/or script JtR such that it batches and streams a continuously
> > generated wordlist without me writing a whole different mode?
> For a slow mode such as DMG, a trivial perl script is probably just fine
> (you may even be able to find similar such scripts in this list's
> archives).  We have a PRINCE cracking mode that could almost do what you
> need with the 18K words list as input.  But it lacks support for putting
> the hyphens in between words, and if we try to work around that by
> appending a hyphen to each input word, we instead hit the max length
> limit (would need 35 for 4*8+3 while max for PRINCE is 32).
> Or you could persuade someone to fix
> (which would also fix
> - that would solve
> the problem canonically and it should actually be pretty trivial.  Alas,
> I do not have time for it.
> In case you write or find a script/tool that outputs the candidates to
> stdout, you'll just pipe it like this:
> some_tool | ./john dmghash.txt -stdin
> magnum
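
Added example, not part of the original messages and not John the Ripper code: a streaming candidate generator of the kind the thread describes, which also reports the keyspace and shows how much one remembered word shrinks it. It assumes words are drawn independently (repeats allowed); the script name `gen.py`, the function names and the three-word sample list are hypothetical.

```python
import itertools
import sys

SAMPLE = ["alpha", "bravo", "delta"]  # constructed stand-in for the real word list

def keyspace(list_size, n_words, known=False):
    """Number of candidates; with known=True, one word (from the list) is
    remembered but its position in the password is not."""
    total = list_size ** n_words
    if known:
        # All combinations minus those that never contain the remembered word.
        total -= (list_size - 1) ** n_words
    return total

def candidates(words, n_words, known=None, sep="-"):
    """Lazily yield hyphen-joined candidates; nothing is stored on disk."""
    if known is None:
        for combo in itertools.product(words, repeat=n_words):
            yield sep.join(combo)
        return
    others = [w for w in words if w != known]
    for pos in range(n_words):
        # `pos` is the FIRST slot holding the remembered word: earlier slots
        # exclude it (so no candidate is emitted twice), later slots are free.
        for head in itertools.product(others, repeat=pos):
            for tail in itertools.product(words, repeat=n_words - pos - 1):
                yield sep.join(head + (known,) + tail)

def main(argv):
    # Usage: gen.py N_WORDS [WORDLIST_FILE] [KNOWN_WORD]
    # Output is piped as on the page: gen.py ... | ./john dmghash.txt -stdin
    n_words = int(argv[1]) if len(argv) > 1 else 3
    words = SAMPLE
    if len(argv) > 2:
        with open(argv[2], encoding="utf-8") as fh:
            words = [line.strip() for line in fh if line.strip()]
    known = argv[3] if len(argv) > 3 else None
    size = keyspace(len(words), n_words, known is not None)
    print(f"{size} candidates to stream", file=sys.stderr)
    try:
        for cand in candidates(words, n_words, known):
            sys.stdout.write(cand + "\n")
    except BrokenPipeError:
        pass  # the consumer exited early

if __name__ == "__main__":
    main(sys.argv)
```

With the 18342-word list, `keyspace` gives roughly 2^42.5 candidates for three words and 2^56.7 for four, and about 2^30 for three words when one of them is remembered.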
