Follow @Openwall on Twitter for new release announcements and other news

These are current and archived Openwall news items as published on the main page of our website. Additionally, you can follow us on Twitter and you might wish to review archived postings to our announcement mailing list.

August 21, 2024
Announcing yescrypt-go, our pure Go reimplementation of yescrypt key derivation function (KDF) and password hashing scheme.

May 14, 2024
We've just published the slides of Solar Designer's OffensiveCon 2024 keynote talk "Password cracking: past, present, future".

March 4, 2024
We've just published the slides of Solar Designer's talk "Linux kernel remote logging: approaches, challenges, implementation" from BSidesZagreb 2024.

February 28, 2024
LKRG 0.9.8 is out, adding a remote kernel message logging capability.

September 14, 2023
LKRG 0.9.7 is out, adding support for Linux 6.4 to 6.5.x and hopefully beyond, as well as for new RHEL 9.1 and 9.2 kernels.

June 25, 2023
passwdqc 2.0.3 is out, adding Cygwin support, pkg-config file, and assorted minor changes.
Also available is a corresponding update of passwdqc for Windows, adding password policy bypass for system-generated passwords for KRBTGT accounts.
Finally, the pre-generated leaked password filter files have been updated (quite a while ago) to include HIBP v8, encoding the 847+ million unique passwords (from billions of accounts) in a 3.3 GiB (3.5 GB) file.

June 21, 2023
We've just published the slides of Solar Designer's opening keynote talk at SSTIC and its revision at BSidesLjubljana, entitled "15+ years of oss-security".

March 2, 2023
John the Ripper in the cloud has been updated to use the latest JtR jumbo on freshly updated Amazon Linux 2 with a newer NVIDIA GPU driver. Many new AWS instance types are now supported.

December 14, 2022
LKRG 0.9.6 is out, adding support for Linux 6.1, RHEL 8.7, current CentOS Stream 9 (upcoming RHEL 9.2), along with a variety of other changes for portability, robustness, and extra security checks.

August 1, 2022
LKRG 0.9.5 is out, adding support for new longterm kernels 5.10.133+ and reworked support for OverlayFS (Docker).

July 22, 2022
LKRG 0.9.4 is out, featuring more consistent log messages suitable for both automated analysis and human consumption, as well as adding support for more longterm Linux kernels and for the OpenRC init system.

April 21, 2022
LKRG 0.9.3 is out, adding support for latest Linux kernels, latest CentOS Stream 8/9 and upcoming RHEL 8.6+, openSUSE Leap, and loading into older Xen PV guests.

December 29, 2021
LKRG 0.9.2 is out, adding support for new Linux kernels, and assorted bug fixes and enhancements.

April 27, 2021
LKRG 0.9.1 is out, addressing various issues reported against the 0.9.0 release.

April 12, 2021
LKRG 0.9.0 is out, with support for new Linux kernels, optionally building LKRG in kernel tree, Continuous Integration (boot tests in VMs, including with Ubuntu's daily updated mainline kernels), and much more.

April 4, 2021
passwdqc 2.0.2 is out, improving the formatting of auto-generated policy descriptions and adding the libpasswdqc(3) manual page.

March 10, 2021
Two minor updates:
passwdqc 2.0.1 offers improved auto-generated password/passphrase policy descriptions.
scanlogd 2.2.8 builds cleanly with recent glibc.

February 18, 2021
passwdqc 2.0.0 is out, adding support for external wordlist, denylist, and binary filter files (improved cuckoo filters).

January 11, 2021
After 10 years since the previous release, we've just released version 1.2 of tcb, implementation of our alternative password shadowing scheme. Changes include libxcrypt and recent glibc support, translated (non-English) messages support, and dropping of NIS/NIS+ support.

August 18, 2020
We've just republished the slides of LKRG in a nutshell, which we presented a few days ago at OSTconf.

We've started consolidating our Git repositories under the newly setup Openwall organization on GitHub.

August 10, 2020
We've just launched Openwall Password Recovery and Password Security Auditing Bundle in AWS Marketplace. Start your password recovery or audit in AWS cloud in minutes, complete it within our 5-day free trial or support our Open Source project afterwards.

July 8, 2020
LKRG 0.8.1 is an important bug fix release.

June 25, 2020
LKRG 0.8 is out, adding support for latest Linux kernels, 32-bit ARM (LKRG 0.7 already had 64-bit), Raspberry Pi 3 & 4, improving scalability, performance, and tradeoffs, adding the notion of profiles, new documentation, Phoronix Test Suite benchmarks, and much more.

December 25, 2019
passwdqc 1.4.0 is out, adding optional non-English messages and Linux-PAM audit support.

July 21, 2019
LKRG 0.7 is out, adding experimental support for ARM64 (AArch64) and grsecurity, support for Linux kernels 5.1 and 5.2 (and hopefully beyond), greater SMEP enforcement, and much more.

June 30, 2019
yescrypt KDF and password hashing scheme updated to 1.1.0 and included in Fedora and ALT Linux via libxcrypt.
yespower PoW scheme updated to 1.0.1.

May 14, 2019
John the Ripper 1.9.0-jumbo-1 is out.

April 12, 2019
John the Ripper 1.9.0 core is out. Stay tuned for the 1.9.0-jumbo-1 release and announcement, which will be "the real one".

February 19, 2019
LKRG 0.6 is out, adding experimental poor man's Control Flow Integrity support and much more.

November 12, 2018
LKRG 0.5 is out, completing support for integrity checking of loaded kernel modules and supporting kernels built with newer versions of GCC.

August 30, 2018
LKRG 0.4 is out, adding support for Linux kernel 4.17+.

July 12, 2018
For historical reasons, multiple CPU mining focused cryptocurrencies use yescrypt 0.5 as their proof-of-work (PoW) scheme. We introduce a separate project for the PoW use case: yespower.

July 4, 2018
LKRG 0.3 is out, along with Linux Kernel Runtime Guard (LKRG) under the hood presentation slides from CONFidence.

June 7, 2018
yescrypt KDF and password hashing scheme has been updated to 1.0.2.

May 24, 2018
New Owl security updates are available in the form of source code, RPMs, ISOs, and OpenVZ container templates addressing CPU, Linux kernel, and procps issues.

April 22, 2018
yescrypt KDF and password hashing scheme has been updated to 1.0.1, improving the documentation with guidelines on parameter selection, currently recommended parameter sets by use case, and a comparison to scrypt and Argon2.

March 27, 2018
LKRG 0.2 is out, with added support for loading at early boot stage (e.g., from initramfs), reduced performance impact, and bugs fixed.

March 9, 2018
yescrypt 1.0.0 KDF and password hashing scheme is out.

February 9, 2018
LKRG 0.1 is out, cleaned up and with support for Linux kernel 4.15 and RHEL 7.4.

January 29, 2018
We've just announced our most controversial project ever: Linux Kernel Runtime Guard, an LKM that post-detects kernel exploits.

November 19, 2017
We've just released blists 2.0, our web interface to mailing list archives that works off indexed mbox files. Major enhancements since blists 1.0 include downloadable attachments, re-encoding of content from any supported charsets to UTF-8, lists of recent messages on each mailing list's main page, and new calendars on the year and month pages.

August 22, 2017
php_mt_seed 4.0 is out, extending the range of supported PHP versions to include 7.1.0 and above (to current latest and hopefully beyond) as well as 5.2.0 and below (all the way back to 3.0.7). Previously, the range was from 5.2.1 to 7.0.x. Also featuring rewritten documentation.

August 6, 2017
php_mt_seed 3.3 is out, extending the range of supported SIMD instruction sets to include SSE2 and AVX-512 (previously, the range was from SSE4.1 to AVX2 and MIC).

May 7, 2017
phpass 0.5 is out, providing PHP 7 friendliness and other minor cleanups.

March 27, 2017
Slides from Solar Designer's BSidesLjubljana talks entitled yescrypt: large-scale password hashing and Haswell metaprogramming are now online.

November 18, 2016
We've just published a new Openwall article: An analysis of Zcash's use of the Equihash proof-of-work scheme.

October 24, 2016
Openwall GNU/*/Linux security fixes for Linux kernel "Dirty COW" and BIND DoS vulnerabilities.

August 25, 2016
New Openwall GNU/*/Linux ISO images and OpenVZ container templates are out. The updates since last summer are minor, and are mostly limited to bug and security fixes.

July 22, 2016
A new version of our password/passphrase strength checking and enforcement tool set, passwdqc 1.3.1, is out, fixing a bug with the rarely-used "non-unix" option of pam_passwdqc.

Bindings, ports, and third-party reimplementations of functionality from passwdqc for/in Go, JavaScript, Perl, PHP, Python, and Ruby are now listed among passwdqc contributed resources.

We've just released passwdqc for Windows.

June 17, 2016
John the Ripper -jumbo is now available as snap package for Ubuntu 16.04 LTS via Ubuntu Store, as contributed by Claudio Andre.

March 5, 2016
We're introducing OVE IDs, an alternative to CVE.

October 14, 2015
HPC Village has recently been updated to include an NVIDIA GTX Titan X, the largest GPU card based on NVIDIA's latest Maxwell architecture, due to sponsorship by Sagitta HPC. This is an opportunity for HPC (High Performance Computing) hobbyists alike to program for a heterogeneous HPC platform. Participants are provided with remote access to a server with multi-core CPUs and HPC accelerator cards of different kinds - Intel MIC (Xeon Phi), AMD GPU, NVIDIA GPU. With the recent update, there are two generations of GPU architectures available in the same machine for each of AMD and NVIDIA. Some other hardware is also available in additional machines. Eligible for HPC Village are Open Source software developers and ZeroNights 2015 attendees. Please refer to the HPC Village project web page for a lot more detail, including for information on how to apply for an account.

August 2, 2015
New Openwall GNU/*/Linux ISO images and OpenVZ container templates are out, incorporating packages with security fixes accumulated since the previous set of ISOs was generated in January. Most notably, these include fixes for Linux kernel I/O vector array overrun (CVE-2015-1805) and OpenVZ container escape (CVE-2015-2925), glibc GHOST (CVE-2015-0235), OpenSSL FREAK (CVE-2015-0204), and BIND TKEY query DoS (CVE-2015-5477).

July 12, 2015
We've just posted online Aleksey Cherepanov's john-devkit: specialized compiler for hash cracking presentation slides from PHDays 2015.

April 28, 2015
Announcing the accepted Google Summer of Code students and progress at their projects so far.

March 10, 2015
Openwall will act as a Google Summer of Code umbrella organization for radare reverse-engineering framework. We welcome applications from students interested in Radare Summer of Code ideas.

March 3, 2015
We're a mentoring organization for Google Summer of Code 2015. Here are our proposed project ideas.

February 26, 2015
John the Ripper 1.8.0 Pro for Linux is out.

January 5, 2015
Owl 3.1-stable is available.

December 18, 2014
John the Ripper 1.8.0-jumbo-1 is out.

November 28, 2014
Solar Designer's ZeroNights 2014 presentation non-slides (actually, a game) entitled "Is infosec a game?" are now available online.

August 31, 2014
Our Passwords^14, Skytalks, and WOOT '14 presentation slides are now available online: Energy-efficient bcrypt cracking by Katja Malvoni, Solar Designer, and Josip Knezovic. This reflects progress made at this research project since we presented it last year.

May 23, 2014
Solar Designer's PHDays 2014 presentation slides are now available online: yescrypt - password hashing scalable beyond bcrypt and scrypt.

December 2, 2013
Our PasswordsCon Bergen presentation slides are now available online: Energy-efficient bcrypt cracking by Katja Malvoni and Solar Designer.

November 4, 2013
We've just turned our php_mt_seed PHP mt_rand() seed cracker from a proof-of-concept into a maintained project with its own homepage. Changes implemented in October include AVX2 and Intel MIC (Xeon Phi) support, as well as support for advanced invocation modes, which allow matching of multiple, non-first, and/or inexact mt_rand() outputs to possible seed values.

October 25, 2013
HPC Village is our new project, initially setup as a creative way to indirectly sponsor the upcoming ZeroNights 2013 convention in Moscow, Russia. This is an opportunity for HPC (High Performance Computing) hobbyists alike to program for a heterogeneous HPC platform. Participants are provided with remote access to a server with multi-core CPUs and HPC accelerator cards of different kinds - Intel MIC (Xeon Phi), AMD GPU, NVIDIA GPU. Please refer to the HPC Village project web page for a lot more detail, including for information on how to apply for an account.

October 21, 2013
Minor updates to scanlogd, popa3d, and msulogin have been released.

August 15, 2013
We've just posted online our USENIX WOOT '13 slides and paper entitled "Looking inside the (Drop) box" (Security Analysis of Dropbox), by Dhiru Kholia and Przemyslaw Wegrzyn.

May 30, 2013
John the Ripper 1.8.0 is out, including new functionality sponsored under Rapid7's Magnificent7 program.

April 24, 2013
A new version of our password/passphrase strength checking and enforcement tool set, passwdqc 1.3.0, is out.

April 11, 2013
We're a mentoring organization for Google Summer of Code 2013. Here are our proposed ideas for students' summer projects.

New snapshots of Owl-current and Owl 3.0-stable are available, including ISO images, OpenVZ container templates, binary packages for i686 and x86_64, and full sources.

December 6, 2012
Our Passwords^12 presentation slides are now available online. These are Simon Marechal's (aka Bartavelle) Distributable probabilistic candidate password generators and Automatic wordlists mangling rules generation, as well as a new revision of Password security: past, present, future, now co-authored by Solar Designer and Simon Marechal.

November 23, 2012
New developments in password hashing: ROM-port-hard functions slides from Solar Designer's ZeroNights 2012 talk are now online.

October 17, 2012
John the Ripper has been selected for Rapid7's Magnificent7 program, which will enable us to implement parallel and distributed processing enhancements sooner rather than later.

Simon Marechal (aka Bartavelle), a longtime contributor to John the Ripper, will speak at Passwords^12 (December 3-5, Oslo, Norway).

October 5, 2012
Solar Designer's Password hashing at scale (for Internet companies with millions of users) slides from YaC 2012 are now online.

September 20, 2012
JtR 1.7.9-jumbo-7 is a bugfix-mostly release. Besides the many bugfixes (mostly for issues introduced with -jumbo-6), this release adds support for cracking KeePass 2.x and RAdmin 2.x passwords, more varieties of PKZIP archives, GPU support under recent Mac OS X, speedup at many of the previously supported formats, and many minor features and documentation updates.

At the same time, we've also released php_mt_seed, a PHP mt_rand() seed cracker capable of testing all 232 seeds in 1 minute on an inexpensive CPU.

Finally, some of you might like to attend Solar Designer's talk at YaC 2012 (October 1, Moscow, Russia). The topic is future password hashing setups for Internet companies with millions of users and passwords. In a sense, this will be a continuation of the PHDays talk, with focus on specific challenges faced at and solutions affordable to this sort of companies.

August 18, 2012
A new snapshot of Owl-current is available, including ISO images, OpenVZ container templates, binary packages for i686 and x86_64, and full sources. Changes since the previous set of ISOs and templates (May 8, 2012) include a further minor update of the Linux/OpenVZ kernel to latest "testing" version in OpenVZ's RHEL5-based branch (with our usual changes on top of that), new versions of binutils, tcsh, xinetd, and OpenSSL (the latter two with minor security fixes), and minor changes to many Owl packages. The system has been rebuilt with the new binutils, which required some tweaks in various packages (now included, so further rebuilds work seamlessly). This mostly conservative update of Owl-current is a precursor to a similar update to 3.0-stable (except for the binutils upgrade and some other things), and to more aggressive changes in Owl-current.

June 29, 2012
John the Ripper 1.7.9-jumbo-6 is the very first release to have GPU support (CUDA and OpenCL) integrated. It is also the biggest -jumbo update so far, with over 40,000 lines of code added since -jumbo-5. Besides GPU support, this release adds support for Mac OS X keychains, KeePass 1.x, Password Safe, ODF and Office 2007/2010 files, Firefox/Thunderbird master passwords, RAR -p mode, WPA-PSK, VNC and SIP challenge/responses, HMAC-SHA-*, IBM RACF, built-in SHA-crypt, DragonFly BSD SHA-2, Django, Drupal 7, WoltLab BB3, new EPiServer, GOST R 34.11-94, LinkedIn raw SHA-1 flavor - with OpenMP, CUDA, and/or OpenCL for many of these. Additionally, optimizations were made and OpenMP/CUDA/OpenCL added for many of the previously-supported hashes and ciphers. AMD XOP support was added for MD4, MD5, and SHA-1, for at least a 20% speedup on Bulldozer at hashes building on these primitives and making use of the SIMD interface. Many main program features and tiny new programs were added.

June 1, 2012
PHDays 2012 was great! The slides from our "Password security: past, present, future" presentation are now online.

May 20, 2012
Solar Designer of Openwall will speak at Positive Hack Days on the future of password hashing (May 30-31, Moscow, Russia).

May 8, 2012
A new snapshot of Owl-current is available, including ISO images, OpenVZ container templates, binary packages for i686 and x86_64, and full sources. Significant changes since the previous set of ISOs and templates (October 26, 2011) include update of the Linux/OpenVZ kernel to one based on RHEL 5.8's, GCC update to 4.6.3, "gcc -Wl,-z,relro -Wl,-z,now" by default as a security hardening measure, John the Ripper 1.7.9+ with enabled OpenMP parallelization, move to ISOLINUX for the bootloader for the ISOs, building of glibc's UTF-8 locales by default (despite of the size increase), new versions of OpenSSL, lftp, strace, hdparm.

March 17, 2012
As many of you are aware, Openwall participated in Google Summer of Code (GSoC) last year. We worked with 5 students under the GSoC program, we got useful stuff done (with some of it being in mainline Linux kernels and in released versions of John the Ripper now), and we met new people some of whom are now involved with our projects. So we're doing it again: Openwall is a mentoring organization for Google Summer of Code 2012. Interested students are welcome to check out our ideas page and contact us.

Openwall wordlists collection now comes with a bonus - two lists of passwords commonly generated by pwgen 2.06 with default settings for output to a tty and non-tty. These contain 44 and 45.5 million entries and they crack 21% and 75% of passwords of the corresponding kind - for tty and non-tty, respectively. pwgen is a fairly popular command-line password generator program for Unix systems. It is part e.g. of Debian and Ubuntu.

December 18, 2011
John the Ripper 1.7.9-jumbo-5 is out, including a build for Windows. This revision adds support of RADIUS shared secrets and SHA-0, it has faster MSSQL (old and 2005), MySQL (SHA-1 based), and Lotus5 hashing (the latter with optional OpenMP parallelization), and it includes many other enhancements as well.

December 11, 2011
John the Ripper 1.7.9 official build for Windows is available.

November 23, 2011
John the Ripper 1.7.9 has OpenMP parallelization of bitslice DES and of MD5-crypt integrated. It includes many other enhancements as well.

November 9, 2011
John the Ripper 1.7.8-jumbo-8 is out. This revision adds optional OpenMP parallelization for MD5-based crypt(3) and Apache $apr1$ hashes when building with SSE2 intrinsics, as well as for SAP CODVN B (BCODE) and SAP CODVN G (PASSCODE). Many other enhancements have been made as well. Also added is a benchmark comparison tool.

October 31, 2011
New Openwall t-shirt designs are now available.

October 26, 2011
An update of Owl 3.0-stable is available, including ISOs, OpenVZ container templates, binary packages for i686 and x86-64, and indeed the sources. It includes kernel update to OpenVZ's latest stable RHEL 5.7-based (with our usual changes), security fixes to RPM (originally made and tested in Owl-current) and to pam_env (which was not in use on default installs of Owl), timezone data update (critical for Russia and some other countries), and introduction of the hardlink(1) program.

At the same time, Owl-current has moved to GCC 4.6.1. This is a major development milestone towards Owl 4.0.

October 10, 2011
A new snapshot of Owl-current is available, including a complete set of components: ISO images, OpenVZ container templates, binary packages for i686 and x86_64, and indeed the source code. Significant changes since the previous set of ISOs and templates (those of Owl 3.0-stable this time, generated a month ago) include update of the Linux/OpenVZ kernel to one based on RHEL 5.7's, introduction of tzdata package with up-to-date timezone data, and a security fix to Owl's package of RPM (the package manager).

October 5, 2011
Openwall t-shirts are now available from 0-day Clothing.

September 21, 2011
John the Ripper 1.7.8-jumbo-7 is out. In this version, support for cracking of encrypted PKZIP archives, Mac OS X 10.7 salted SHA-512 password hashes, and DES-based tripcodes has been added, and lots of other enhancements have been made (way too many to list right here).

September 9, 2011
Openwall GNU/*/Linux 3.0-stable has been updated to include almost all changes made and tested in Owl-current in recent months, including new package additions, and excluding only changes that would break binary compatibility with the 3.0 release (specifically, Owl-current's OpenSSL update and related changes are excluded from 3.0-stable). New ISO images and OpenVZ container templates of Owl 3.0-stable are available for i686 and x86_64.

August 18, 2011
Some of the most active members of the john-users mailing list hosted by Openwall participated in KoreLogic's "Crack Me If You Can" password cracking contest at DEFCON earlier this month, as team john-users. Openwall provided the team with a contest server, which was used to coordinate activities of the team's members, to exchange files, and to automatically submit cracked passwords to the contest organizers. The team consisted of 16 active members who ran John the Ripper and a few other tools on a total of over a hundred of CPU cores (estimated at 150 average, 300 peak) over the 48-hour period. We ended up taking 3rd place overall (out of 22), and we're first for 5 out of 20 hash types. Additionally, we temporarily held 1st place during the contest at two times. The contest was fun and challenging, it helped us test some experimental John the Ripper code and identify areas for further improvement. Today, we're making available our writeup on our experience in the contest.

August 3, 2011
John the Ripper 1.7.8-jumbo-5 is out, adding support for more character encodings via the new "--encoding" option (utf-8, iso-8859-1, koi8-r, cp1251) and support for raw SHA-224, SHA-256, SHA-384, and SHA-512 hashes.

July 27, 2011
A new snapshot of Owl-current is available, including ISO images, OpenVZ container templates, binary packages for i686 and x86_64, and indeed the source code. Significant changes since the previous set of ISOs and templates (generated on March 12) include updates of the RHEL5/OpenVZ Linux kernel, strace, Nmap, John the Ripper, iputils, iproute2, and LILO to new upstream versions, security fixes and security-relevant enhancements to Owl's packages of the kernel, iptables, RPM, glibc (crypt_blowfish upgrade to 1.2), and addition of limited support for LSISAS8208ELP disk controllers.

July 24, 2011
John the Ripper 1.7.8-jumbo-4 adds compile-time plugins, much faster MSCash2 (now uses SSE2, optionally along with OpenMP), enhanced "generic MD5" (makes available more of the MD5 and SHA-1 based hash types under more of the build targets).

John the Ripper 1.7.8 has been built for Android.

July 17, 2011
crypt_blowfish 1.2 and tcb 1.1 have been released. crypt_blowfish 1.2 adds a countermeasure to avoid one-correct to many-buggy hash collisions with the "$2a$" prefix, and both crypt_blowfish and tcb move to the new prefix of "$2y$" to denote correctly computed hashes that don't need the countermeasure.

July 3, 2011
John the Ripper 1.7.8-jumbo-2 adds support for cracking of password-protected WinZip archives with AES encryption, due to Dhiru Kholia's work under Google Summer of Code 2011.

A while ago, Piotr 'aniou' Meyer has contributed instructions on how to use the NetBSD Packages Collection on Openwall GNU/*/Linux (Owl).

June 22, 2011
John the Ripper 1.7.8 has been released, with DES S-box gate count reduced by 17% compared to the S-box expressions that we had been using in prior versions. This is made possible due to research by Roman Rusakov, sponsored by Rapid7.

June 21, 2011
crypt_blowfish version 1.1 fixes the 8-bit character handling vulnerability (CVE-2011-2483) and adds more self-tests. Any copies of older crypt_blowfish code must be upgraded.

June 8, 2011
John the Ripper 1.7.7-jumbo-6 integrates preliminary support for several non-hashes, implemented under Dhiru Kholia's GSoC 2011 project. Specifically, it supports cracking of OpenSSH's passphrase-protected SSH protocol 2 private keys (with OpenMP parallelization), password-protected PDF files with 40-bit and 128-bit RC4 encryption, and some password-protected RAR archives. At the same time, it integrates support for password hashes of Sybase ASE (also by Dhiru), hmailserver (by James Nobis), and MediaWiki "B" type (by JimF). As usual, we've added many minor enhancements as well.

June 6, 2011
We've just released version 1.0 of blists, our web interface to mailing list archives that works off indexed mbox files. Please feel free to use it for your own mailing lists.

We've setup a new mailing list, kernel-hardening. The intent is to use it to discuss proposed security hardening changes to the Linux kernel before possibly bringing them to LKML, as well as to CC it on relevant LKML threads. It is also OK to discuss hardening changes that are not meant for upstream.

June 3, 2011
John the Ripper 1.7.7-jumbo-5 is out. This is possibly the largest single jumbo patch update made so far. In this revision, MD5 and SHA-1 based hashes have been sped up with SSE2/AVX intrinsics, md5_gen has been expanded with more MD5-based hash types, UTF-8 support has been added (the "--utf8" option), MPI parallelization support for all cracking modes has been integrated, and OpenMP parallelization support has been added to a few more hash types. At the same time, three new formats have been added: mskrb5 (offline attack on MS Kerberos 5 pre-authentication data), rawMD5unicode (MD5 of UCS-2 encoded plaintext), and salted_sha1 (faster handling of some LDAP {SSHA} hashes). The "unique" program, Markov mode, ETA display, and programming interfaces have been enhanced.

Our web interface to archives of Openwall's, Openwall-hosted, and other relevant mailing lists has been enhanced to include month and day index pages with message subjects and authors (finally).

April 28, 2011
John the Ripper 1.7.7 is out, along with 1.7.7-jumbo-1 and updated DES/OpenMP patches, adding Intel AVX and AMD XOP support, cracking of plaintext passwords (for faster testing and tuning), several kinds of warning messages (intended primarily for inexperienced users), official support for Apache "$apr1$" MD5-based password hashes (previously only supported in jumbo), and more. This release has been sponsored by Rapid7 - a leading provider of unified vulnerability management and penetration testing solutions.

April 26, 2011
We've accepted 5 great students under the Google Summer of Code program. However, many more had applied, and we'd love to work with some of those who we couldn't accept specifically under the GSoC program. Thus, our own Summer of Security program is born.

We've setup several new mailing lists: crypt-dev (design and implementation of a new password hashing method for servers), musl (discussions around musl, a new standard C library for Linux), and sabotage (discussions around Sabotage Linux, an experimental distribution based on musl and BusyBox).

March 19, 2011
Openwall is a mentoring organization for Google Summer of Code 2011 (GSoC). Here's our GSoC organization profile and our ideas list (includes ideas on Owl, JtR, and more). We'd like to hear from students interested in working on any of the ideas (or on their "own creative and relevant idea"), as well as from prospective mentors. We're already aware of some. :-)

Nmap project summarizes GSoC as follows: "This innovative and extraordinarily generous program provides $5,000 stipends to 1,000+ college and graduate students to create and enhance open source software during their summer break. Students gain valuable experience, get paid, strengthen their resume, and write code which will be distributed freely and used by millions of people!"

March 13, 2011
The 2011/03/12 Owl-current snapshot has finally deviated from Owl 3.0 and RHEL4 binary compatibility (moving towards RHEL6 binary compatibility) by updating OpenSSL to 1.0.0d. Besides OpenSSL, we've updated vsftpd to 2.3.4 (remote DoS vulnerability fix, CVE-2011-0762), patchutils to 0.3.2, and the Linux kernel to OpenVZ's latest "RHEL5 testing" one (-238.5.1.el5.028stab085.2) with our usual changes.

At the same time, we've made the first pre-compiled snapshot of Owl 3.0-stable available. Compared to the 3.0 release, Owl 3.0-stable 2011/03/12 corrects a VIM packaging error, a vulnerability in the patch(1) program (CVE-2010-4651), two vulnerabilities in OpenSSL (CVE-2010-4180, CVE-2009-0590), which were at worst of moderate severity, and it updates vsftpd to 2.3.4 (CVE-2011-0762 fix) and patchutils to 0.3.2.

Earlier this month, we've setup public mailing lists for discussions around development of Openwall GNU/*/Linux (owl-dev) and John the Ripper (john-dev). Previously, only user community public mailing lists existed for these projects (owl-users and john-users, respectively).

March 2, 2011
The OpenVZ virtualization blog has posted an interview with Solar Designer on Owl, OpenVZ, and more.

February 17, 2011
John the Ripper 1.7.6-jumbo-12 is out. This revision corrects the "generic MD5" self-test bug (introduced in -jumbo-10). It also enhances the MSCash and MSCash2 OpenMP parallelization to adjust the number of key slots according to the number of threads.

February 12, 2011
We've released another Owl-current snapshot. This one uses a fresh OpenVZ "RHEL5 testing" kernel (with our usual changes), and it has a patch(1) vulnerability fixed (CVE-2010-4651). Besides the fixes, we've added the usb_modeswitch package - a mode switching tool for controlling "flip flop" (multiple device) USB gear - along with usb_modeswitch-data and libusb-compat.

There's a new lightweight libc (standard C library) for Linux-based devices. It's called musl. This is a project of Eta Labs rather than Openwall, yet we're pleased that musl supports our /etc/tcb/*/shadow files natively.

February 6, 2011
We've made available the first Owl-current snapshot after our 3.0 release (new ISO images, OpenVZ container templates, and indeed packages and sources). Since the release, we've moved from RHEL 5.5-based to RHEL 5.6-based Linux/OpenVZ kernels, added support for non-raw (datagram) ICMP sockets and made use of said support in ping(1), added several new packages (ethtool, pv ("Pipe Viewer"), bridge-utils, libusb1, usbutils, vconfig), updated to latest upstream versions of LILO, e2fsprogs, Nmap (adding Nping), and made some other enhancements and corrections. Additionally, we've enhanced our infrastructure such that Owl snapshots (and not just releases) are now always PGP-signed.

John the Ripper jumbo patch revision 1.7.6-jumbo-11 is out. This revision corrects an x86-64-specific NTLM bug, improves self-tests (which uncovered another bug, not yet fixed), adds support for cracking MSCash2 (Domain Cached Credentials of modern Windows systems) with optional OpenMP parallelization, and adds similar OpenMP parallelization for the original MSCash. We'd like to thank bartavelle and S3nf for their contributions to this update.

Additionally, Simon John has built unofficial RPM packages of JtR for 64-bit Fedora. These are of the brand new 1.7.6-jumbo-11 with OpenMP parallelization enabled, as well as of the older 1.7.6-omp-des-7, which provides OpenMP parallelization for DES-based hashes (this is not part of the jumbo patch).

January 14, 2011
We've setup a new wiki page on Openwall GNU/*/Linux 3.0 coverage by Linux and technology news sites. Especially valuable is the detailed independent review written by Koen Vervloesem for LWN.

December 15, 2010
Openwall GNU/*/Linux (Owl) version 3.0 is finally out!

The enhancements since Owl 2.0 include: x86-64 support, move to RHEL 5.5-like Linux 2.6 kernels (with additional changes), kernel in an RPM package designed to allow for easy non-RPM'ed kernel builds as well (optional), integrated OpenVZ container-based virtualization (optional), "make iso" and "make vztemplate" targets in the build environment (to easily generate new Owl CD images and OpenVZ container templates, respectively), ext4 filesystem support (in fact, Owl 3.0's installer offers ext4 by default, with ext3 and ext2 still available as options), xz compression support (LZMA, LZMA2) throughout the system (not only xz* commands, but also support in tar, rpm, less, color ls output), a few new packages (smartmontools, mdadm, cdrkit, pciutils, dmidecode, vzctl, vzquota, xz), lots of package updates, improved hardware compatibility and more intuitive installation process, credentials logging in syslogd (the sender's UID and PID are logged), key blacklisting support in OpenSSH, and many other enhancements and corrections. After the release, we intend to proceed with further development under Owl-current and to maintain the newly-created Owl 3.0-stable branch until the next release, as usual.

Compared to the December 9 snapshot of Owl-current, the 3.0 release makes some corrections to support upgrades from Owl 2.0 and it adds some security fixes to Perl (for issues that affected relatively obscure and inherently risky uses of Perl and its modules).

December 10, 2010
After the security compromise, GNU Savannah (free software development hosting) introduced proper password hashing and password/passphrase strength checking using Openwall's passwdqc (invoking the pwqcheck and pwqgen programs). If you maintain an online service with user accounts, you should do the same.

December 10, 2010
There are new Owl-current ISOs, OpenVZ container templates, and pre-built packages for i686 and x86-64. Compared to the September 24 snapshot, the Linux/OpenVZ kernel has once again been updated to OpenVZ's latest from their "RHEL5 testing" branch, with some additional security fixes and security hardening measures added on top of it. Many packages have been updated to new upstream versions: binutils, hdparm, ed, man-pages, diffstat, flex, ncurses, VIM, Linux-PAM, GnuPG, cdrkit, iptables, SysVinit, smartmontools, lftp, xz, Postfix. Finally, many minor enhancements to various Owl packages have been made. Please refer to the change log for details.

November 26, 2010
There are new unofficial builds of John the Ripper 1.7.6-jumbo-9 for Win32, Linux, and Solaris.

November 14, 2010
New revision 1.7.6-jumbo-9 of JtR jumbo patch adds support for generic salted SHA-1, raw MD4, and generic salted MD4 hashes.

November 6, 2010
A new and finally complete Python port of phpass (our password hashing framework for PHP apps) has been added to the phpass contributed resources list. This one was contributed by exavolt (thanks!)

October 30, 2010
New unofficial builds of John the Ripper with the jumbo patch (and more) for Win32, Mac OS X, Linux, and Solaris have been added.

October 22, 2010
Owl is not vulnerable to glibc bugs discovered by Tavis Ormandy.

September 25, 2010
New Owl-current ISOs, OpenVZ container templates, and pre-built packages for i686 and x86-64 have been made available yesterday. (Indeed, the full source code is always available as well.) Most importantly, the kernel has been updated to include a fix for CVE-2010-3081 (this was a "local root" and "container escape" vulnerability on 64-bit kernels built with 32-bit compatibility enabled). Some other updates since the September 3 snapshot include the introduction of xz and lzma compression support (the xz package and changes made to rpm, less, and coreutils), new upstream versions of lftp, bzip2 (CVE-2010-0405 fix), grep, hdparm, and OpenVZ kernel (2.6.18-194.11.3.el5.028stab071.5 with our changes), and our new version of pam_mktemp.

September 20, 2010
pam_mktemp 1.1.1 is out. pam_mktemp provides per-user directories under /tmp. This new release adds SELinux support, Solaris support (requires GNU make and gcc), and makes the use of the append-only flag with ext2/3/4 filesystems optional.

September 3, 2010
There's a new snapshot of Owl-current available on our FTP mirrors. Besides the full source code, this includes pre-built packages, ISOs, and OpenVZ container templates for i686 and x86-64. As usual, there are also direct download links to the ISOs on the Owl homepage.

In this snapshot, the kernel has been updated to OpenVZ's latest from their "RHEL5 testing" branch (2.6.18-194.11.3.el5.028stab071.3) with minor additional changes. CD bootup and the installer have been improved some further. The e2fsprogs, diffutils, bison, man-pages, man, diffstat, gawk, cdrkit, iptables, sed, grep, ltrace, hdparm, mktemp, vsftpd, acct, file, and m4 packages have been updated to new upstream versions. Assorted minor improvements have been made and/or bugfixes applied to several other packages. Please refer to the change log for more information on some of these changes.

August 22, 2010
The jumbo patch for John the Ripper is now up to revision 1.7.6-jumbo-7 adding MSCHAPv2, several external modes, bugfixes, and license updates.

August 7, 2010
The July 29 snapshot of Owl-current (announced below) is now available for purchase on CD (both 32- and 64-bit).

July 30, 2010
New ISO images and pre-created OpenVZ container templates of Owl-current for i686 and x86-64 are available on our FTP mirrors. The ISOs are also available via direct download links on the Owl homepage. We have once again updated Owl to use OpenVZ's latest kernel from their "rhel5" branch, and we've switched to using RPM-packaged kernels, but in a way allowing for easy non-packaged builds as well. At the same time, we've introduced support for the ext4 filesystem (in fact, it is now offered by default for new installs), and we've improved CD bootup and the installer ("settle") in numerous ways. The packages of passwdqc, strace, lftp, tcb, JtR, and Postfix have been updated to new versions, and changes have been made to several other packages. Please refer to the change log for more information on some of the changes.

July 27, 2010
Examples of how to crack SMTP's AUTH CRAM-MD5 and LM and NTLM challenge/response exchanges have been posted to the john-users mailing list. The jumbo patch is now up to revision 1.7.6-jumbo-6 (adding some bugfixes).

Petur Ingi Egilsson wrote a step-by-step guide entitled John the Ripper on a Ubuntu 10.04 MPI Cluster.

July 24, 2010
We've setup a web page with recommended computer security books (and more).

July 13, 2010
Sunny Singh has published a short and very easy to follow article on introducing phpass password hashing into a PHP application.

July 5, 2010
John the Ripper 1.7.6, originally released as a development version because of the extent of the changes made, has been re-labeled the new stable version. There hasn't been a single bug report against this version since it was released over two weeks ago, yet people successfully built, ran, and some even packaged it on a variety of operating systems.

Steven M. Christensen of Sunfreeware has produced packages of JtR 1.7.6 for many versions of Solaris, both SPARC and x86, including both 32-bit and 64-bit builds.

GI John - Grid implemented John the Ripper, a curious non-Openwall project - has been updated to build upon JtR 1.7.6-jumbo-3.

July 4, 2010
John the Ripper gets a new bitslice DES key setup algorithm, currently implemented as a patch usable on x86-64 and x86 with SSE2. With this, it achieves a whopping 356 million of LM hash computations per second on a dual quad-core Xeon system (with multiple simultaneous processes), as well as 15M c/s at DES-based crypt(3) for the single salt case or 20M+ c/s with multiple salts (with a single multi-threaded process).

July 1, 2010
It is now possible to get a recent Openwall GNU/*/Linux -current snapshot on CD - 32-bit and/or 64-bit (your choice). Previously, only the last release was available for purchase on CD.

June 30, 2010
There's a new revision of the bitslice DES parallelization patch for John the Ripper, and new benchmarks - now over 20M c/s at traditional DES-based crypt(3) on a dual quad-core Xeon, and over 10M c/s on a Core i7 (single quad-core CPU).

June 28, 2010
John the Ripper's bitslice DES implementation is being parallelized with OpenMP directives - there's a draft patch and benchmark results - up to 17.5M c/s for traditional DES-based crypt(3).

June 23, 2010
passwdqc 1.2.2 has been released. This version makes minor Makefile updates to make the "install" and "uninstall" targets with their default settings friendlier to Solaris systems. At the same time, a wiki page with detailed Solaris-specific instructions on passwdqc has been created.

A Python package re-implementing some algorithms from passwdqc has been created by Alastair Houghton. It is found on the passwdqc contributed resources list.

Detailed tutorials on cracking/auditing SHA-crypt hashed user passwords on recent Ubuntu, Fedora, and Solaris 10 systems have been posted to the john-users mailing list, separately for Linux (using Fedora 12 as the specific example) and for Solaris 10. These include optional OpenMP parallelization instructions and examples (to use multiple CPUs and/or CPU cores).

The jumbo patch for John the Ripper has been updated further to revision 1.7.6-jumbo-3, and the MPI parallelization patch has been updated to apply on top of this revision.

June 15, 2010
The jumbo patch has been updated to John the Ripper 1.7.6, and additionally updated with fixes for previously-integrated contributions and with additional modules. The current revision is 1.7.6-jumbo-2.

We've setup a collection of papers, source code, etc. related to bitslice implementations of DES (focusing on the S-boxes).

June 14, 2010
John the Ripper version 1.7.6 is out. This is a development version adding generic crypt(3) support (e.g., to be used for SHA-crypt and SunMD5 hashes), optional partial parallelization with OpenMP (of the new generic crypt(3) code on Linux and Solaris and of John's optimized code for the OpenBSD-style Blowfish-based crypt(3) hashes), more optimal DES S-box expressions for PowerPC with AltiVec, as well as making minor usability improvements and reworking the bitslice DES C source code. Please refer to the change log and the john-users announcement for more detail.

June 13, 2010
The tcb suite, implementing our alternative password shadowing scheme on Owl (and reused by a number of other systems), has been updated to version 1.0.6. The only change since version 1.0.5 is removal of a faulty check for sparse files. This change was needed for compatibility with modern filesystems such as btrfs.

June 6, 2010
"How to manage a PHP application's users and passwords" has been republished on the Openwall website. At the same time, three old Openwall security advisories have been updated to focus on currently relevant aspects and turned into articles.

May 27, 2010
Solar Designer's article entitled "How to manage a PHP application's users and passwords" has been published on the Month of PHP Security website. "In this article/tutorial, I will guide you through the steps needed to introduce proper (in my opinion at least) user/password management into a new PHP application. I will start by briefly explaining password/passphrase hashing and how to access the database safely. Then we will proceed through several revisions of the sample program. We'll start with a very simple PHP program capable of creating new users only and having some subtle issues. We will gradually improve this program adding functionality (logging in to existing user accounts, changing user passwords, and enforcing a password policy) and "discovering" and dealing with the issues. We will also briefly touch many related topics.

John the Ripper's implementation of OpenBSD-style Blowfish-based crypt(3) hashes is being parallelized with OpenMP (which is readily available with recent C compilers, including with gcc). This is expected to be made official with the next development release. Meanwhile, there's a patch on the wiki, and here are benchmarks on 8-way x86-64 systems (Core i7 and Dual quad-core Xeon) and 32-way UltraSPARC T2 (quad-core, 8 threads per core).

April 25, 2010
The jumbo patch for John the Ripper 1.7.5 has been updated to revision 3. Most notably, this adds documentation on LM/NTLM challenge/response authentication cracking (doc/NETNTLM_README), improves the netntlm.pl script, and adds the "--config" option. These changes have been contributed by JoMo-Kun.

April 22, 2010
There's a new revision of our PHP password hashing framework - phpass 0.3. This revision no longer requires the getmypid() PHP function (which a few shared hosting providers disable) and it supports the "$H$" hash encoding prefix (as used by phpBB3). Also, the size of an array in the C reimplementation, which is unused by the framework itself, has been corrected (thanks to Christian von Schultz for reporting the bug).

March 29, 2010
Solar Designer has published a couple of enhanced challenge/response authentication algorithms. Please feel free to reuse these.

March 27, 2010
passwdqc 1.2.1 is out. In this version, a password strength check has been adjusted to no longer subject certain passwords that start with a digit and/or end with a capital letter to an unintentionally stricter policy.

March 23, 2010
Today's ISO images and pre-created OpenVZ container templates of Owl-current for x86 and x86-64 are currently propagating to our FTP mirrors. The ISOs are also available via direct download links on the Owl homepage. We have updated Owl to use OpenVZ's latest kernel from their "rhel5" branch, with RHEL5 patches further updated from Red Hat's latest stable kernel and with some minor changes of our own. The packages of gzip, VIM, tcb, JtR, tcsh, quota, passwdqc, libnids, pciutils, hdparm, and tar have been updated to new versions or patchlevels, and changes have been made to several other packages. Please refer to the change log for more information on some of the changes.

March 16, 2010
Version 1.2.0 of passwdqc, our proactive password/passphrase strength checking and policy enforcement toolset, is out. The pwqcheck program is now directly usable by OpenBSD, and it is able to check multiple passwords/passphrases at once (e.g., for policy testing on large password/passphrase lists). The random passphrases offered by pam_passwdqc, pwqgen, as well as by the passwdqc_random() function in libpasswdqc, will now encode more entropy per separator character and per word, increasing their default size from 42 to 47 bits. Substring matching will now partially discount rather than fully remove weak substrings, support leetspeak, and detect some common sequences of characters (sequential digits, letters in alphabetical order, adjacent keys on a keyboard). The passphrase strength checking code will now detect and allow passphrases with non-ASCII (8-bit) characters in the words. A number of optimizations have been made resulting in significant speedup of passwdqc_check() on real-world passwords. RPM packages can now be built out of the distribution tarballs.

We've setup a web page with screenshots demonstrating the uses and setup of passwdqc on Openwall GNU/*/Linux, as well as a wiki page with password strength policy considerations aimed at systems administrators deploying and configuring passwdqc.

We have also setup the passwdqc-users mailing list. Please use it to share your experience with passwdqc and ask questions. The subscription instructions are found right on the passwdqc homepage.

Social bookmarking buttons have been added to most pages on the Openwall website, as well as on the Wiki. Please use these to add your favorite Openwall web pages to your favorite social websites.

March 11, 2010
We've setup the Openwall file archive - a locally-hosted web-based archive with current and old revisions of Openwall software releases, user contributions, and other related files. Previously, this content was only available via FTP locally and from the mirrors.

New community wiki pages have been created on topics related to John the Ripper password cracker: How to retrieve and audit password hashes from remote Linux servers and Sample password hash encoding strings.

magnum has contributed a new MPI patch for John the Ripper, which supports parallelization of cracking modes other than "incremental". Older MPI patches were limited to just the "incremental" mode.

March 2, 2010
Erik Winkler has contributed Win32 and Mac OS X builds of John the Ripper 1.7.5 with revision 1 of the jumbo patch, which are now found on the contributed resources list for JtR.

The jumbo patch for JtR 1.7.5 has been updated to revision 2.

A wiki page on passwdqc (our password/passphrase strength checking and policy enforcement toolset) has been setup with pointers to user-created OS-specific instructions and packages of passwdqc.

February 26, 2010
John the Ripper version 1.7.5 is out, along with its corresponding jumbo patch update. This is yet another development version. There was no specific focus for this update, so a variety of minor enhancements were implemented (mostly in response to requests made, questions asked, and issues raised on the john-users mailing list lately).

February 25, 2010
The tcb suite has been updated further to version 1.0.5. The primary change since version 1.0.4 is the reduction of the .data section size and thus of on-disk size of some components by 256 KB when tcb is compiled against Linux 2.6 kernel headers.

February 24, 2010
There's a minor update of crypt_blowfish (version 1.0.4), our public domain password hashing framework for C/C++. In this version, the check for unsupported iteration counts has been corrected to reject certain iteration counts that would previously be misinterpreted. Also, section .note.GNU-stack has been added to the x86 assembly file to avoid the stack area unnecessarily being made executable on Linux systems that use this convention.

On a related note, a Python interface to crypt_blowfish by Daniel Holth has been added to the contributed resources list on the crypt_blowfish homepage.

February 19, 2010
Linux 2.4.37.9-ow1 is out.

February 14, 2010
Revision 3 of the jumbo patch for JtR 1.7.4.2 has been released, adding support for cracking NTLMv2 challenge/response exchanges (contributed by JoMo-Kun), as well as support for Oracle 11g SHA-1 based hashes (contributed by Alexandre Hamelin).

February 12, 2010
We've just released version 1.0.4 of our tcb suite (which implements the alternative password shadowing scheme on Owl). In this version, a non-security buffer overflow bug with more than NGROUPS_MAX groups per user has been fixed.

January 28, 2010
Fresh ISO images and pre-created OpenVZ container templates of Owl-current for x86 and x86-64 (generated today) are available on our FTP mirrors. There are also direct download links for the ISOs on the Owl homepage. The "make vztemplate" target has been added to the Owl build environment, making it easy for us and for Owl users to generate new OpenVZ container templates of the Owl userland. The 32-bit x86 userland is now being built for "i686" (Pentium Pro and above) by default. The packages of JtR, Nmap, and pciutils have been updated to new versions, libtool and gzip had minor security vulnerabilities fixed, and changes have been made to several other packages. Please refer to the change log for more detailed information on some of the changes.

Martin F. Krafft adopted the passwdqc Debian package and brought it up to date. Our password/passphrase strength checking and policy enforcement toolset now integrates nicely with PAM on Debian systems, and command-line utilities as well as the shared library providing the functionality will soon be available in separate packages.

January 19, 2010
John the Ripper version 1.7.4.2 is out, along with its corresponding jumbo patch update. This is another development version, and this time the focus was on performance improvements with very large password files or sets of files.

Support for "generic" MD5-based hashes (optionally salted or/and iterated) has been added to the jumbo patch (starting with 1.7.4-jumbo-2), due to code contributed by JimF.

December 25, 2009
John the Ripper 1.7.4 is out, along with its corresponding jumbo patch update. This is a development version focusing on many improvements to the word mangling rules engine.

November 23, 2009
Fresh ISO images of Owl-current for x86 and x86-64 (generated today) are available on our FTP mirrors. There are also direct download links on the Owl homepage. These ISOs represent a major development milestone. We have replaced the default kernel with a 2.6 OpenVZ one (featuring optional container-based virtualization), we've integrated OpenVZ tools (vzctl and vzquota packages needed to create, control, examine, and/or destroy OpenVZ containers), and we've dropped support for Linux 2.4 kernels (although they're still supported in the maintained Owl 2.0-stable branch). Besides various changes related to the new kernel and OpenVZ integration, we've updated vsftpd and diffstat to new upstream versions. Please refer to the announcement and the change log for more detailed information on the changes.

November 18, 2009
We've learned that passwdqc releases are now being packaged for NetBSD. (Many other OS distributions have been doing it for years.)

There's a new ISO image of Owl-current for 32-bit x86 (generated on November 17) available on our FTP mirrors. It uses Linux 2.4.37.7-ow1 as its default kernel.

Solar Designer has published some source code snippets and frameworks (mostly in C), which he placed in the public domain. Please feel free to reuse these in your programs.

November 17, 2009
We've just released passwdqc 1.1.4, which we declare the new stable release. The changes since 1.1.3 are mostly limited to minor code and manual pages markup cleanups (such as for proper formatting on OpenBSD).

November 15, 2009
Linux 2.4.37.7-ow1 is out.

October 26, 2009
Fresh ISO images of Owl-current for x86 and x86-64 (generated on October 25) are available on our FTP mirrors. There are also direct download links on the Owl homepage. These ISOs use Linux 2.4.37.6-ow1 as the kernel, and, compared to last month's ISO snapshots, they contain updated versions of many packages (vsftpd, iptables, passwdqc, cpio, e2fsprogs, strace, VIM, and xinetd).

October 25, 2009
Linux 2.4.37.6-ow1 is out. The 2.4.37.6 kernel fixes a number of information leak vulnerabilities. One of these was already fixed in 2.4.37.5-ow1, and the remaining ones may or may not affect specific systems depending on both kernel and userspace configuration.

October 24, 2009
We've just setup an unofficial mirror of http://www.packetfactory.net. We did this because the main Packetfactory site appeared to have gone down "permanently" (staying down for about a year), whereas much of its content was still valuable. The Packetfactory was hosting a number of networking and network security projects (with a focus on raw IP networking) and related publications. All of this content is now available on the mirror, although some of the projects (the actively maintained ones) have since moved elsewhere.

October 23, 2009
passwdqc 1.1.3 introduces an "official" and documented way to build and install all components but the PAM module on systems without PAM. At the same time, we've enhanced the "personal login information" check to consider the user's home directory path and name (in addition to the username and full name), made the code even more portable, and relaxed the license even further.

October 17, 2009
passwdqc, our password/passphrase strength checking toolset, has been updated further to version 1.1.2. The changes since 1.1.0 are mostly focused on restoring portability to non-Linux platforms (which we broke with the introduction of lots of new functionality between 1.0.5 and 1.1.0) and on improving the "protocol" used by the pwqcheck and pwqgen programs. (passwdqc 1.1.x are considered "development" versions, although this is primarily because of their potentially more limited out-of-the-box portability. The current "stable" version is pam_passwdqc 1.0.5, which readily supports Linux, FreeBSD, Solaris, and HP-UX. Additionally, there's a plugin password strength checker for OpenBSD.)

October 15, 2009
We have revised the online version of «IPv6: What, Why, How», a presentation by Jen Linkova aka Furry. Most notably, we've introduced an index page with small but legible images of the 60 slides. The slides are clickable for higher-resolution and "live" versions (with up-to-date IPv4 address space exhaustion data from external sources).

The presentation covers topics such as IPv4 address distribution and address space exhaustion, current approaches at conserving IPv4 address space usage, IPv6 as the solution, IPv6 address format, examples, and address types, interface ID and address (auto)configuration, privacy concerns, IPv6 packet header format (in comparison to IPv4), fragmentation, ICMPv6 (and how it replaces multiple IPv4 control protocols), Neighbor Discovery (ND) and how to secure it, IPv6 & DNS, migration from IPv4 (including dual-stack nodes, tunneling, and address translation), related security concerns, a summary of advantages of IPv6, common misconceptions around IPv6, and more.

October 12, 2009
We have turned our pam_passwdqc package (which was up to version 1.0.5) into a password/passphrase strength checking toolset called simply passwdqc (now at version 1.1.0). Specifically, we have introduced libpasswdqc (a password/passphrase strength checking library), pwqcheck (a standalone password/passphrase strength checking program), and pwqgen (a standalone random passphrase generator program), in addition to the PAM module, which is now built upon libpasswdqc. We have also added the config=FILE option to allow for specifying the password/passphrase policy in a configuration file rather than on the command-line. Finally, we've revised the documentation, including introduction of manual pages for the new components. All of this is mostly due to work by Dmitry V. Levin (some of it originally for ALT Linux).

September 27, 2009
Steven M. Christensen of Sunfreeware has contributed John the Ripper 1.7.3.4 packages for many versions of Solaris, both SPARC and x86, including both 32-bit and 64-bit builds. These are now linked from the contributed resources list on the John the Ripper homepage.

September 20, 2009
John the Ripper 1.7.3.4 has been released, along with an update of the jumbo patch to this new version. The changes made since 1.7.3.1 are intended primarily for use by packagers of JtR, such as for *BSD "ports" and Linux distributions. Since version 1.7.3.1 has existed for a year and proved to be reliable, and since the changes between 1.7.3.1 and 1.7.3.4 are so minor, 1.7.3.4 is being declared the new "stable" release.

There are fresh ISO images of Owl-current (for x86 and x86-64) available on our FTP mirrors. These were generated on September 17, and they contain the package updates and build environment enhancements that we made lately (new versions of m4, Linux-PAM, bison, ed, Postfix, ELinks, GnuPG, JtR; a new tri-state setting in the build environment to control whether the testsuites are to be run).

September 8, 2009
We've just released minor updates of our password hashing frameworks, crypt_blowfish 1.0.3 (C/C++) and phpass 0.2 (PHP). Additionally, Dmitry V. Levin has contributed a patch integrating crypt_blowfish into glibc 2.10.1, now linked from the crypt_blowfish homepage.

Erik Winkler has contributed Win32 and Mac OS X builds of John the Ripper 1.7.3.1 with revision 6 of the jumbo patch. These are now found on the contributed resources list on the John the Ripper homepage.

Many unofficial John the Ripper patches have been developed lately, including JimF's generic MD5-based hash support stuff found on the wiki, and generic crypt(3) support intended primarily as an interim solution for cracking the new glibc/Fedora/Ubuntu "SHA-crypt" hashes.

August 31, 2009
The jumbo patch for John the Ripper 1.7.3.1 has been updated to revision 6. The changes are limited to fixes of known bugs in revision 5 of the patch.

August 25, 2009
There are new ISO images of Owl-current (for x86 and x86-64) available on our FTP mirrors. These use the Linux 2.4.37.5-ow1 kernel, and they contain various package updates that we made lately.

August 23, 2009
Linux 2.4.37.5-ow1 is out. The 2.4.37.5 kernel adds a fix for the Linux NULL pointer dereference due to incorrect proto_ops initializations (CVE-2009-2692), which was not exploitable into privilege escalation as long as the vm.mmap_min_addr restriction was enabled (the default setting with our patches). More importantly, Linux 2.4.37.5-ow1 adds a fix for the sigaltstack local information leak affecting 64-bit kernel builds (CVE-2009-2847).

August 3, 2009
Linux 2.4.37.4-ow1 is out. The 2.4.37.4 kernel integrates a replacement for the "personality" hardening measure introduced in 2.4.37.3-ow1.

July 20, 2009
Linux 2.4.37.3-ow1 is out. Besides being an update to the new kernel release, this revision of the patch introduces an additional security hardening measure where the kernel will no longer allow the "personality" feature (which is needed to support some program binaries from other operating systems) to be abused to bypass the vm.mmap_min_addr restriction via SUID-root programs with a certain class of design errors in them.

July 19, 2009
Nmap 5.00, a major new version of the Nmap Security Scanner, has been released earlier this week, and we got it into Owl-current (on the release day, in fact). We have also released a new ISO-9660 image of Owl-current, including Nmap 5.00 (with our usual changes for privilege reduction and with some post-release fixes) usable right off the live CD (as well as installable indeed), and more. Please see the full announcement here.

July 7, 2009
Linux 2.4.37.2-ow1 is out. This is merely an update to the new kernel version.

At the same time, a new ISO image of Owl-current is made available, including an OpenSSH security update, a man-pages update, and two new packages (pciutils and dmidecode), along with the kernel update.

July 6, 2009
PHP 5.3.0 has been released, integrating our crypt_blowfish code right into default builds of the PHP interpreter. This is good news for users of our PHP password hashing framework, phpass, because it means that the bcrypt hashes preferred by phpass will be portable across systems running PHP 5.3.0+ (as well as portable to some systems running older versions of PHP, like before), and that fallbacks to weaker hash types will never occur on PHP 5.3.0+ (unless forced by the programmer). PHP 5.3.0+ also integrates our revision of the FreeSec code from the glibc package on Owl, implementing DES-based hashes. All of this is due to work by Pierre Joye. Finally, PHP 5.3.0+ replaces the integrated implementation of MD5 with one from popa3d for slightly better performance (e.g., of the phpass "portable hashes", which are MD5-based).

June 5, 2009
We've just setup a web page with some Owl-current live CD screenshots.

May 27, 2009
There are new ISO-9660 images of Owl-current for x86 and x86-64 available for download from our FTP mirrors. A lot of packages have been significantly updated and some new ones have been added since the last ISO snapshot mentioned in a news item. The Linux kernel has been updated to 2.4.37.1-ow1.

May 24, 2009
Linux 2.4.37.1-ow1 is out. Linux 2.4.37.1, compared to 2.4.35-ow2, adds numerous security-relevant fixes to various kernel subsystems.

April 29, 2009
A standalone program to call the password complexity checking functions of pam_passwdqc (e.g., from a script) has been contributed by Wolfram Wagner and added to the contributed resources list on the pam_passwdqc homepage.

April 8, 2009
Version 1.0.3 of our tcb suite implementing the alternative password shadowing scheme has been released. The changes since tcb 1.0 are limited to minor bug and reliability fixes.

On a related note, tcb has been integrated into Mandriva Linux 2009, whereas pam_passwdqc has been integrated into DragonFly BSD 2.2+. This is in addition to many OS distributions that had integrated these pieces of software before.

March 27, 2009
The collection of PWDUMP tools has been updated. These tools can be used to obtain password hashes from Windows systems for password security auditing or password recovery.

March 18, 2009
We have just published «IPv6: What, Why, How», a presentation by Jen Linkova aka Furry.

September 16, 2008
As announced on john-users, the jumbo patch for John the Ripper 1.7.3.1 has been further updated, up to revision 4 now. This new revision adds support for HTTP Digest Access Authentication (by Romain Raboin), support for OpenLDAP SSHA password hashes (by bartavelle), and "Markov" cracking mode (also by bartavelle). It also corrects a couple of problems with revision 2 of the patch, which have been reported via the john-users mailing list.

August 25, 2008
As announced on john-users, the jumbo patch has been updated to John the Ripper version 1.7.3.1. Revision 2 of the patch for JtR 1.7.3.1 adds support for SAP passwords (by sap friend), support for NetScreen ScreenOS passwords (by Samuel Mońux), other contributed improvements, some generic improvements originally introduced in JtR Pro, and many bug and portability fixes (for issues seen with previous revisions of jumbo patches). Please refer to the announcement for more detail.

July 18, 2008
John the Ripper 1.7.3.1 (another "development" version) is out. This is a minor update, which corrects the x86 assembly files for building on Mac OS X and adds some generic changes from JtR Pro.

July 16, 2008
There's a beta version of John the Ripper Pro 1.7.3.1 for Mac OS X included with every new purchase (and free for everyone who has purchased the product in the past). Similarly to JtR Pro for Linux, besides the update to 1.7.3+, this version adds official support for Windows NTLM (MD4-based) and Mac OS X 10.4+ salted SHA-1 hashes, and it includes native support for 64-bit capable Intel CPUs on Mac OS X 10.5+ (Leopard) within the Universal binary, which makes use of 64-bit mode extended SSE2. Also included is the brand new XPWDUMP tool, which dumps password hashes from Mac OS X systems for subsequent auditing/cracking. As a bonus, the full source code is also provided (it was not provided with 1.7.2 Pro for Mac OS X, the focus of which was on packaging, but with so many exciting new features, we're also being generous and we do share the revised and enhanced source code this time, including several added source files).

July 13, 2008
John the Ripper Pro 1.7.3 for Linux is out. Besides the update to 1.7.3 (and thus including all of the improvements of that version in a well-tested native package), new with this release is official support for Windows NTLM (MD4-based) and Mac OS X 10.4+ salted SHA-1 hashes. Also included is a pre-built RPM package for 64-bit capable systems, which makes use of 64-bit mode extended SSE2. This is a free upgrade for everyone who has purchased the product in the past.

July 10, 2008
John the Ripper 1.7.3 (a "development" version) is out, focusing on better x86-64 support. Most notably, two Blowfish-based crypt(3) hashes may now be computed in parallel for much better performance on x86-64 CPUs, and new make targets have been added for Mac OS X 10.5+ (Leopard) and recent versions of Solaris on 64-bit capable x86 processors, producing 64-bit builds that make use of the 64-bit mode extended SSE2. As a bonus, "DumbForce" and "KnownForce" external mode samples have been added to the default john.conf.

June 8, 2008
A patched version of mod_auth_mysql with support for phpass portable hashes has been added to the contributed resources list on the phpass homepage. This was indirectly contributed by Nikolay.

May 2, 2008
We've just setup the Openwall community wiki. The idea is to have a wiki "namespace" for each of our major projects, maybe resembling the structure of the main Openwall website - e.g., we have namespaces for Owl and John the Ripper. Users of our software and Openwall team members can populate those namespaces with relevant content. If you have something relevant to share, please register for a wiki account and edit away!

April 21, 2008
Revision 12 of the jumbo patch for John the Ripper 1.7.2 is out, adding support for HMAC-MD5 (by bartavelle), LMv2 challenge/response (by JoMo-Kun), half-of-LM-response (by Dhirendra Singh Kholia), EPiServer SID hashes (by Johannes Gumbel), and md5(md5($password) . $salt) as commonly used in PHP applications (by Albert Veli). This revision also includes a much faster implementation of old MySQL hashes (by Balázs Bucsay and Péter Kasza).

April 12, 2008
Solar Designer of Openwall has participated in an IBM-organized Global Innovation Outlook (GIO) "deep dive" on Security and Society (a day long brainstorming session, with only short coffee breaks and a lunch break). This dive was held on April 10 (with a welcome dinner the day before) in a fine 5-star hotel in the heart of Moscow. Five more dives on the topic are to follow in other cities around the world, then IBM is to publish a report. Meanwhile, you can find reports on past GIO topics on the IBM website, as well as read and comment on the GIO blog (maintained by Dan Briody).

We have joined the oCERT project (the Open Source Computer Emergency Response Team), in two ways: Solar Designer serves on the advisory board of oCERT (since February), and Openwall is a registered public member of oCERT such that we can be sure to receive notification of vulnerabilities pertaining to our software (and, far more likely, to third-party software that we redistribute as part of Openwall GNU/*/Linux) that will be handled via oCERT. Other Open Source projects are welcome to register with oCERT, too.

April 3, 2008
A cut-down and reworked version of our PHP password hashing framework (phpass) has been integrated into development versions of Drupal leading to the upcoming Drupal 7 release. There's also a module for Drupal 5 & 6 that makes the original phpass available with those versions of Drupal. More information is available on the phpass homepage.

March 1, 2008
A couple of weeks ago, we have setup the Open Source Software Security (oss-security) Wiki, which is the counterpart to the oss-security mailing list, and we have the initial content in place by now. Both the wiki and the mailing list are a product of cooperation amongst various Open Source software vendors, projects, and researchers. The purpose of the oss-security group is to encourage public discussion of security flaws, concepts, and practices in the Open Source community.

February 17, 2008
Archives of two Openwall-hosted community mailing lists, oss-security and xvendor, are now available on this website.
oss-security is a new discussion and collaboration mailing list for people involved with Open Source projects who care about security. xvendor is a very low volume list for information exchange between Unix-like OS distribution vendors (mostly Linux), and it has existed since 2002.

February 13, 2008
A new minor release of pam_passwdqc - version 1.0.5 - is out. In this version, the separator characters (used for randomly generated "passphrases") have been replaced with some of those defined by RFC 3986 as being safe within "userinfo" part of URLs without encoding, the default minimum length for passphrases has been reduced from 12 to 11 characters, and corrections to the documentation have been made.

February 12, 2008
Alexander Chemeris has contributed a Python module port of phpass 0.1, allowing for phpass portable hashes to be checked from Python applications. The module is linked from the contributed resources list on the phpass homepage.

December 15, 2007
Three popular web applications - phpBB3 (3.0.0 release), WordPress, and bbPress (current development versions) - have integrated our PHP password hashing framework (phpass) to provide more secure "storage" of users' passwords (of course, the passwords are not actually stored; the hashes are). Additionally, there's a module for Drupal 5 and patches for various development versions of Drupal to make use of phpass. The links for these can be found at the bottom of the phpass homepage.

November 14, 2007
Revision 9 of the jumbo patch for John the Ripper 1.7.2 is out, adding support for MySQL 4.1+ hashes based on SHA-1 (by Marti Raudsepp) and for Oracle hashes based on DES (by Simon Marechal). This revision also improves the performance at Mac OS X 10.4+ salted SHA-1 hashes for the multi-salt case.

October 30, 2007
Revision 8 of the jumbo patch for John the Ripper 1.7.2 is out. This revision adds support for Mac OS X 10.4+ salted SHA-1 hashes, as well as for two MS SQL hash types.

August 14, 2007
Linux 2.4.35-ow2 is out, including a fix for the parent process death signal vulnerability in the Linux kernel and two new security hardening features.

August 7, 2007
Linux 2.4.35-ow1 is out.

June 6, 2007
There's a new ISO-9660 image of Owl-current. The following packages have been significantly updated since the last ISO snapshot (January 9, 2007): PCRE, strace, BIND, OpenSSL, GnuPG, lftp, ELinks, file, Mutt, owl-cdrom. New with this ISO is support for booting off SATA and USB CD-ROM drives, in addition to IDE and SCSI ones (which were supported previously). (Obviously, not all SATA and SCSI controllers are supported, but the goal is to include support for common ones.)

JoMo-Kun has contributed a patch to add support for cracking of sniffed LM/NTLMv1 challenge/response exchanges to John the Ripper. The patch is now listed on John the Ripper homepage and it is part of the latest revision of the jumbo patch for John the Ripper 1.7.2.

March 20, 2007
Alain Espinosa's NTLM (MD4-based) hashes support patch for John the Ripper has been further updated to include optional SSE2 code for x86 and x86-64, resulting in even better performance.

March 4, 2007
John the Ripper Pro is now available for Mac OS X on both PowerPC and Intel Macs, making use of AltiVec and SSE2 acceleration, respectively.

February 25, 2007
The NTLM (MD4-based) and Windows credentials cache hashes support patches for John the Ripper linked from the contributed resources list on the John the Ripper homepage have been replaced with much faster (yet portable) implementations contributed by Alain Espinosa.

January 13, 2007
The Owl build environment has been enhanced to automate the generation of ISO-9660 images of Owl bootable CDs. This should enable us to put out updated ISOs of Owl-current more often, and we have just made one available under /pub/Owl/current/iso on the FTP mirrors. The following packages have been significantly updated since the 2.0 release, listed in order of first change: tar, bash, coreutils, sed, iptables, John the Ripper, Nmap, GnuPG, Postfix, setarch, netlist, gettext, db4, lftp, vixie-cron, Perl, acct, readline, chkconfig, vsftpd, BIND, bison, libtool, make, Linux-PAM, e2fsprogs, which, automake, patchutils, hdparm, Mutt, OpenSSL, gpm, gzip, the DHCP suite, OpenSSH, screen, texinfo, RPM, the installer (owl-setup), and the Linux kernel. The following new packages have been added: smartmontools and mkisofs. Additionally, with the updated build environment (that is part of Owl as released to the public), Owl users will be able to generate their own Owl ISOs.

December 27, 2006
Linux 2.4.34-ow1 is out.

October 29, 2006
We're starting to make available contributed Owl packages under /pub/Owl/contrib on the FTP mirrors. So far, 60+ packages for Owl 2.0 and 2.0-stable have been contributed by op5 AB. Please note that none of these packages are officially supported by the Openwall team. At the same time, the directory /pub/Owl/current/unofficial is retired (removed from the FTP mirrors).

The most recent Owl-current binary packages for SPARC architecture have been made available under /pub/Owl/current/sparc on the FTP mirrors. (Previously, only Owl 2.0 release and older packages were available pre-built for SPARC.)

September 8, 2006
There's an updated version of our portable PHP password hashing framework. The framework test program has been enhanced in numerous ways and a minor bug (that had no practical impact) in the framework itself has been fixed.

August 16, 2006
Linux 2.4.33-ow1 is out.

July 2, 2006
We've setup local web-based archives of Openwall mailing lists.

May 27, 2006
We have started making and maintaining commercial releases of John the Ripper, known as John the Ripper Pro.

John the Ripper Pro builds upon the free John the Ripper to deliver a commercial product better tailored for specific operating systems. It is distributed primarily in the form of "native" packages for the target operating systems.

May 23, 2006
New versions of popa3d (1.0.2) and crypt_blowfish (1.0.2) have been released adding minor optimizations specific to x86-64.

May 21, 2006
John the Ripper 1.7.2 ("development") adds bitslice DES code for x86-64 making use of the 64-bit mode extended SSE2 with 16 XMM registers.

May 11, 2006
John the Ripper 1.7.1 ("development") has been released including bitslice DES code for x86 with SSE2 for better performance at DES-based crypt(3) hashes on Pentium 4 and SSE2-capable AMD processors, as well as assorted high-level changes to improve performance on current x86-64 processors.

April 24, 2006
The SecurityFocus interview with Solar Designer on John the Ripper 1.7 is now available off the Openwall website.

April 23, 2006
Owl has been ported to the x86-64 architecture. The latest Owl-current binary packages for x86-64 have been made available under /pub/Owl/current/x86_64 on the FTP mirrors. Currently, these packages have to be installed off a system that is already running an x86-64 build of the Linux kernel. We're planning to create and make available a bootable CD image for x86-64 a bit later.

March 25, 2006
The Owl 2.0-stable branch will now be made available on the FTP mirrors. The changes since Owl 2.0 so far include security and bug fix updates to tar, GnuPG, and John the Ripper.

March 23, 2006
It is now possible to purchase a download of a compressed ISO image of our wordlists collection CD instead of placing an order for the physical CD. This may be preferable if you would like to gain access to the entire CD content immediately or if it is inconvenient for you to receive the CD by mail.

John the Ripper 1.7.0.2 is out adding a fix for a long-standing bug in the rule preprocessor which caused some duplicate characters to not be omitted on 64-bit platforms.

The contributed netlist program listed on the Openwall Linux kernel patch homepage has been updated to version 2.1, featuring support for Linux 2.6.x kernels and better performance. netlist is a tool for users to list their own active Internet connections and sockets, especially when access to the /proc filesystem is restricted.

March 10, 2006
There's a new "stable" version of John the Ripper (1.7.0.1). Changes made since the 1.7 release are limited to minor bug and portability fixes, better handling of certain uncommon scenarios and improper uses of John, and the addition of a "keyboard cracker" to the default john.conf (john.ini) that will try sequences of adjacent keys on a keyboard as passwords.

Also made available today are minor updates to popa3d (1.0.1), scanlogd (2.2.6), and crypt_blowfish (1.0.1) needed for compiling with glibc 2.3.90+ C header files (no CLK_TCK).

February 23, 2006
SecurityFocus has published an interview with Solar Designer on John the Ripper 1.7. Federico Biancuzzi interviews Solar Designer, creator of the popular John the Ripper password cracker. Solar Designer discusses what's new in version 1.7, the advantages of popular cryptographic hashes, the relative speed at which many passwords can now be cracked, and how one can choose strong passphrases (forget passwords) that are harder to break.

The contributed resources list on John the Ripper homepage has been updated to include a jumbo patch for version 1.7 and a package of 1.7 with the jumbo patch applied pre-compiled for Win32. The jumbo patch enables processing of many password hash types and ciphers that are not supported by the official JtR.

February 15, 2006
After many public Owl-current snapshots, Openwall GNU/*/Linux 2.0 is finally out. Owl 2.0 is available for purchase on a CD as well as for download off the mirrors. The major changes made since 1.1 are documented.

Owl 2.0 is built around Linux kernel 2.4.32-ow1, glibc 2.3.6 (with our security enhancements), gcc 3.4.5, and recent versions of over 100 other packages. It offers binary- and package-level compatibility for most packages intended for Red Hat Enterprise Linux 4 (RHEL4) and Fedora Core 3 (FC3), as well as for many FC4 packages.

January 26, 2006
The long-awaited John the Ripper 1.7 release is out. The changes made since the last development snapshot (1.6.40) are minor (it's primarily the availability of official Win32 and DOS builds, in addition to the source code for Unix systems), however the changes made since 1.6 are substantial.

January 22, 2006
There's a new ISO-9660 image of Owl-current. The following packages have been significantly updated since the last ISO snapshot (December 8, 2005): man-pages (including the addition of POSIX man pages), Postfix, John the Ripper, VIM, libnet, libnids, chkconfig, db4, gcc, man, hdparm, diffstat, tcb, Linux-PAM, dialog, glibc, bash, Nmap, libutempter, strace, and the installer (owl-setup).

January 15, 2006
A new version of pam_mktemp (1.0.2) is out. pam_mktemp can now be compiled on systems with Linux 2.6.x kernel headers (as well as with older kernel versions).

January 5, 2006
Damien Miller has developed and contributed a plugin password strength checker for OpenBSD based on pam_passwdqc. This plugin is now linked from the contributed resources list on the pam_passwdqc web page.

January 3, 2006
The first "mature" version of our password hashing package, crypt_blowfish 1.0, is out.

This version corrects a bug in the way salts for extended DES-based and for MD5-based password hashes are generated with the crypt_gensalt*() family of functions (thanks to Marko Kreen for discovering and reporting this). The bug would result in a higher than expected number of matching salts with large numbers of password hashes of the affected types. crypt_gensalt*()'s functionality for Blowfish-based (bcrypt) hashes that crypt_blowfish itself implements and for traditional DES-based crypt(3) hashes was not affected.

December 29, 2005
The tcb suite implementing our alternative password shadowing scheme became mature enough for its 1.0 release. New with this release are support for OpenPAM (on Linux) and support for the new interfaces provided by Linux-PAM 0.99.1.0 and above. Older versions of Linux-PAM continue to be supported, too.

December 24, 2005
The most recent Owl-current binary packages for Alpha architecture (EV56 and above) have been made available under /pub/Owl/current/alphaev56 on the FTP mirrors. (Previously, only Owl 1.1 release packages were available pre-built for Alpha.)

December 17, 2005
A new development version of John the Ripper (1.6.40) is out, including updated charset files, password.lst (the common passwords list), and a new pre-defined "incremental" mode "Alnum" (for alphanumeric). Many enhancements to the code have been made, including to the handling of hex-encoded hashes (such as LM hashes), the Makefile, the "p" (pluralize) wordlist rules command, unafs, and charset files handling. A few bugs have been fixed, too.

December 9, 2005
There's a new ISO-9660 image of Owl-current. The following components have been significantly updated since the last ISO snapshot (September 13, 2005): util-linux, findutils, CVS, tcsh, OpenSSL, RPM, elfutils-libelf, SILO, setarch (replaces sparc32), kbd, LILO, m4, net-tools, coreutils, zlib, strace, file, SysVinit, modutils, Linux-PAM, procmail, Postfix, Nmap, glibc, sed, patch, quota, tar, traceroute, grep, cpio, libpcap, GnuPG, vsftpd, Perl, the installer (owl-setup), and the Linux kernel. The following new packages have been added: CDK, BIND, OpenNTPD, tinycdb, PCRE, indent.

December 7, 2005
Additional contributed patches are now listed on John the Ripper homepage, adding support for Post.Office MD5-based hashes and Lotus Domino salted hashes.

November 26, 2005
Linux 2.4.32-ow1 is out.

November 8, 2005
The most recent Owl-current binary packages for SPARC architecture have been made available under /pub/Owl/current/sparc on the FTP mirrors. (Previously, only Owl 1.1 release packages were available pre-built for SPARC.)

September 13, 2005
A new development version of John the Ripper (1.6.39) is out, including the updated documentation and more.

There's a new ISO-9660 image of Owl-current featuring an initial version of our new installer. Other packages significantly updated since the last ISO snapshot (July 3, 2005) include: LILO, OpenSSH, mtree, strace, Postfix, sysklogd, libutempter, Linux-PAM, SimplePAMApps, tcb, procps, and John the Ripper.

September 6, 2005
All of John the Ripper documentation has been updated to reflect changes made in the latest development versions. The updated documentation can now be browsed online.

July 14, 2005
We've setup a web page dedicated to Silence on the Wire, Michal Zalewski's excellent book.

July 3, 2005
A new ISO-9660 image of Owl-current has been made available via the FTP mirrors.

June 3, 2005
Linux 2.4.31-ow1 is out.

May 30, 2005
We're making public the initial version of our portable PHP password hashing framework for use in your PHP applications.

May 26, 2005
popa3d 1.0 is out. The changes since the previous release (0.6.4.1) are minimal.

May 12, 2005
Linux 2.4.30-ow3 is out, adding a fix to the ELF core dump vulnerability discovered by Paul Starzetz and more.

May 11, 2005
A new development version of John the Ripper (1.6.38) is out, featuring official AltiVec support (on Mac OS X and Linux/PPC) and better performance at LM hashes (on most modern systems).

April 22, 2005
Many brilliant buttons (80x15, 80x29) are now available for links to the Openwall GNU/*/Linux (Owl) homepage off your blogs and such. This is in addition to the usual microbuttons (88x31). If you're running Owl on a webserver, please do remember to link back to us thereby supporting future development of Owl. In fact, even if you're not running Owl, you're still welcome to link to us, provided that you use other than the "powered" buttons.

April 19, 2005
Three of our PAM modules became mature enough for their 1.0 releases. These are pam_passwdqc, pam_userpass, and pam_mktemp. All three have existed since Y2K and are part of several OS distributions.

April 16, 2005
We're making available unofficial/unsupported packages for use of Owl-current on a workstation. These packages can be found under /pub/Owl/current/unofficial on the FTP mirrors. Included are unofficial rebuilds of some Fedora Rawhide packages: X.org X11, Blackbox, WindowMaker, Firefox; GTK 2 and other X and graphics libraries; Python, tcl, tk, tix; various small packages. Also included are OpenOffice.org packages which are known to install and work on Owl-current with the Fedora packages already installed.

Please note that Owl is intended for use on servers only. Its use on a workstation will likely only make sense for Owl developers and contributors who might want to test cutting-edge Owl updates on their immediate computers. Read the full announcement here.

April 8, 2005
Linux 2.4.30-ow1 is out.

March 6, 2005
A new ISO-9660 image of Owl-current has been made available via the FTP mirrors.

January 20, 2005
Linux 2.4.29-ow1 is out. Linux 2.4.29, and thus 2.4.29-ow1, adds a number of security fixes.

Owl-current has been updated to GCC 3.4.3 and glibc 2.3.3+. Please refer to the change log for information on this and other recent updates.

November 26, 2004
The contributed resources list on John the Ripper homepage has been revised, adding patches which provide support for cracking Kerberos v5 TGTs, Netscape LDAP SSHA (salted), Apache MD5-based "apr1", and raw MD5 (hex-encoded) hashes, and a patch for taking advantage of PowerPC w/ AltiVec (128-bit) under Mac OS X for much better performance at DES-based hashes.

November 20, 2004
Linux 2.4.28-ow1 is out. Linux 2.4.28, and thus 2.4.28-ow1, fixes a number of security-related bugs.

November 3, 2004
After more than two months of active development, we're pleased to make available a new snapshot of Owl-current based around newer versions of glibc and RPM. Many other updates to Owl packages, build environment, and documentation have been made as well, please refer to the change log for information on the more important ones. This update will permit for installation of packages from or intended for newer versions of Red Hat Linux, including commercial/closed-source ones, on Owl.

August 14, 2004
Linux 2.4.27-ow1 is out.

August 4, 2004
Linux 2.4.26-ow3 is out. This corrects the access control check in the Linux kernel which previously wrongly allowed any local user to change the group ownership of arbitrary NFS-exported/imported files (CAN-2004-0497) and adds a workaround for the file offset pointer races discovered by Paul Starzetz (CAN-2004-0415).

June 19, 2004
Linux 2.4.26-ow2 is out. This update fixes multiple security-related bugs in the Linux kernel (those discovered by Al Viro using "Sparse", fsave/frstor local DoS on x86, infoleak in the e1000 driver, and some others) as well as two non-security bugs in the patch itself. Please refer to the announcement for detailed information on the changes.

June 6, 2004
We've setup a CVSweb server which provides convenient access to the entire Openwall GNU/*/Linux (Owl) CVS tree including source code for Owl and consequently also for most other pieces of Openwall software which are now maintained as part of Owl but are also made available separately. The CVSweb server allows the more experienced users and other software developers to easily browse through revision history and compare different versions of any source file that we've been working on.

June 3, 2004
There's a new version of the port scan detection tool, scanlogd 2.2.4. This has many minor code cleanups and enhancements, and includes RPM spec file and startup script directly usable on Red Hat Linux and on other compatible distributions.

April 26, 2004
A new version of the password hashing package, crypt_blowfish 0.4.6, has been released. This adds a patch for easy integration of crypt_blowfish into glibc versions 2.2 through 2.3.2 (as well as 2.1 through 2.1.3 which were supported previously). Other minor updates are included as well.

April 17, 2004
Linux 2.4.26-ow1 and 2.0.40-ow1 are out.

April 15, 2004
The Owl 1.1-stable branch will now be made available on the FTP mirrors.

March 1, 2004
Linux 2.2.26-ow1 is out.

February 23, 2004
There's a new development version of John the Ripper (1.6.37) which adds support for Linux/x86-64 (both 32-bit with MMX and native 64-bit) and OpenBSD/x86 with ELF binaries (previously only older versions of OpenBSD which still used a.out binaries were fully supported).

February 21, 2004
Linux 2.2.25-ow2 is out and includes workarounds and fixes for several Linux kernel vulnerabilities. Upgrading of existing Linux 2.2.x installs is strongly recommended.

February 20, 2004
Linux 2.4.25-ow1 is out. Upgrading of existing 2.4.23-ow2 and 2.4.24-ow1 installs is not strictly required for most users.

January 8, 2004
Linux 2.4.24-ow1 is out. Upgrading of existing 2.4.23-ow2 installs is not required.

January 5, 2004
Linux 2.4.23-ow2 is out and adds fixes for two Linux kernel vulnerabilities.

Owl 1.1 is now available for download (as well as for purchase on a CD). Owl 1.1 already includes Linux 2.4.23-ow2 as the kernel.

December 22, 2003
After another year of development and many public Owl-current snapshots, Openwall GNU/*/Linux (Owl) release 1.1 is finally out. Owl 1.1 is currently available for purchase on a CD and will also be made available for download in January. The major changes made since 1.0 are documented.

November 29, 2003
Linux 2.4.23-ow1 is out.

November 2, 2003
New versions of the PAM modules are available, including pam_passwdqc 0.7.5. pam_passwdqc will now assume invocation by root only if both the UID is 0 and the PAM service name is "passwd"; this should fix changing expired passwords on Solaris and HP-UX and make "enforce=users" safe. The proper English explanations of requirements for strong passwords will now be generated for a wider variety of possible settings.

October 10, 2003
An extensive wordlists collection with wordlists for 20+ human languages and lists of common passwords is now available for download or purchase on a CD.

September 15, 2003
There's a new development version of John the Ripper featuring an event logging framework. John now logs how it proceeds through stages of each of its cracking modes.

August 28, 2003
Linux 2.4.22-ow1 is out.

July 6, 2003
Linux 2.4.21-ow2 is out and adds fixes for two Linux kernel vulnerabilities recently discovered by Paul Starzetz.

June 15, 2003
Linux 2.4.21-ow1 is out.

April 27, 2003
msulogin is now available separately from Owl. msulogin is an implementation of sulogin single user mode login program which adds support for having multiple root accounts on a system.

March 20, 2003
Linux 2.2.25-ow1 is out.

March 10, 2003
popa3d 0.6.2 corrects the rate limiting of a log message (problem spotted by Michael Tokarev) and provides documentation updates, including a change log to which you can refer for more detailed information on the changes.

March 4, 2003
popa3d 0.6.1 adds version identification (popa3d -V) and more correct logging of abnormally terminated POP3 sessions.

February 22, 2003
There's a new stable release of popa3d, version 0.6. Changes since the last stable release (0.5.1) are limited to bug, correctness, and interoperability fixes (this includes a workaround for an Outlook Express client bug which would show up on body-less messages).

February 9, 2003
We're making public the updated Openwall GNU/*/Linux presentation slides as used at FOSDEM, the third Free and Open source Software Developers' European Meeting, on February 8-9, in Brussels, Belgium. There's also the pre-FOSDEM interview with Solar Designer available on the conference website.

January 11, 2003
The PAM modules and the tcb suite that were originally developed for Owl are now also conveniently linked from this website.

December 16, 2002
A popa3d Maildir support patch has been added to the contributed patches list on the popa3d homepage.

December 5, 2002
Linux 2.2.23-ow1 is out.

It is now possible to run John the Ripper on OpenVMS (both Alpha and VAX) targeting any of the supported hash types, and to crack OpenVMS passwords (SYSUAF.DAT) when running on any of the supported platforms, due to patches and VMS executables contributed by Jean-loup Gailly.

November 27, 2002
Linux 2.2.22-ow2 improves the "lcall" DoS fix for the Linux kernel to cover the NT (Nested Task) flag attack discovered by Christophe Devine.

November 14, 2002
BIND 4.9.10-OW2 includes the patch provided by ISC for the recently discovered vulnerabilities in BIND 4 and 8.

October 15, 2002
After over a year of development and many public Owl-current snapshots, Owl 1.0 is finally out.

October 7, 2002
A Russian translation of the Owl documentation and web pages is available.

October 1, 2002
BIND 4.9.10 and 4.9.10-OW1 have been released and fix a read beyond end of buffer vulnerability in the resolver library. The impact is believed to be very minor (if any). The DNS server itself (named) is unaffected.

September 17, 2002
Linux 2.2.22-ow1 is out.

September 10, 2002
Linux 2.2.21-ow2 includes many security fixes for issues with the Linux kernel discovered during code reviews by Silvio Cesare, Solar Designer, and others.

August 30, 2002
It is now possible to order Owl on a CD.

July 31, 2002
A new version of the password strength checking PAM module pam_passwdqc 0.6 has been released and offers support for HP-UX 11 (in addition to Linux, FreeBSD, and Solaris) and a pam_passwdqc(8) manual page (imported back from FreeBSD).

June 29, 2002
Updated BIND 4.9.x patches have been released to correct the recently discovered vulnerability in the resolver library code included with BIND.

May 3, 2002
We're making public the updated Openwall GNU/*/Linux presentation slides as used at CanSecWest/core02 information security conference on May 1-3, in Vancouver, Canada.

April 18, 2002
New versions of pam_passwdqc, the password strength checking PAM module, and popa3d, the POP3 server, are available. pam_passwdqc 0.5 adds support for OpenPAM as found on FreeBSD-current, thanks to Dag-Erling Smorgrav. It also became part of FreeBSD. popa3d 0.5.1 changes the way unique IDs are generated.

March 3, 2002
Linux 2.2.20-ow2 fixes an x86-specific vulnerability in the Linux kernel discovered by Stephan Springl where local users could abuse a binary compatibility interface (lcall) to kill processes not belonging to them (including system processes).

February 27, 2002
We're making public our NordU2002 presentation slides on Openwall GNU/*/Linux and on SSH Traffic Analysis (which is just an updated version of the HAL2001 presentation).

November 4, 2001
pam_passwdqc version 0.4 has been released. This version adds support for Solaris with native pam_unix.

November 3, 2001
Linux 2.2.20-ow1 has been released.

October 28, 2001
There's a new stable release of popa3d, version 0.5. This has all of the features added in post-0.4 development versions plus a man page.

October 18, 2001
Linux 2.2.19-ow3 fixes two Linux kernel vulnerabilities discovered by Rafal Wojtczuk. Please refer to the Owl change log for information on the vulnerabilities and how they affect Owl. Of the two newly discovered vulnerabilities, Linux 2.0.39-ow3 is only affected by the DoS.

September 11, 2001
popa3d 0.4.9.4 fixes two bugs introduced with recent development versions (oops). Please update.

September 8, 2001
popa3d 0.4.9.3 now runs parts of its code in a chroot jail. It also adds certain bits of functionality that previously were missing or available as third-party patches only. Please test and report any problems you might have with this development version, especially on less common platforms, as popa3d is approaching a stable release.

August 22, 2001
We're making available our HAL2001 presentation slides on SSH traffic analysis.

August 6, 2001
We've updated our security advisory on Passive Analysis of SSH (Secure Shell) Traffic with additional vendor fix information for TTSSH and for affected Cisco products. The updated advisory includes a bugfixed and improved version of SSHOW, the tiny SSH traffic analysis tool we use to demonstrate the attacks.

June 29, 2001
We've started maintaining a stable branch of Owl, based on Owl 0.1-prerelease. This branch will have all significant reliability and security fixes necessary to use Owl in production - even before its feature set is complete for it to be called 1.0. Another recent addition is the OpenBSD-like change logs for both the current and the stable branch.

June 20, 2001
popa3d 0.4.9.1 has been released. The license for the entire package has been relaxed, and popa3d should be smaller and more portable now. This is due to the new MD5 routines.

May 28, 2001
popa3d 0.4.9 is available for testing. Expect a new stable release soon.

May 12, 2001
After months of development we're making public a prerelease of Owl, our security-enhanced server platform with Linux and GNU software as its core.

May 10, 2001
A new version of the password hashing package, crypt_blowfish 0.4, has been released. It adds two functions and a manual page describing the programming interfaces, including on systems based on the GNU C Library with crypt_blowfish patched into libcrypt.

April 19, 2001
A new development version of John the Ripper (1.6.24-dev) adds a cracker for passwords you might have generated with Strip 0.5. The cracker is implemented in john.conf as an "external mode" and will try all passwords Strip could generate with all possible settings. Other uses of Strip are unaffected. The cracker is based on analysis by Thomas Roessler and Ian Goldberg.

March 26, 2001
Linux 2.2.19-ow1 and 2.0.39-ow3 have been released. Please upgrade to at least one of these versions of the kernel/patch as Linux 2.2.19 is an important security update.

March 19, 2001
We've just published a security advisory entitled Passive Analysis of SSH (Secure Shell) Traffic. This advisory demonstrates several weaknesses in implementations of SSH (Secure Shell) protocols. When exploited, they let the attacker obtain sensitive information by passively monitoring encrypted SSH sessions. Fix information, patches to reduce the impact of traffic analysis, and a tool to demonstrate the attacks are provided.

February 9, 2001
Updated Linux kernel patches have been released, which include fixes for the two recently announced Linux kernel vulnerabilities, both of which can result in a local root compromise.

January 29, 2001
Updated BIND 4.9.x patches have been released, which include fixes for the recently discovered BIND vulnerabilities.

Quick Comment:

385933