Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20080528011510.GA21563@openwall.com>
Date: Wed, 28 May 2008 05:15:10 +0400
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: 15 characters

On Tue, May 27, 2008 at 08:28:28PM -0400, bofh wrote:
> Any ideas what
> 
> A-Z
> a-z
> 0-9
> !@...^*()
> 
> would take at 10 and 12 characters?

Can't you do some math on your own?

Anyway, at 10M c/s, your 71 different characters at lengths up to 10
will take over 10 thousand years.  Average time to get a password hash
cracked by naive brute-force search may be on the order of 5-6 thousand
years.  This is why you just should not go for that approach for these
character sets and lengths.

> How difficult would that be to implement?

It's trivial.  Just take the DumbForce external mode from the posting I
referred to and modify init() accordingly.

> I'm not really looking at cracking an entire password file, I'm
> more of looking at a proving a point to some business folks.

You should look for a different way to prove it - not by going for
exhaustive search over a certain character set and range of lengths.
Perhaps there are plenty of weak passwords, despite of their length.

JtR is not supposed to crack every single password in a reasonable
amount of time.  This is why it makes sense to detect and eliminate weak
passwords.

Also, you've never mentioned the hash type you're dealing with, although
it is very relevant and might affect my advice.

Alexander

-- 
To unsubscribe, e-mail john-users-unsubscribe@...ts.openwall.com and reply
to the automated confirmation request that will be sent to you.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.