Message-ID: <CAOersQrd3AQGrMUOnxhtnmwfR1qanRt0pE8pcZL3XxGc5x5K2Q@mail.gmail.com>
Date: Wed, 5 Sep 2018 09:43:11 +0100
From: Lee Hutton <leehutton1983@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: Questions regarding WPA Password audit

Hi Johnny,

For my own audits I use something very similar (UK based but run wordlists
of most European countries due to my work) to check the integrity of a
password. I'd say that your measures would constitute a medium/strong
password if all attempts thus far have failed to return a positive result.

A lot of the time a password's strength for me is also determined by the
company/organisation I'm auditing. If it's a tech orientated company (or a
large well-known corporation) then I push for a top end password strength
due to the nature of the business; for lesser known companies or little to
no tech relation then a medium password suffices.

Hope this is of help

Lee Hutton

On Wed, 5 Sep 2018 at 09:34, JohnyKrekan <krekan@...nykrekan.com> wrote:

> Hello, I would like to ask questions regarding WPA password strength audit.
> 1. What steps or how many passwords would you try against a single WPA-PSK
> hash to mark this hash "strong enough" when your search does not find the
> right one?
> My test consists of the following steps:
> 1. All 8+ words from common languages.
> 2. Two well known WPA wordlists which can be downloaded as torrent (approx
> 13 gb in size - see
> https://forums.hak5.org/topic/29308-13gb-44gb-compressed-wpa-wpa2-word-list-982963904-words/)
> 3. All 8 digit numbers (I have found that many routers use 8 digit decimal
> numbers)
> 4. Slovakian (my nation) wordlist using password mutation rules (like
> adding numbers, changing cases, also I use those rules on common English
> wordlist...)
> The mentioned rules are generating about 600 derived passwords from each
> word.
> After passing these steps with no success, the password is considered "not
> so weak".
> Questions:
> 1. What other steps would you recommend to add to this password audit
> process?
> 2. Have you encountered that 8 or 10 character hexadecimal numbers are
> used as WPA passwords? If yes what is the character case? Small or capital?
> Thanx for any suggestions.
> Johny Krekan
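
An added example, not part of the original thread or written by either poster: a check a network owner could run on a proposed WPA passphrase to see which of the audit classes listed above would already cover it, with the keyspace size where it is fixed. The names `audit_classes`, `strip_mutations` and `SAMPLE_WORDS` are hypothetical, the wordlist is a constructed sample, and the mutation handling is a simplified stand-in for the roughly 600 rules per word mentioned in the thread.

```python
import re

# Constructed sample wordlist (assumption); a real check would load the
# language wordlists that the audit itself uses.
SAMPLE_WORDS = {"password", "internet", "bratislava", "heslo"}


def strip_mutations(psk):
    """Undo the simple mutations named in the thread: changed case and
    digits added before or after a word."""
    return re.sub(r"^\d+|\d+$", "", psk).lower()


def audit_classes(psk, words=SAMPLE_WORDS):
    """Return (class, keyspace) pairs for each audit step that covers psk.

    keyspace is None where the size depends on the wordlist in use.
    An empty list means none of the listed steps would reach the passphrase.
    """
    # WPA-PSK passphrases are 8 to 63 characters long.
    if not 8 <= len(psk) <= 63:
        return [("invalid length for a WPA passphrase", None)]
    hits = []
    if re.fullmatch(r"\d{8}", psk):
        hits.append(("8-digit decimal", 10 ** 8))
    for n in (8, 10):
        # Either all-lowercase or all-uppercase hex; the keyspace given is
        # for one case. All-digit strings fall inside this space as well.
        if re.fullmatch(r"[0-9a-f]{%d}|[0-9A-F]{%d}" % (n, n), psk):
            hits.append(("%d-character hexadecimal" % n, 16 ** n))
    if psk in words:
        hits.append(("dictionary word, 8+ characters", None))
    elif strip_mutations(psk) in words:
        # Short words count too: "heslo" plus three digits reaches length 8.
        hits.append(("dictionary word with mutation rules", None))
    return hits


if __name__ == "__main__":
    for candidate in ("12345678", "deadbeef", "heslo123", "Password1",
                      "correct horse battery staple"):
        print(repr(candidate), audit_classes(candidate))
```

An empty result only means the passphrase falls outside these specific classes, not that it is strong.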