Openwall Project
bringing security into open environments
Software you can find here:
These (and a few other) packages are also available via FTP from
ftp.openwall.com and its
mirrors.
You are encouraged to use the mirrors, but be sure to verify the
signatures on software you download.
The more experienced users and software developers may use our
CVSweb server
to browse through the source code for most pieces of Openwall software
along with revision history information for each source file.
We publish security advisories,
do presentations,
offer a number of services, and
accept donations.
We also maintain a
wordlists collection
for use with password crackers such as
John the Ripper
and with password recovery utilities,
and a collection of pointers to
password recovery resources on the Net.
Finally, we host
community resources
such as
mailing lists and
a wiki
for users of Openwall software
and for other Open Source and computer security folks.
If you would like to be notified of updates to this website and the packages
hosted here, you can subscribe to the announcement mailing list
by sending an empty message to
<announce-subscribe at lists.openwall.com> or entering your
e-mail address below.
You will be required to confirm your subscription by "replying"
to the automated confirmation request that will be sent to you.
You will be able to unsubscribe at any time and we will not use your e-mail
address for any other purposes or share it with a third party.
The list traffic is very low (1-2 messages a month).
You may review past announcements here.
May 24, 2009
Linux 2.4.37.1-ow1 is out.
Linux 2.4.37.1, compared to 2.4.35-ow2,
adds numerous security-relevant fixes to various kernel subsystems.
April 29, 2009
A standalone program to call the password complexity checking functions of
pam_passwdqc (e.g., from a script) has been
contributed by Wolfram Wagner and added to the contributed resources list
on the
pam_passwdqc homepage.
March 27, 2009
The collection of
PWDUMP tools
has been updated.
These tools can be used to obtain password hashes from Windows systems
for password security auditing or password recovery.
PDFCrack, a free and Open Source command-line tool,
has been added to the web page on
PDF password crackers.
March 18, 2009
We have just published
"IPv6: What, Why, How",
a presentation by Jen Linkova aka Furry.
August 25, 2008
As
announced on john-users,
the jumbo patch has been updated to
John the Ripper version 1.7.3.1.
Revision 2 of the patch for JtR 1.7.3.1 adds
support for SAP passwords (by sap friend),
support for NetScreen ScreenOS passwords (by Samuel Moñux),
other contributed improvements,
some generic improvements originally introduced in JtR Pro,
and many bug and portability fixes
(for issues seen with previous revisions of jumbo patches).
Please refer to the
announcement for more detail.
July 18, 2008
John the Ripper 1.7.3.1
(another "development" version) is out.
This is a minor update,
which corrects the x86 assembly files for building on Mac OS X
and adds some generic changes from JtR Pro.
July 16, 2008
There's a
beta version of John the Ripper Pro 1.7.3.1 for Mac OS X
included with every new purchase (and free for everyone who has purchased the
product in the past).
Similarly to JtR Pro for Linux, besides the update to 1.7.3+,
this version adds
official support for Windows NTLM (MD4-based)
and Mac OS X 10.4+ salted SHA-1 hashes,
and it includes
native support for 64-bit capable Intel CPUs on
Mac OS X 10.5+ (Leopard) within the Universal binary,
which makes use of 64-bit mode extended SSE2.
Also included is the brand new XPWDUMP tool, which dumps password hashes
from Mac OS X systems for subsequent auditing/cracking.
As a bonus, the full source code is also provided (it was not provided
with 1.7.2
Pro for Mac OS X, the focus of which was on packaging,
but with so many exciting new features, we're also being generous and we
do share the revised and enhanced source code this time,
including several added source files).
July 13, 2008
John the Ripper Pro 1.7.3 for Linux
is out.
Besides the update to 1.7.3 (and thus including all of the improvements of
that version in a well-tested native package),
new with this release is
official support for Windows NTLM (MD4-based)
and Mac OS X 10.4+ salted SHA-1 hashes.
Also included is a pre-built RPM package for 64-bit capable systems,
which makes use of 64-bit mode extended SSE2.
This is a free upgrade for everyone who has purchased the product in the past.
July 10, 2008
John the Ripper 1.7.3 (a "development" version) is out,
focusing on better x86-64 support.
Most notably, two
Blowfish-based crypt(3)
hashes may now be computed in parallel for much better performance on
x86-64 CPUs, and new make targets have been added for Mac OS X 10.5+ (Leopard)
and recent versions of Solaris on 64-bit capable x86 processors, producing
64-bit builds that make use of the 64-bit mode extended SSE2.
As a bonus, "DumbForce" and "KnownForce" external mode samples have been added
to the default john.conf.
June 7, 2008
The
section on password recovery has been updated
with information on recent
ElcomSoft
product changes.
The most notable changes are as follows:
Enterprise Edition of
Advanced Office Password Breaker
now includes a DVD with pre-computed hash tables ("rainbow tables"),
which enables it to unlock 99.5% of Word documents in less than a minute.
Enterprise Edition of
Advanced PDF Password Recovery
now includes revised pre-computed hash tables on the DVD (improving upon the
"rainbow tables" technique), for 100% success rate at recovering "40-bit" PDF
passwords in a matter of minutes.
Professional Edition of
Advanced EFS Data Recovery
is now able to locate master and private keys in deleted files,
and often also on re-formatted disks and overwritten Windows installs,
scanning the disk sector-by-sector and using patterns to locate the keys.
May 2, 2008
We've just set up the
Openwall community wiki.
The idea is to have a wiki "namespace" for each of our major projects,
maybe resembling the structure of the main Openwall website -
e.g., we have namespaces for Owl and John the Ripper.
Users of our software and Openwall team members can populate those
namespaces with relevant content.
If you have something relevant to share,
please register for a wiki account and edit away!
April 21, 2008
Revision 12 of the jumbo patch for
John the Ripper 1.7.2 is out, adding support for
HMAC-MD5 (by bartavelle),
LMv2 challenge/response
(by JoMo-Kun),
half-of-LM-response (by Dhirendra Singh Kholia),
EPiServer SID hashes (by Johannes Gumbel),
and md5(md5($password) . $salt) as commonly used in PHP applications
(by Albert Veli).
This revision also includes
a much faster implementation of old MySQL hashes
(by Balázs Bucsay and Péter Kasza).
April 12, 2008
Solar Designer of Openwall has participated in an IBM-organized
Global Innovation Outlook (GIO) "deep dive"
on Security and Society (a day long brainstorming session, with only
short coffee breaks and a lunch break).
This dive was held on April 10 (with a welcome dinner the day before)
in a fine 5-star hotel in the heart of Moscow.
Five more dives on the topic are to follow in other cities around the world,
then IBM is to publish a report.
Meanwhile, you can find detailed reports on past GIO topics on the
IBM website section dedicated to the GIO initiative, as well as read and
comment on the
GIO blog (maintained by
Dan Briody).
We have joined the
oCERT project
(the Open Source Computer Emergency Response Team), in two ways:
Solar Designer serves on the advisory board of oCERT (since February),
and Openwall is a registered public member of oCERT such that we can be sure
to receive notification of vulnerabilities pertaining to our software (and,
far more likely, to third-party software that we redistribute as a part of
Openwall GNU/*/Linux) that will be handled via oCERT.
Other Open Source projects are welcome to
register with oCERT, too.
(We're also a member of
oss-security and
vendor-sec, and are registered with the
CERT/CC.)
March 1, 2008
A couple of weeks ago, we set up the
Open Source Software Security (oss-security) Wiki,
which is the counterpart to the
oss-security mailing list, and we have the initial content in place by now.
Both the wiki and the mailing list are a product of cooperation amongst
various Open Source software vendors, projects, and researchers.
The purpose of the oss-security group is to encourage public discussion
of security flaws, concepts, and practices in the Open Source community.
February 17, 2008
Archives of two Openwall-hosted community mailing lists,
oss-security and xvendor, are now
available on this website.
oss-security
is a new discussion and collaboration mailing list
for people involved with Open Source projects who care about security.
xvendor
is a very low volume list for information exchange between Unix-like OS
distribution vendors (mostly Linux), and it has existed since 2002.
February 13, 2008
A new minor release of
pam_passwdqc - version 1.0.5 - is out.
In this version, the separator characters (used for randomly generated
"passphrases") have been replaced with some of those defined by RFC 3986
as being safe within "userinfo" part of URLs without encoding, the
default minimum length for passphrases has been reduced from 12 to 11
characters, and corrections to the documentation have been made.
February 12, 2008
Alexander Chemeris has contributed a Python module port of
phpass 0.1,
allowing for phpass portable hashes to be checked from Python applications.
The module is linked from the contributed resources list on the
phpass homepage.
News archive (since 2001)