Openwall Project
bringing security into open environments
 

Software you can find here:

These (and a few other) packages are also available via FTP from ftp.openwall.com and its mirrors. You are encouraged to use the mirrors, but be sure to verify the signatures on software you download.

The more experienced users and software developers may use our CVSweb server to browse through the source code for most pieces of Openwall software along with revision history information for each source file.

We publish security advisories, do presentations, offer a number of services, and accept donations.

We also maintain a wordlists collection for use with password crackers such as John the Ripper and with password recovery utilities, and a collection of pointers to password recovery resources on the Net.

Finally, we host community resources such as mailing lists and wiki for users of Openwall software and for other Open Source and computer security folks.

If you would like to be notified of updates to this website and the packages hosted here, you can subscribe to the announcement mailing list by sending an empty message to <announce-subscribe at lists.openwall.com> or entering your e-mail address below. You will be required to confirm your subscription by "replying" to the automated confirmation request that will be sent to you. You will be able to unsubscribe at any time and we will not use your e-mail address for any other purposes or share it with a third party. The list traffic is very low (1-2 messages a month). You may review past announcements here.


June 5, 2009
We've just set up a web page with some Owl-current live CD screenshots.

May 27, 2009
There are new ISO-9660 images of Owl-current for x86 and x86-64 available for download from our FTP mirrors. A lot of packages have been significantly updated and some new ones have been added since the last ISO snapshot mentioned in a news item. The Linux kernel has been updated to 2.4.37.1-ow1.

May 24, 2009
Linux 2.4.37.1-ow1 is out. Linux 2.4.37.1, compared to 2.4.35-ow2, adds numerous security-relevant fixes to various kernel subsystems.

April 29, 2009
A standalone program to call the password complexity checking functions of pam_passwdqc (e.g., from a script) has been contributed by Wolfram Wagner and added to the contributed resources list on the pam_passwdqc homepage.

April 8, 2009
Version 1.0.3 of our tcb suite implementing the alternative password shadowing scheme has been released. The changes since tcb 1.0 are limited to minor bug and reliability fixes.

On a related note, tcb has been integrated into Mandriva Linux 2009, whereas pam_passwdqc has been integrated into DragonFly BSD 2.2+. This is in addition to many OS distributions that had integrated these pieces of software before.

March 27, 2009
The collection of PWDUMP tools has been updated. These tools can be used to obtain password hashes from Windows systems for password security auditing or password recovery. PDFCrack, a free and Open Source command-line tool, has been added to the web page on PDF password crackers.

March 18, 2009
We have just published "IPv6: What, Why, How", a presentation by Jen Linkova aka Furry.

September 16, 2008
As announced on john-users, the jumbo patch for John the Ripper 1.7.3.1 has been further updated, up to revision 4 now. This new revision adds support for HTTP Digest Access Authentication (by Romain Raboin), support for OpenLDAP SSHA password hashes (by bartavelle), and "Markov" cracking mode (also by bartavelle). It also corrects a couple of problems with revision 2 of the patch, which have been reported via the john-users mailing list.

August 25, 2008
As announced on john-users, the jumbo patch has been updated to John the Ripper version 1.7.3.1. Revision 2 of the patch for JtR 1.7.3.1 adds support for SAP passwords (by sap friend), support for NetScreen ScreenOS passwords (by Samuel Moñux), other contributed improvements, some generic improvements originally introduced in JtR Pro, and many bug and portability fixes (for issues seen with previous revisions of jumbo patches). Please refer to the announcement for more detail.

July 18, 2008
John the Ripper 1.7.3.1 (another "development" version) is out. This is a minor update, which corrects the x86 assembly files for building on Mac OS X and adds some generic changes from JtR Pro.

July 16, 2008
There's a beta version of John the Ripper Pro 1.7.3.1 for Mac OS X included with every new purchase (and free for everyone who has purchased the product in the past). Similarly to JtR Pro for Linux, besides the update to 1.7.3+, this version adds official support for Windows NTLM (MD4-based) and Mac OS X 10.4+ salted SHA-1 hashes, and it includes native support for 64-bit capable Intel CPUs on Mac OS X 10.5+ (Leopard) within the Universal binary, which makes use of 64-bit mode extended SSE2. Also included is the brand new XPWDUMP tool, which dumps password hashes from Mac OS X systems for subsequent auditing/cracking. As a bonus, the full source code is also provided (it was not provided with 1.7.2 Pro for Mac OS X, the focus of which was on packaging, but with so many exciting new features, we're also being generous and we do share the revised and enhanced source code this time, including several added source files).

July 13, 2008
John the Ripper Pro 1.7.3 for Linux is out. Besides the update to 1.7.3 (and thus including all of the improvements of that version in a well-tested native package), new with this release is official support for Windows NTLM (MD4-based) and Mac OS X 10.4+ salted SHA-1 hashes. Also included is a pre-built RPM package for 64-bit capable systems, which makes use of 64-bit mode extended SSE2. This is a free upgrade for everyone who has purchased the product in the past.

July 10, 2008
John the Ripper 1.7.3 (a "development" version) is out, focusing on better x86-64 support. Most notably, two Blowfish-based crypt(3) hashes may now be computed in parallel for much better performance on x86-64 CPUs, and new make targets have been added for Mac OS X 10.5+ (Leopard) and recent versions of Solaris on 64-bit capable x86 processors, producing 64-bit builds that make use of the 64-bit mode extended SSE2. As a bonus, "DumbForce" and "KnownForce" external mode samples have been added to the default john.conf.

June 8, 2008
A patched version of mod_auth_mysql with support for phpass portable hashes has been added to the contributed resources list on the phpass homepage. This was indirectly contributed by Nikolay.

June 7, 2008
The section on password recovery has been updated with information on recent ElcomSoft product changes. The most notable changes are as follows:

Enterprise Edition of Advanced Office Password Breaker now includes a DVD with pre-computed hash tables ("rainbow tables"), which enables it to unlock 99.5% of Word documents in less than a minute.

Enterprise Edition of Advanced PDF Password Recovery now includes revised pre-computed hash tables on the DVD (improving upon the "rainbow tables" technique), for 100% success rate at recovering "40-bit" PDF passwords in a matter of minutes.

Professional Edition of Advanced EFS Data Recovery is now able to locate master and private keys in deleted files, and often also on re-formatted disks and overwritten Windows installs, scanning the disk sector-by-sector and using patterns to locate the keys.

May 2, 2008
We've just set up the Openwall community wiki. The idea is to have a wiki "namespace" for each of our major projects, maybe resembling the structure of the main Openwall website - e.g., we have namespaces for Owl and John the Ripper. Users of our software and Openwall team members can populate those namespaces with relevant content. If you have something relevant to share, please register for a wiki account and edit away!

April 21, 2008
Revision 12 of the jumbo patch for John the Ripper 1.7.2 is out, adding support for HMAC-MD5 (by bartavelle), LMv2 challenge/response (by JoMo-Kun), half-of-LM-response (by Dhirendra Singh Kholia), EPiServer SID hashes (by Johannes Gumbel), and md5(md5($password) . $salt) as commonly used in PHP applications (by Albert Veli). This revision also includes a much faster implementation of old MySQL hashes (by Balázs Bucsay and Péter Kasza).

April 17, 2008
We've set up a new web page on Openwall user communities, hosted community resources, and community involvement and activities (as well as a sub-page on the xvendor mailing list).

April 12, 2008
Solar Designer of Openwall has participated in an IBM-organized Global Innovation Outlook (GIO) "deep dive" on Security and Society (a day long brainstorming session, with only short coffee breaks and a lunch break). This dive was held on April 10 (with a welcome dinner the day before) in a fine 5-star hotel in the heart of Moscow. Five more dives on the topic are to follow in other cities around the world, then IBM is to publish a report. Meanwhile, you can find detailed reports on past GIO topics on the IBM website section dedicated to the GIO initiative, as well as read and comment on the GIO blog (maintained by Dan Briody).

We have joined the oCERT project (the Open Source Computer Emergency Response Team), in two ways: Solar Designer serves on the advisory board of oCERT (since February), and Openwall is a registered public member of oCERT such that we can be sure to receive notification of vulnerabilities pertaining to our software (and, far more likely, to third-party software that we redistribute as a part of Openwall GNU/*/Linux) that will be handled via oCERT. Other Open Source projects are welcome to register with oCERT, too. (We're also a member of oss-security and vendor-sec, and are registered with the CERT/CC.)

April 3, 2008
A cut-down and reworked version of our PHP password hashing framework (phpass) has been integrated into development versions of Drupal leading to the upcoming Drupal 7 release. There's also a module for Drupal 5 & 6 that makes the original phpass available with those versions of Drupal. More information is available on the phpass homepage.

March 1, 2008
A couple of weeks ago, we set up the Open Source Software Security (oss-security) Wiki, which is the counterpart to the oss-security mailing list, and we have the initial content in place by now. Both the wiki and the mailing list are a product of cooperation amongst various Open Source software vendors, projects, and researchers. The purpose of the oss-security group is to encourage public discussion of security flaws, concepts, and practices in the Open Source community.

February 17, 2008
Archives of two Openwall-hosted community mailing lists, oss-security and xvendor, are now available on this website.
oss-security is a new discussion and collaboration mailing list for people involved with Open Source projects who care about security. xvendor is a very low volume list for information exchange between Unix-like OS distribution vendors (mostly Linux), and it has existed since 2002.

February 13, 2008
A new minor release of pam_passwdqc - version 1.0.5 - is out. In this version, the separator characters (used for randomly generated "passphrases") have been replaced with some of those defined by RFC 3986 as being safe within "userinfo" part of URLs without encoding, the default minimum length for passphrases has been reduced from 12 to 11 characters, and corrections to the documentation have been made.

February 12, 2008
Alexander Chemeris has contributed a Python module port of phpass 0.1, allowing for phpass portable hashes to be checked from Python applications. The module is linked from the contributed resources list on the phpass homepage.

News archive (since 2001)


Hosted by DataForce ISP - Powered by Openwall GNU/*/Linux
