Date: Wed, 22 Dec 2010 00:45:44 +0300
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: pwgen in JavaScript

On Tue, Dec 07, 2010 at 09:18:19AM +0300, Solar Designer wrote:
> ... "JavaScript port of pwgen" (of Ted's pwgen for Unix):
> 
> http://8-p.info/pwgen/
[...]
> $ ./john -i=pwgen-js -se=pwgen-js -fo=nt 1k-8-nt
> Loaded 909 password hashes with no different salts (NT MD4 [128/128 X2 SSE2-16])
> Warning: only 60 characters available
> 
> guesses: 22  time: 0:00:00:05  c/s: 9086M  trying: Ouq9s1f1 - Ouq9s1ie
> guesses: 45  time: 0:00:00:12  c/s: 11528M  trying: Iu4a9p3i - Iu4a9p2i
> guesses: 102  time: 0:00:01:00  c/s: 12779M  trying: iLi4jebi - iLi4j0lu
> guesses: 148  time: 0:00:03:00  c/s: 11026M  trying: Ugc7yo3e - Ugc7yoj9
> guesses: 193  time: 0:00:05:58  c/s: 11133M  trying: Py2ige1n - Py2igen6
> guesses: 220  time: 0:00:08:34  c/s: 11324M  trying: Pgsu9h2h - Pgsu9h8f
> guesses: 320  time: 0:00:40:37  c/s: 9891M  trying: aTt5xp8x - aTt5xtty

If anyone is curious, here's how this attack progressed further:

guesses: 648  time: 0:18:24:44  c/s: 6137M  trying: FGqcw1k7 - FGqcw1me
guesses: 730  time: 2:03:38:37  c/s: 4574M  trying: kBnqOoMi - kBnqOoM3
guesses: 791  time: 5:06:51:33  c/s: 3423M  trying: BdyE7Pur - BdyE7Pg0
guesses: 800  time: 6:04:30:02  c/s: 3215M

(The last line lacks "trying" because I obtained it with "john --status"
after interrupting the main John session.)

> 2.2% (2.4% of 909) cracked in 5 seconds
> 10% (11%) cracked in 1 minute
> 22% (24%) cracked in 8.5 minutes
> 32% (35%) cracked in 40 minutes

65% (71%) cracked in 18.5 hours
73% (80%) cracked in 2 days
80% (88%) cracked in 6 days

> This is mostly _without_ exploiting the problems with Math.random()
> yet.  It'd take custom code to exploit those, but then I'd expect all
> passwords to fall within seconds.  "[List.External:Strip]" in the
> default john.conf implements this sort of attack for another naive
> password generator.

For those who want more context, my original posting is here:

http://www.openwall.com/lists/john-users/2010/12/07/4

Alexander
