Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <e763de53e835724dd994138abe5a5263@smtp.hushmail.com>
Date: Thu, 23 Aug 2012 18:50:21 +0200
From: magnum <john.magnum@...hmail.com>
To: john-dev@...ts.openwall.com
Subject: Re: How should one select PLAINTEXT_LENGTH in a format

On 2012-08-23 18:14, Lukas Odzioba wrote:
> 2012/8/23 Claudio André <claudioandre.br@...il.com>:
>> How do i choose a number to use as the maximum length of a plaintext
>> password. 16, 24, 32, ...?
>>
>> Do you guys have a rule? Or, at least, advices?
> 
> Technically it should be as big as you can make. However some formats
> have specific optimizations for shorter passwords. I use something
> like that (not always - mea culpa)
> 
> - If you can handle looooooooong passwords, without speed drop for
> shorter ones do it
> - Today we should support at least 15chars, considering last crack me
> if you can contest it is good to have 20+
> - On gpu's 15,31 usually works good because reads are nicely aligned
> if you add one more byte to store lenght.
> - It is good to have tests up to supported length.
> - When you choose something it is good to make sure that your code can
> really handle it - you can  try add some tests to TS.

I agree with everything, just want to add a couple of things: The max
length that can currently be supported in JtR is 125 due to core
limitations. And more important, sometimes there is an algorithm block
size that gives a natural limit: For SHA-1, MD4 and MD5, the block size
is 64 and passwords longer than 55 bytes need more than one call to the
function. For SHA-2 I believe it's more than 125 so it's no issue. For
Unicode/UCS-2 formats (NT) that size is obviously halfed, and that's
exactly why NT (which is just a raw MD4 of password encoded in UCS-2)
has a max length of 27.

magnum

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.