Message-ID: <efd439a0f8bb5d762086cc8a31b7d33e@smtp.hushmail.com>
Date: Tue, 21 Apr 2015 09:19:05 +0200
From: magnum <john.magnum@...hmail.com>
To: john-dev@...ts.openwall.com
Subject: Re: Wordlist mode ignoring lines that start with "#!comment"

On 2015-04-21 09:10, Frank Dittrich wrote:
> On 04/19/2015 09:06 PM, Solar Designer wrote:
>> Calling it a vulnerability for that reason is overkill. Otherwise we'd
>> also have to call John's processing of "#!comment:" in wordlists a
>> vulnerability, because someone may deliberately prefix their password
>> with that string to avoid having it cracked specifically with John.
>
> Currently, words starting with "#!comment" are ignored, the ':' is not
> required.
> Actually, I thought about it as a "vulnerability" for quite some time,
> but so far I never mentioned my concerns.
> During password cracking contests, there might be someone who tries to
> exploit this.
> Maybe the strncmp(cp, "#!comment", 9) should only be done at the top of
> the word list, until you find a different word.

Maybe we can get it out of the loop while at it.

> And for jumbo, loopback mode shouldn't skip "#!comment" words, either.

I believe it doesn't. It would skip lines where the *hash* starts with
#!comment, before skipping to the field limiter.

magnum
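
The two behaviours discussed in this thread, side by side, as an added example that is not John the Ripper's code and was not posted by anyone in the thread. The function names and the sample wordlist are assumptions constructed for illustration; only the `strncmp(cp, "#!comment", 9)` test comes from the message above.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample wordlist (assumption, not from John or the thread). */
static const char *sample[] = {
    "#!comment: constructed header line",
    "#!comment second header line",
    "password",
    "#!commentHunter2",  /* a real candidate that merely starts with the marker */
    "letmein",
};
#define SAMPLE_LEN (sizeof(sample) / sizeof(sample[0]))

static int is_comment(const char *cp)
{
    return !strncmp(cp, "#!comment", 9);  /* the ':' is not required */
}

/* Behaviour described in the thread: the marker is tested on every line,
 * so any word starting with it is never tried as a candidate. */
size_t candidates_check_every_line(const char **lines, size_t n, const char **out)
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        if (!is_comment(lines[i]))
            out[kept++] = lines[i];
    return kept;
}

/* Suggested change: skip comments only at the top of the list; once a
 * different word is seen, the test is out of the main loop entirely. */
size_t candidates_header_only(const char **lines, size_t n, const char **out)
{
    size_t i = 0, kept = 0;
    while (i < n && is_comment(lines[i]))
        i++;
    for (; i < n; i++)
        out[kept++] = lines[i];
    return kept;
}

int main(void)
{
    const char *out[SAMPLE_LEN];
    printf("every line:  %zu candidates\n", candidates_check_every_line(sample, SAMPLE_LEN, out));
    printf("header only: %zu candidates\n", candidates_header_only(sample, SAMPLE_LEN, out));
    return 0;
}
```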