Message-ID: <20050815060703.GB14618@openwall.com>
Date: Mon, 15 Aug 2005 10:07:03 +0400
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: policy enforcement (was: source)

Hi,

My apologies for leaving this without a response for so long.  Actually,
it would have been nice if other list subscribers took care of that. ;-)

On Thu, Jul 28, 2005 at 08:37:25AM +0000, ikbea wrote:
> I would like to have the source of "John the Ripper", where can I download ?

At the homepage:

	http://www.openwall.com/john/

Now, to the more reasonable question, which actually makes this worth a
response:

> Moreover, I would like to force passwords to obey rules:
> 1. password length should be more than 8
> 2. password should have at least two characters and two uppercase letters
> How to configure John the Ripper, so it can detect the passwords that do not
> obey the rules?

[ I am assuming that the word "characters" refers to "non-letters and
non-digits". ]

While John the Ripper is a tool to detect weak passwords, you can't
reasonably make it check for passwords which would violate a policy such
as the above.

In order to detect _all_ passwords which happen to violate the policy
given above, John (or any other program) would have to search too large
a keyspace.  That would be all strings of up to 8 characters long, and
in addition to that all strings (of any "reasonable" length) that don't
contain uppercase letters or don't contain non-letters/digits or contain
exactly one uppercase letter or contain exactly one non-letter/digit.
Now, let's assume that our full character set consists of the 95 printable
US-ASCII characters.  There're 26 lowercase and 26 uppercase letters,
10 digits, and 33 other characters.

For the sake of simplicity, let's count the number of possible 9
character long passwords that don't contain any uppercase letters:

(95 - 26) ** 9 = 35452087835576229

(I am using the Fortran notation for power to disambiguate with C's
meaning of the caret character.)

The total number of possible passwords all of which would be disallowed
under the above policy is way higher than that.

Now, let's assume John can try one million candidate passwords per
second (which is quite optimistic and ignores the likely presence of
salts).  At such a rate, it would take John over 400,000 years to try
just the 9-character no-uppercase passwords.

But this does not mean that John the Ripper is unable to crack such
passwords.  It may crack those which are weak -- that is, those which
fall into the more commonly used parts of the keyspace (word-based,
with mostly common characters or character combinations, etc.)

We can make two conclusions, both of which are valid:

1. John the Ripper, or password crackers in general, are not suitable
for _strict_ enforcement of password policies that are simple to express
in plain English.  (Exception: this may be done for Windows NT LM hashes
due to their small keyspace.  The same would apply to some other
extremely poorly designed password hashing methods.)

Rather, John the Ripper will detect passwords which _actually_ are weak
(that is, those which are likely to be easily cracked in an actual
attack), whether or not they satisfy a policy.

In order to _strictly_ enforce a typical policy, other tools should be
used.  pam_passwdqc is one such tool:

	http://www.openwall.com/passwdqc/

If a reasonable policy is specified (or pam_passwdqc's defaults are used
with no changes), this will also ensure that over 99% of permitted
passwords are not easily crackable with John the Ripper and other tools.

2. The proposed policy is unreasonable.  It rejects too large a fraction
of the keyspace, while at the same time permitting passwords that don't
contain a single lowercase letter or digit (that is, that consist
exclusively of uppercase letters and non-letters/digits).  While those
permitted passwords aren't exactly common or weak, they are not as
strong as many of the passwords _rejected_ by the policy.

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments

Was I helpful?  Please give your feedback here: http://rate.affero.net/solar
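The keyspace argument in the message, carried through as an added worked example (this is not code from the message, from John the Ripper or from pam_passwdqc). It assumes the message's split of the 95 printable US-ASCII characters (26 lowercase, 26 uppercase, 10 digits, 33 other), the poster's policy (length over 8, at least two uppercase letters, at least two non-letter/non-digit characters) and the message's assumed rate of one million candidates per second; the function and constant names are my own. It goes beyond the single sub-case worked in the message: it counts every policy-violating string of a given length by summing over exact uppercase/other counts, cross-checks that count against the complement of the permitted set, and also counts the permitted passwords that contain no lowercase letter or digit at all, which is the weakness pointed out under conclusion 2.

```python
"""Keyspace arithmetic for the password policy discussed on the list.

Added worked example, not code from the message or from any Openwall
project.  Character classes follow the message: 26 lowercase, 26
uppercase, 10 digits, 33 other printable US-ASCII characters.  The policy
is the poster's; the candidate rate is the message's assumed figure.
"""
from math import comb

LOWER, UPPER, DIGIT, OTHER = 26, 26, 10, 33
ALPHABET = LOWER + UPPER + DIGIT + OTHER   # 95 printable US-ASCII characters
MIN_LEN = 9          # "more than 8"
MIN_UPPER = 2        # at least two uppercase letters
MIN_OTHER = 2        # at least two non-letter/non-digit characters
RATE = 1_000_000     # candidates per second, as assumed in the message
SECONDS_PER_DAY = 86_400
DAYS_PER_YEAR = 365.25


def count_with_exact(n, uppers, others):
    """Strings of length n with exactly `uppers` uppercase letters and
    exactly `others` non-letter/non-digit characters; every remaining
    position is a lowercase letter or a digit."""
    rest = n - uppers - others
    if rest < 0:
        return 0
    return (comb(n, uppers) * comb(n - uppers, others)
            * UPPER ** uppers * OTHER ** others * (LOWER + DIGIT) ** rest)


def permitted(n):
    """Strings of length n that satisfy the policy."""
    if n < MIN_LEN:
        return 0
    return sum(count_with_exact(n, u, o)
               for u in range(MIN_UPPER, n + 1)
               for o in range(MIN_OTHER, n - u + 1))


def rejected(n):
    """Strings of length n that violate the policy, as the complement of
    the permitted set within the full keyspace."""
    return ALPHABET ** n - permitted(n)


def rejected_direct(n):
    """Same count, summed directly over the violating (uppers, others)
    combinations; used as a cross-check on the combinatorics."""
    if n < MIN_LEN:
        return ALPHABET ** n
    return sum(count_with_exact(n, u, o)
               for u in range(n + 1)
               for o in range(n - u + 1)
               if u < MIN_UPPER or o < MIN_OTHER)


def no_uppercase(n):
    """The single sub-case worked in the message: no uppercase letter at all."""
    return (ALPHABET - UPPER) ** n


def permitted_without_lower_or_digit(n):
    """Permitted strings built exclusively from uppercase letters and
    non-letter/non-digit characters (conclusion 2 in the message)."""
    if n < MIN_LEN:
        return 0
    return sum(count_with_exact(n, u, n - u)
               for u in range(MIN_UPPER, n - MIN_OTHER + 1))


def search_time(count, rate=RATE):
    """(seconds, days, years) to exhaust `count` candidates at `rate`/s."""
    seconds = count / rate
    days = seconds / SECONDS_PER_DAY
    return seconds, days, days / DAYS_PER_YEAR


def summarize(max_len=12):
    """Per length: rejected count, permitted count and the fraction of the
    keyspace the policy throws away."""
    rows = []
    for n in range(1, max_len + 1):
        r, p = rejected(n), permitted(n)
        rows.append((n, r, p, r / (r + p)))
    return rows


if __name__ == "__main__":
    for n, r, p, frac in summarize():
        print(f"len {n:2d}: rejected {r:e}  permitted {p:e}  rejected fraction {frac:.3f}")
    _, days, years = search_time(no_uppercase(9))
    print(f"9-char, no uppercase: {no_uppercase(9)} candidates, "
          f"{days:,.0f} days ({years:,.0f} years) at {RATE:,}/s")
```

`no_uppercase(9)` reproduces the message's 35452087835576229, and `rejected(9)` is larger still, since it also counts strings with exactly one uppercase letter and strings with fewer than two non-letter/non-digit characters. At the message's assumed rate the 9-character no-uppercase sub-case alone comes to roughly 410,000 days, about 1,100 years; the full rejected set for length 9 is several times that again. `permitted_without_lower_or_digit(9)` is nonzero, which is the class of passwords conclusion 2 objects to.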
