Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <4977BC29.30708@gmail.com>
Date: Wed, 21 Jan 2009 18:22:01 -0600
From: Steve Bergman <sbergman27@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: keyspace, mask password and dumb bruteforce

Solar Designer wrote:
> The exception is when you're willing to throw a lot of computing
> resources at cracking one publicly known hash, and you cannot or don't
> care to optimize the order in which candidate passwords are tried.
>   
If I may throw in a comment to put this in a perspective that the mind 
can more easily grasp, (since the human mind tends not to deal well with 
extreme scale), the keyspace for a unix password of maximum length 8 is, 
I think, 95^8 + 95^7 + 95^6 + 95^5 + 95^4 + 95^3 + 95^2 + 95^1 + 95^0 = 
6704780954517121, which we can call about 6.7e15. This is a 
mind-bogglingly huge number. Last I looked, seti@...e, which is far and 
away *the* most popular distributed project (no other project on BOINC 
can touch it) had about a half a million cores running their client.  
Assuming that all of these cores are as fast as one core of a Q6600 
(which they aren't), and that  all of them ran full out 24 hours a day 
(which they don't), then if the *entire* power of the seti@...e 
distributed network were focused, with 0% efficiency loss due to 
distribution overhead, upon one md5 hash with one salt, without 
optimizing the password candidate order, they would be guaranteed to 
crack it in about 2 weeks.  On average it would take a week.

I'm no expert. But it seems to me that this is a problem where a little 
finesse is worth more than one *hell* of a lot of brute force.

Perhaps there is more potential in coming up with ideas to even further 
optimize candidate password selection for individual scenarios than 
there is in distributing the processing to more machines.  The 'brute' 
in 'brute force' is there for a reason. ;-)

-Steve

-- 
To unsubscribe, e-mail john-users-unsubscribe@...ts.openwall.com and reply
to the automated confirmation request that will be sent to you.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.