Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20101128040043.GA9964@openwall.com>
Date: Sun, 28 Nov 2010 07:00:43 +0300
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: pwgen

Minga, all -

On Tue, Nov 23, 2010 at 02:20:25AM +0300, Solar Designer wrote:
> Minga - please "document" how random-1000-from-pwgen.txt was generated.

Any comments?  I am curious, and I actually need to know this before I
possibly inform more people that pwgen passwords are much weaker than
they look.

Can anyone else generate 1000 pwgen passwords and post them in here,
along with info on how it was done (pwgen version, OS, commands run)?

> Meanwhile, my John runs are up to 195 (out of 1000) passwords in 1 hour.

They're still running, and both are still the same (in terms of the
number of passwords cracked out of their different 1000-password files).
Here are some arbitrary points (these are whenever I happened to press a
key in the terminal):

guesses: 391  time: 0:20:27:48  c/s: 10216M  trying: TeydCgP9 - TeydCgOr
guesses: 471  time: 1:16:24:19  c/s: 9484M  trying: uhtNSTh8 - uhtNSTao
guesses: 552  time: 3:00:48:08  c/s: 8601M  trying: MD6SozoT - MD6SozeY
guesses: 594  time: 3:21:44:05  c/s: 8176M  trying: ExiR1EFx - ExiR1IWw
guesses: 642  time: 5:05:17:10  c/s: 7628M  trying: SX7HeTyO - SX7HeTxt

The effective c/s rate is decreasing because the number of hashes left
to crack is decreasing, so fewer combinations of {hash, password} are
tested per hash computed.

The average speed appears to be around 15M candidates per second.  At
this speed, exhaustive search of the 62-character length 8 space would
take about 168 days.  Thus, 5 days correspond to about 3% of the time
needed to exhaustively search this keyspace, yet we have cracked 64% of
passwords.  Some of the prior results are even more interesting:

Time running (D:HH:MM) - Keyspace searched - Passwords cracked
0:00:02 - 0.0008% - 6.0%
0:01:00 - 0.025% - 19.5%
0:20:28 - 0.5% - 39.1%
1:16:24 - 1.0% - 47.1%
3:00:48 - 1.8% - 55.2%
3:21:44 - 2.3% - 59.4%
5:05:17 - 3.1% - 64.2%

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.