Message-ID: <20101206100306.GA13367@openwall.com>
Date: Mon, 6 Dec 2010 13:03:06 +0300
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: pwgen

Rich, Brad, Minga, all -

On Thu, Dec 02, 2010 at 03:07:28PM -0500, Rich Rumble wrote:
> Just using JtR's incremental mode I've cracked 55 of the 1000 in the last 72hrs
> (2.33GHz Intel DuoCore)
> guesses: 55  time: 3:00:04:15 (3)  c/s: 7546M  trying: Gkuz6v2o - Gkuz6vb$
> I set my conf to 8 min/max since I knew the length already, these were again
> the passes provided by Brad and converted to NTLM by me.

I assume you were using all.chr supplied with JtR?

I ran my pwgen.chr (generated from 1 million pwgen passwords) against
your output.zip, which in turn was based on Brad's 1000 pwgen passwords
(I trust you on this; I did not verify).  I got over 500 passwords (that
is, over 50%) cracked in less than 2 days:

guesses: 5  time: 0:00:00:01  c/s: 20671M  trying: uo1Eate6 - uo1Eat2u
guesses: 14  time: 0:00:00:06  c/s: 11706M  trying: Aiwuo2ol - Aiwuo2if
guesses: 25  time: 0:00:00:20  c/s: 13386M  trying: Eo8aNei7 - Eo8aNea6
guesses: 35  time: 0:00:00:43  c/s: 13220M  trying: un1Ame9O - un1Amo6y
guesses: 45  time: 0:00:01:00  c/s: 13789M  trying: Ii3ula7o - Ii3ula2U
guesses: 51  time: 0:00:01:15  c/s: 13995M  trying: At0S8ci6 - At0S8c6b
guesses: 57  time: 0:00:01:47  c/s: 13444M  trying: iut3T1c4 - iut3T1C4
guesses: 57  time: 0:00:02:04  c/s: 13345M  trying: os9D9bu1 - os9D9b8E
guesses: 511  time: 1:23:51:03  c/s: 8839M  trying: Ge4SeVsU - Ge4SeVck
guesses: 523  time: 2:05:43:11  c/s: 8700M  trying: qpm9Ms6i - qpm9Ms6t

It's also curious how 5 passwords (0.5% of total) get cracked in 1 second.
45 (4.5% of total) get cracked in 1 minute.

This matches my own results pretty well.  So there's nothing special
about my copy of pwgen and my system.  The attack also works against
passwords pwgen'ed on Brad's system.

Meanwhile, my longer run against 1000 pwgen'ed passwords generated on my
system got all the way to 832 cracked (83.2%):

guesses: 391  time: 0:20:27:48  c/s: 10216M  trying: TeydCgP9 - TeydCgOr
guesses: 471  time: 1:16:24:19  c/s: 9484M  trying: uhtNSTh8 - uhtNSTao
guesses: 552  time: 3:00:48:08  c/s: 8601M  trying: MD6SozoT - MD6SozeY
guesses: 594  time: 3:21:44:05  c/s: 8176M  trying: ExiR1EFx - ExiR1IWw
guesses: 642  time: 5:05:17:10  c/s: 7628M  trying: SX7HeTyO - SX7HeTxt
guesses: 680  time: 6:08:10:30  c/s: 7206M  trying: xeSzpAnA - xeSzpAkx
guesses: 708  time: 7:13:50:30  c/s: 6814M  trying: ea9R4X3Z - ea9R4X8p
guesses: 764  time: 9:18:59:57  c/s: 6195M  trying: qcgAejq3 - qcgAejqG
guesses: 796  time: 11:05:45:41  c/s: 5841M  trying: ef9LOeSN - ef9LOaxN
guesses: 826  time: 13:05:38:12  c/s: 5396M  trying: CmTNhRk1 - CmTNhRkX
guesses: 832  time: 13:11:31:16  c/s: 5349M  trying: ce7r5XIn - ce7r5XIP

Alexander
