Message-ID: <20101207050904.GA16884@openwall.com>
Date: Tue, 7 Dec 2010 08:09:04 +0300
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: pwgen

Rich,

On Mon, Dec 06, 2010 at 10:31:02PM -0500, Rich Rumble wrote:
> I'm wondering if the windows version might offer more entropy than its
> CLI cousin?

Actually, the Windows program you found:

http://pwgen-win.sourceforge.net

appears to have almost nothing in common (except for the purpose and a
portion of the name) with the Unix program we were talking about:

http://pwgen.sourceforge.net

The current version numbers look similar, but this appears to be a mere
coincidence.

There are a few other things called "pwgen" as well.

As to entropy, the problem of pwgen by Theodore Ts'o was not a lack of
entropy in its input randomness, but rather issues in the way the input
entropy was being encoded, turning uniformly distributed random numbers
read from /dev/urandom into a non-uniform distribution of passwords.

> I've generated a few lists, hashed and then
> cracked them all into a john.pot file.

That's fine, but you could simply create a fake john.pot by prefixing
every password with a colon:

    sed 's/^/:/' < generated-passwords.lst > john.pot

> Then generated the chr files. These
> lists did not use Brad's list these were all unique passes I used pwgen to
> generate.
> I then used -i=pwgen (my custom mode in my conf) and
> running for 6hrs so far no cracks on the output.txt file. (new john.pot as
> well).

Perhaps pwgen-win does not have the problem. Perhaps it simply does not
try to make those passwords "pronounceable", which Ted's pwgen does by
default. The "-s" option to Ted's pwgen similarly defeats the attack.

    -s, --secure
        Generate completely random, hard-to-memorize passwords. These
        should only be used for machine passwords, since otherwise it's
        almost guaranteed that users will simply write the password on
        a piece of paper taped to the monitor...

Alexander

P.S. You managed to post your message to a new thread, even though you
reused the Subject. If you want to post to an existing thread, you need
to use your mail program's "reply" feature on an existing message in the
thread. (Similarly, whenever you actually do want to start a new thread,
you need to send your message to the posting address anew, not as a
"reply" to anything.) Thanks!
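An added illustration, not part of the original message and not pwgen's actual algorithm: a toy "pronounceable" generator whose every choice is uniform, yet whose passwords are not, because several element sequences spell the same string. The element list and function names are constructed for this example; the code computes the exact output distribution so a generator's min-entropy can be compared with the uniform ideal.

```python
import math
from fractions import Fraction

# Constructed element list for the toy generator (NOT pwgen's real table).
ELEMENTS = ["a", "e", "o", "ae", "b", "t", "h", "th"]

def exact_distribution(elements, length):
    """Exact probability of every password the toy generator can emit.

    The generator repeatedly picks, uniformly at random, one element that
    still fits in the remaining length and appends it.
    """
    dist = {}
    def walk(prefix, prob):
        remaining = length - len(prefix)
        if remaining == 0:
            # Different element sequences can spell the same password.
            dist[prefix] = dist.get(prefix, Fraction(0)) + prob
            return
        fitting = [e for e in elements if len(e) <= remaining]
        for e in fitting:
            walk(prefix + e, prob / len(fitting))
    walk("", Fraction(1))
    return dist

def shannon_bits(dist):
    return -sum(float(p) * math.log2(float(p)) for p in dist.values())

def min_entropy_bits(dist):
    # Determined by the single most likely password.
    return -math.log2(float(max(dist.values())))

def guesses_to_cover(dist, fraction):
    """Guesses needed, most probable first, to cover `fraction` of the mass."""
    total = Fraction(0)
    for n, p in enumerate(sorted(dist.values(), reverse=True), start=1):
        total += p
        if total >= fraction:
            return n
    return len(dist)

if __name__ == "__main__":
    d = exact_distribution(ELEMENTS, 6)
    print("distinct passwords      :", len(d))
    print("bits if uniform         :", round(math.log2(len(d)), 2))
    print("Shannon entropy (bits)  :", round(shannon_bits(d), 2))
    print("min-entropy (bits)      :", round(min_entropy_bits(d), 2))
    print("guesses for 50% of mass :", guesses_to_cover(d, Fraction(1, 2)),
          "vs", len(d) // 2, "if uniform")
```

Picking each character independently and uniformly from the alphabet, which is the kind of output the "-s" option is described as producing, makes all three figures coincide with the uniform value.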