Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20111017051612.GA31950@openwall.com>
Date: Mon, 17 Oct 2011 09:16:12 +0400
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: filter performances

On Sun, Oct 16, 2011 at 10:55:32PM -0400, Rich Rumble wrote:
> Would generating an "all.chr" for a policy4 be as good as perhaps
> filtering Rockyou/Gawker/Facebook/etc (real world).I guess before
> asking that I should of asked, if using a "policy" chr file would make
> enough difference in time, I can see it doing so at first, but would
> that "advantage" not mean more than 1-2 hours off in the end?

Generating a custom .chr file using the external filter for policy is a
good idea.  The filter would also need to be applied while cracking, but
the percentage of passwords that it rejects early on will be a lot
lower.  In the unlikely event that you let incremental mode run to
completion (without cracking all passwords any sooner), there shouldn't
be any reduction in total run time (but no slowdown either).  However,
obtaining some good speedup early on is highly desirable.

On the topic of password policies in general, I've just created:

http://openwall.info/wiki/john/policy

The tables on that wiki page show just how password policies that
require either at least N character classes or at least N characters of
each class affect the total keyspace for each length.

For example, for printable US-ASCII (95 different characters) and length 8,
requiring at least 3 character classes (out of four: digits, lowercase
letters, uppercase letters, and other characters) reduces the keyspace
by only 5.5% (so it is a reasonable thing to do).  However, requiring at
least 2 characters of each class (which for length 8 implies exactly 2
characters of each class) reduces the keyspace for length 8 by a factor
of 52.9 (which is almost as bad as making passwords one character
shorter) and for length 9 by a factor of 17.6.

There's a lot more data on the wiki page, and I've included my revised
program used to compute those numbers as well.

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.