Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20111203115328.GA16318@openwall.com>
Date: Sat, 3 Dec 2011 15:53:28 +0400
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: AMD X6 multicore issue

On Sat, Dec 03, 2011 at 01:12:20PM +0200, Caesarmv wrote:
> I'm testing one of my passwords (9 chars only).
> It contains:
> 1) letters (no any existent words used)
> 2) digits
> 3) symbols
> 
> For example: ewf%ll1!1
> 
> So it can't be cracked with words list. I'm interesting to know how much
> time  it needs  to crack it.

You're most likely out of luck cracking it against this hash type
(SHA-512 based crypt(3) with the default number of rounds) on your
machine in a reasonable amount of time (reasonable for you).  So you
appear to have a strong enough password there.  That said, you can make
it even stronger by mixing the different kinds of characters in a less
usual order (starting with letters and only having digits/symbols closer
to the end is a common pattern).  You can also use an easier to remember
passphrase (longer, but optionally with fewer character classes) instead
of your password - and that passphrase could be about as difficult or
even more difficult to crack.

That said, this same password could be reasonably crackable with a
different hash type.  For example, if you use a password like this on a
Windows system and someone gets the password hashes off that system,
they're likely to crack the password easily.

For testing, you do not actually have to run JtR against your actual
hash type.  You may instead use the dummy format, then calculate how
much longer it would have taken to crack the same password under
different real hash types.  Here's your example password ready to be
"cracked" by JtR:

$dummy$657766256c6c312131

I used this Perl script to produce that line:

#!/usr/bin/perl
while (<>) {
	chomp;
	print '$dummy$', unpack('H*', $_), "\n";
}

Like I said before, to crack a password longer than 8 with incremental
mode, you need to increase CHARSET_LENGTH in params.h, re-compile, and
generate a new .chr file.  You'll need some material already in your
john.pot in order to generate a reasonable .chr file.  Here's an example
of how you could do it:

http://www.openwall.com/lists/john-users/2007/07/04/6

With 1.7.9, there's no CHARSET_SCALE anymore and you do not need to
bother adjusting any other parameters.  Simply set CHARSET_LENGTH to 9
or more as desired.

Instead of the all.lst wordlist, you may use the RockYou list, which you
may download from:

http://www.skullsecurity.org/wiki/index.php/Passwords

This will result in a pretty good .chr file.

When you experiment with the dummy format, you will likely want to be
running JtR on many such dummy lines at once - for different kinds of
passwords.  This will give you some results sooner.

Good luck!

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.