Message-ID: <42717.128.173.192.90.1344020256.squirrel@webmail.tuffmail.net>
Date: Fri, 3 Aug 2012 14:57:36 -0400 (EDT)
From: "Brad Tilley" <brad@...ystems.com>
To: john-users@...ts.openwall.com
Subject: Re: any plans to support superlong passwords?

Hi Stephen,

<snip>

> which basically points an average of 8-9 characters (again 1.1 million could all be greater than 16 characters and I don't know it yet... give me 2 years and I can give a better estimate).
>
> Looking though at the plain text ones (eg rockyou and the various other plaintext ones..) 8 is the average size of passwords there. Usually in the form of the same ones we have been finding for the last 20 years.

I agree. Humans being humans, we don't tend to use long passwords unless we are forced to do so. All of the studies I've seen and research I've done point to between 6 to 9 characters as being the average password length on most systems. Sure, there are longer passwords (no one disputes that), 'Password123456!' for example, but 21 to 22 characters as an average? That's simply not a realistic average anywhere on this planet. Perhaps it is for high-security military systems and as we've all seen it certainly is for contrived passwords in the KL contest, but not for real passwords on real sites intended to be consumed by the masses. It just isn't so.

I assume KL devised such an unrealistic average length as an attempt to hinder the GPU teams and rainbow table attacks. It didn't seem to work.

Brad