Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAPKcp6bscw2uO3G-0GuW6HsZC2cg5bZ0sOZWkagC3dmW-wfZtA@mail.gmail.com>
Date: Tue, 21 Aug 2012 16:53:50 -0700
From: Francois Pesce <fpesce@...lys.com>
To: john-users@...ts.openwall.com
Subject: Re: Arstechnica Password article (feat. Matt Weir)

Hi,

I've got several critics:
_ The way they're presenting the wordlist+rules under a pretty name like
that "hybrid attack". It looks like a new thing, which it's definitely not.
Rules+dictionary! Come on! Even the Morris Worm had a bruteforce dictionary
attack which used to lowercase/capitalized words from user account details.
No silver bullet here.

_ It emphasized the Rockyou dictionary, which is interesting, but not
enough on the pass phrases cracking. CDDB/Wikipedia titles/Facebook
names/gutenberg project/LinkedIn names (You can download their whole base
w/ a simple wget script) are now strong sources of pass phrase cracking,
and I mean, actual pass phrases of more than 2 words. What about Markov?
These new techniques deserve attention as well, because they lead to the
conclusion that any non-random password can possibly be cracked.

_ From a vulgarization point of view,  the password length graphic which is
reproduced at the end of the article is very dubious because it lets the
users think that they'll be secured by choosing any password very long,
which they are not able to humanly generate without it to be easily
cracked: music title, book phrase, repetition of words, logical
enumeration, etc.

Still, I find that most of the article is good.

My 2 cents,

Francois

On Tue, Aug 21, 2012 at 4:04 PM, Matt Weir <cweir@...edu> wrote:

> > There are some minor inaccuracies.
>
> Hey Solar, I'd be very interested to hear what you felt was wrong. Dan
> really impressed me with his dedication to try and get everything
> right. A good example of that was his research into the origin of the
> term "Rainbow tables" where not only did he read the original Oechslin
> papers but he contacted a bunch of people and posted on Twitter as
> well. Even with all that research since he wasn't able to find an
> authoritative source he wrote: "Rainbow tables are believed to get
> their name....".
>
> I guess more to the point, he had several people including me review a
> pre-release copy so some of those mistakes may be mine as well ;p
>
> As far as JtR not being mentioned, I think that's more of a PR issue
> we have. When people talk about password cracking to the general
> public they tend to focus on Rainbow tables, GPUs, and the cloud. We
> can debate how much impact all those things have, but the simple fact
> is that's what people find interesting. While JtR has GPU support,
> Hashcat won the CMIYC competition so they deserve the recognition they
> get when it comes to mentioning a GPU cracker. If we can get better
> GPU cracking performance than Hashcat people will mention JtR instead
> ;p
>
> Matt
>

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.