Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <89d8762a3f7751687232574ef55b262b@smtp.hushmail.com>
Date: Mon, 01 Jun 2015 00:44:28 +0200
From: magnum <john.magnum@...hmail.com>
To: john-users@...ts.openwall.com
Subject: Re: Bleeding jumbo now defaults to UTF-8

On 2015-05-31 16:09, Marek Wrzosek wrote:
> Let's summarize what have changed. Before defaulting to UTF-8 in
> john.pot were plain-texts and there was possible to use many encodings
> in one wordlist. Moreover plain-texts were known, but information about
> human-readable form of passwords was gone. After change john can use
> only single-encoding wordlists, stores human-readable passwords in
> john.pot, but plain-texts are gone and one will need to repeat cracking
> passwords using many different target encodings. Just defaulting to
> UTF-8 have solved some issues but have created new ones.

True. How often is the new defaults a problem IRL though? If you audit a 
system it will likely have just one encoding and you should have a good 
idea which is is.

> Maybe there should be some smart "auto" target encoding, that will check
> password candidates (in UTF-8 only) if there are any two-byte codes and
> if all are from the same alphabet (e.g. Cyrillic) then this password
> would be checked using all possible encoding for those characters (e.g.
> KOI8-R, CP1251 and of course UTF-8). Any other situations (all ASCII or
> many different alphabets in one password) and UTF-8 will be assumed.
> This additional target encoding would be turned-on on demand because
> there will be some performance issues.

Unfortunately this can't be implemented in JtR without intrusive 
changes. Also, this problem is almost gone already - most everything is 
Unicode nowadays. I can't see much RoI here.

> If for cracking password was used other encoding than UTF-8 (if
> --target-encoding was used) than john will save this information in some
> additional pot file (for backward compatibility reasons) using e.g.
> plain-text or name of encoding. Information about encoding would be
> displayed when -show option was in use.
> It's just a thought. Maybe someone here will have a better idea for
> solving those issues.

I considered similar ideas long ago but again I'm not sure it's worth 
the effort. But if we ever revise the pot format for other reasons, we 
should add a field with hex representation of the native password.

magnum

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.