Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <25eb50f11632640c295add4b64089a31@smtp.hushmail.com>
Date: Mon, 01 Jun 2015 03:08:27 +0200
From: magnum <john.magnum@...hmail.com>
To: john-users@...ts.openwall.com
Subject: Re: Bleeding jumbo now defaults to UTF-8

On 2015-06-01 01:34, Marek Wrzosek wrote:
> W dniu 01.06.2015 o 00:44, magnum pisze:
>> On 2015-05-31 16:09, Marek Wrzosek wrote:
>>> Let's summarize what have changed. Before defaulting to UTF-8 in
>>> john.pot were plain-texts and there was possible to use many encodings
>>> in one wordlist. Moreover plain-texts were known, but information about
>>> human-readable form of passwords was gone. After change john can use
>>> only single-encoding wordlists, stores human-readable passwords in
>>> john.pot, but plain-texts are gone and one will need to repeat cracking
>>> passwords using many different target encodings. Just defaulting to
>>> UTF-8 have solved some issues but have created new ones.
>>
>> True. How often is the new defaults a problem IRL though? If you audit a
>> system it will likely have just one encoding and you should have a good
>> idea which is is.
>>
>> magnum
>>
> Can you guarantee that on some audited system that runs an Internet
> service that is used by people from all over the world and they were
> using different operating systems, they speak different languages and
> still all passwords have just one encoding? It could be true today. But
> was it true in the past?

We're talking about defaults and common cases. For uncommon cases, you'd 
use non-defaults. Makes sense, doesn't it? It has been the other way 
round until now, and it did not make sense.

> For systems with mixed encodings old jumbo would crack all encodings
> using e.g. all.lst on one run. New jumbo will need several runs and all
> e.g. ASCII-only passwords will be repeated.

Only if you insist on the idea of a single gigantic universal wordlist. 
No matter how you use that beast, you'll end up suboptimal (but easy to 
use).

Hey, no functionality was removed. Just reset john.conf to the legacy 
settings and temporarily use that. Do so with a separate pot file (using 
the -pot option) so you don't ruin the all-utf8 pot file.

I'd do it differently though.

magnum

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.