Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <DB6PR0201MB23418937BA247A6967DF6AC2C9E70@DB6PR0201MB2341.eurprd02.prod.outlook.com>
Date: Wed, 17 May 2017 21:13:58 +0000
From: Will Hunt <will.hunt@...e.co.uk>
To: "john-users@...ts.openwall.com" <john-users@...ts.openwall.com>
Subject: Re: Max Password Lengths

Thanks very much for your help clarifying.


________________________________
From: magnum <john.magnum@...hmail.com>
Sent: 17 May 2017 21:11
To: john-users@...ts.openwall.com
Subject: Re: [john-users] Max Password Lengths

On 2017-05-17 15:38, Will Hunt wrote:
> After following your recent discussion with Rob re maximum password lengths, is there any easy way to determine the maximum character length of all supported algorithms?
>
> I noted that using --enc:raw shows 27 for NT instead of 81, but I haven't been able to find any resources online that quickly show which algorithms are unicode based and which aren't
Latest jumbo (from github) will display length as "characters" as
opposed to bytes. Examples:

$ ../run/john --list=format-all-details --format=nt
Format label                         NT
  Disabled in configuration file      no
Min. password length                 0
Max. password length                 27
Min. keys per crypt                  12
Max. keys per crypt                  12
Flags
  Case sensitive                      yes
  Truncates at (our) max. length      no
  Supports 8-bit characters           yes
  Converts internally to UTF-16/UCS-2 yes
  Honours --encoding=NAME             yes
  Collisions possible (as in likely)  no
  Uses a bitslice implementation      no
  The split() method unifies case     yes
  Supports very long hashes           no
  A $dynamic$ format                  no
  A dynamic sized salt                no
  Parallelized with OpenMP            no
Number of test vectors               43
Algorithm name                       MD4 128/128 AVX 4x3
Format name
Benchmark comment
Benchmark length                     -1
Binary size                          16
Salt size                            0
Tunable cost parameters
Example ciphertext                   b7e4b9022cd45f275334bbdb83bb5be5

$ ../run/john --list=format-all-details --format=office
Format label                         Office
  Disabled in configuration file      no
Min. password length                 0
Max. password length                 41 [worst case UTF-8] to 125 [ASCII]
Min. keys per crypt                  32
Max. keys per crypt                  128
Flags
  Case sensitive                      yes
  Truncates at (our) max. length      no
  Supports 8-bit characters           yes
  Converts internally to UTF-16/UCS-2 yes
  Honours --encoding=NAME             yes
  Collisions possible (as in likely)  no
  Uses a bitslice implementation      no
  The split() method unifies case     no
  Supports very long hashes           no
  A $dynamic$ format                  no
  A dynamic sized salt                no
  Parallelized with OpenMP            yes
   Poor OpenMP scalability            no
Number of test vectors               19
Algorithm name                       SHA1 128/128 AVX 4x / SHA512
128/128 AVX 2x AES
Format name                          2007/2010/2013
Benchmark comment
Benchmark length                     -1
Binary size                          16
Salt size                            84
Tunable cost parameters              MS Office version, iteration count
Example ciphertext
$office$*2007*20*128*16*8b2c9e8c878844fc842012273be4bea8*aa862168b80d8c45c852696a8bb499eb*a413507fabe2d87606595f987f679ff4b5b4c2cd

In the latter case, we see that worst-case UTF-8 will push down the max
length.


> I don't know which ones require a calculation from the displayed value. Or failing that, is there a switch that allows john show the actual character length limits of all algorithms?

You can see it in the "Converts internally to UTF-16/UCS-2" lines above.

magnum

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.