Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <1578772146.290476.1535976414870@mail.yahoo.com>
Date: Mon, 3 Sep 2018 12:06:54 +0000 (UTC)
From: NeonFlash <psykosonik_frequenz@...oo.com>
To: john-users@...ts.openwall.com
Subject: Re: Cracking Long Passwords

Thanks Alexander as always for the detailed response.
I'll try to join the mailing list using email from another email service provider.
Quick question regarding the password length restrictions in JtR. Is it possible to alter them? If so, do I need to modify some config file or source code and then recompile it?
As you mentioned, these are limitations of JtR while the target file format supports longer passwords.
   On Friday, August 31, 2018, 6:06:59 PM GMT+1, Solar Designer <solar@...nwall.com> wrote:  
 
 Hi,

On Fri, Aug 31, 2018 at 03:43:07PM +0000, NeonFlash wrote:
> Is there a way to know the restriction on password length for dictionary attacks supported by JtR?
> For example, if an archive (zip/rar) file has a password of length greater than 50, can JtR successfully crack it in dictionary attack mode if the correct password is present inside the dictionary?

You can use these commands:

./john --list=format-all-details --format=rar
./john --list=format-all-details --format=rar5
./john --list=format-all-details --format=pkzip
./john --list=format-all-details --format=zip

In my recent build of bleeding-jumbo, the output for RAR (which means
RAR3) includes:

Max. password length                26

for RAR5:

Max. password length                10 [worst case UTF-8] to 32 [ASCII]

for PKZIP:

Max. password length                10 [worst case UTF-8] to 31 [ASCII]

and for ZIP (which means WinZip):

Max. password length                41 [worst case UTF-8] to 125 [ASCII]

So length 50 in particular will likely work for ZIP aka WinZip, but not
for the rest of these.

For all of these we also get:

 Truncates at max. length            no

which means that unfortunately the limitation is ours rather than
inherent to the target file format.

Alexander

P.S. You could want to avoid posting to mailing lists from Yahoo
addresses since your messages probably do not get through to some
subscribers (such as those on Google's mail servers, including everyone
on Gmail and more) due to Yahoo's strict DMARC policy:

$ host -t txt _dmarc.yahoo.com
_dmarc.yahoo.com descriptive text "v=DMARC1\; p=reject\; pct=100\; rua=mailto:dmarc_y_rua@...oo.com\;"
  

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.