Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20191113154010.GA6379@openwall.com>
Date: Wed, 13 Nov 2019 16:40:11 +0100
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: skip or try passwords with repeated characters

Hi,

I've just written the following two external modes, which I think others
might find useful as well.  We'll likely add them to default john.conf.

--external=Filter_NoRepeats can be used to skip candidate passwords that
contain the same character more than once.  --external=Filter_Repeats is
the opposite, and can be used e.g. to search the remainder of the
initial set of passwords after a run with --external=Filter_NoRepeats.

My immediate use case is for trying to recover a presumably
random-looking yet user-chosen password.  I split the initial candidate
password list in two: first those without repeats, and then the rest.
In my case, the first sub-list ended up being 15+ times smaller than the
second one, although this varies (primarily) by the character set size.
There are not a lot of different characters in total in my case, which
is why seeing a character used more than once in a password is so common
in the full list of candidate passwords.

My guess is this will improve average time until success if people tend
to avoid using a character more than once when asked to produce a string
of random characters.  (Someone might want to test this hypothesis.)

[List.External:Filter_NoRepeats]
int seen[0x100], now;

void init()
{
	now = 0;
}

void filter()
{
	int i, c;

	if (!now--) {
		i = 0;
		while (i < 0x100)
			seen[i++] = 0;
		now = 1000000000;
	}

	i = 0;
	while (c = word[i++]) {
		if (seen[c] == now) {
			word = 0; return;
		}
		seen[c] = now;
	}
}

[List.External:Filter_Repeats]
int seen[0x100], now;

void init()
{
	now = 0;
}

void filter()
{
	int i, c;

	if (!now--) {
		i = 0;
		while (i < 0x100)
			seen[i++] = 0;
		now = 1000000000;
	}

	i = 0;
	while (c = word[i++]) {
		if (seen[c] == now)
			return;
		seen[c] = now;
	}

	word = 0;
}

On a related note, we might want to add a way to invert the filter from
the command-line, which would eliminate the need for defining both
modes.  Alternatively, we can share most code of the two modes above by
including a common section into them, like we do for some other external
modes already.

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.