Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20191210185753.GA21093@openwall.com>
Date: Tue, 10 Dec 2019 19:57:53 +0100
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: Finding Password to Spareseimage

On Tue, Dec 10, 2019 at 08:22:03PM +0200, Greg Burne wrote:
> The exact special characters used are known, and the exact uppercase and lowercase letters used are known including their position in the password, it is just the length that would really vary, and based on the length would determine the number of special characters used, but the actual password potion I would be able to hit bang on.

Well, based on this description you can try something like this:

./john --mask='knownUl[.!?]' --max-length=16 file.txt

which would try these candidates:

knownUl.
knownUl!
knownUl?
knownUl..
knownUl!.
knownUl?.
knownUl.!
knownUl!!
knownUl?!
knownUl.?

and so on.  You can use the square braces in multiple places in the
mask, but only the last portion of the mask may be have its length
stretched automatically.  You can also use placeholders, like this:

./john -2='SOMEUPPERS' -3='somelowers' -4='.!??' --mask='known?4?2?2?3?3?4' --max-length=16 file.txt

which produces:

known.SSss.
known!SSss.
known?SSss.
known.OSss.
known!OSss.
known?OSss.
known.MSss.
known!MSss.
known?MSss.
known.ESss.

... and will take ages before moving to the next length.

> From a specifics point of view, should I share the details of the password and structure? I would have stop using them then. 
> First prize would be if I could keep the passwords secret.

You can try to work from the examples above.

If this doesn't help, then yes you could share the details and if your
other passwords are too similar then stop using this pattern.

You can also use Openwall's password recovery service (recently added to
the Services web page on our website) if your budget permits.  Then
you'd only need to share the details privately, and we'd work from your
dmg2john output file on our hardware (a Linux box with multiple GPUs).

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.