Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20210906153917.GC17177@openwall.com>
Date: Mon, 6 Sep 2021 17:39:17 +0200
From: Solar Designer <solar@...nwall.com>
To: Yan Ngusu <yanngusu05@...il.com>
Cc: john-users@...ts.openwall.com
Subject: Re: crack passphrase in the browsers

Hi Yan,

On Wed, Sep 01, 2021 at 04:09:30PM +0200, Yan Ngusu wrote:
> I know that when you lose your passe phrase, the best thing to do is to
> create a new account.
> But, I've some users, they didn't share some of their passwords, but they
> lost the passphrase.
> 
> So, My questions is:
> 
> 1. There's not another way to recover the account without creating it?

If you administer the system/service where those user accounts are
registered, then you can reset their passwords for them (provided that
you authenticate the people in some other way).

> 2. If Jhon the ripper can help to crack the password on a file, can it do
> the same for a passphrase in the browsers? If Yes, how please?

I don't know what exactly you mean by doing it "in the browsers".

If you mean the user saved their passwords in a web browser, but forgot
the master password for the browser's password storage, then a suitable
JtR "format" could be used to try and recover the master password (if
that password is weak or partially known).  See doc/README.mozilla.

If you mean probing passwords against a remote service via a web
browser, then JtR can not be used for this.  A tool that does something
like this (but not exactly) is THC Hydra (and JtR can be used to feed
candidate passwords into it), but this is generally pointless and could
cause trouble and get you in trouble.  To use a tool like this you need
authorization from whoever runs the service, but they could simply reset
the password(s) for you.

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.