Message-ID: <CAKDRQS4icDYLT+8JidH4_HfxtMDcahMMXeJArQmD0F756rNDig@mail.gmail.com>
Date: Thu, 9 Nov 2023 18:37:11 +0000
From: Jimmy Yuen Ho Wong <wyuenho@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: 1password memorable passwords

The problem is hashcat currently does not support dmg/sparsebundle. Right
now I'm just using a tiny Rust program to generate all the combinations and
pipe it to john --stdin, I would love to learn of a faster way tho.

Jimmy

On Thu, Nov 9, 2023 at 4:29 PM Matt Weir <cweir@...edu> wrote:

> The most recent "Crack Me If You Can" password cracking competition had a
> similar challenge, and in my write-up I talked about cracking Correct Horse
> Battery Staple near the end of it. Here's a link to that blog post:
>
> https://reusablesec.blogspot.com/2023/08/hashcat-tips-and-tricks-for-hacking.html
>
> I know that this is a John the Ripper mailing list, so my apologies for
> talking about another tool, but Hashcat might scale a bit better for the
> problem you are trying to solve. I will say, hopefully your password is
> only three words long. Four words, while theoretically crackable, will
> require a lot of resources and time. Here is a writeup 1password put out
> regarding a password cracking competition they ran specifically targeting
> their password suggestion algorithm:
>
> https://blog.1password.com/cracking-challenge-update/
>
> Even three words is tough for most people's setups. If you can happen to
> remember one of the words though, it can become a much more solvable
> problem.
>
> Long story short, hate to be the bearer of bad news, but if you can't
> remember more of your password, you probably are not going to be able to
> crack it.
>
> Cheers,
> Matt / Lakiw
>
> On Thu, Nov 9, 2023 at 9:32 AM magnum <magnumripper@...hmail.com> wrote:
>
> > On 2023-11-09 10:53, Jimmy Yuen Ho Wong wrote:
> > > I'm only trying to generate a rainbow table using 1password's memorable
> > > password rule.
> >
> > A rainbow table is something vastly different and the term should not be
> > misused. You are merely compiling a wordlist!
> >
> > > 1password's memorable password rule is basically the XKCD 936 rule -
> > > each word is randomly picked from a list of 18342 words, each word is
> > > at most 8 characters long, and the password is 3 to 4 words long
> > > separated by hyphens. There are 2^56 combos and obviously I can't
> > > generate this wordlist on disk.
> >
> > Any way you generate it can instead be used directly by a cracker, so
> > storing it on disk is not needed anyway.
> >
> > > I've looked at external modes and it's not obvious to me how the mini
> > > language handles such a large wordlist. It doesn't look like it
> > > supports C-strings, 2d arrays or reading a file either. Is there a
> > > smarter way to configure and/or script JtR such that it batches and
> > > streams a continuously generated wordlist without me writing a whole
> > > different mode?
> >
> > For a slow mode such as DMG, a trivial perl script is probably just fine
> > (you may even be able to find similar such scripts in this list's
> > archives). We have a PRINCE cracking mode that could almost do what you
> > need with the 18K words list as input. But it lacks support for putting
> > the hyphens inbetween words, and if we try to work around that by
> > appending a hyphen to each input word, we instead hit the max length
> > limit (would need 35 for 4*8+3 while max for PRINCE is 32).
> >
> > Or you could persuade someone to fix
> > https://github.com/openwall/john/issues/2268 (which would also fix
> > https://github.com/hashcat/princeprocessor/issues/49) - that would solve
> > the problem canonically and it should actually be pretty trivial. Alas,
> > I do not have time for it.
> >
> > In case you write or find a script/tool that outputs the candidates to
> > stdout, you'll just pipe it like this:
> >
> >     some_tool | ./john dmghash.txt -stdin
> >
> > magnum
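
Added example, not part of the thread and not code from John the Ripper or 1Password: a Python sketch that sizes the search space discussed above (18342 words, 3 or 4 words joined by hyphens) and shows how much one remembered word shrinks it. The streaming generator is checked against the closed-form count on a small constructed list; the function names and the guess rate are assumptions, not figures from the thread.

```python
import itertools
import math

LIST_SIZE = 18342  # word-list size quoted in the thread


def keyspace(n_words, list_size=LIST_SIZE, one_word_known=False):
    """Count n-word passphrases, optionally only those containing one known word."""
    total = list_size ** n_words
    if one_word_known:
        # Everything minus the passphrases that avoid the known word entirely.
        return total - (list_size - 1) ** n_words
    return total


def candidates(words, n_words, known=None, sep="-"):
    """Lazily yield each passphrase exactly once (words must be unique)."""
    if known is None:
        for combo in itertools.product(words, repeat=n_words):
            yield sep.join(combo)
        return
    others = [w for w in words if w != known]
    # Split on the position of the FIRST occurrence of the known word, so a
    # passphrase that contains it twice is still produced only once.
    for first in range(n_words):
        for head in itertools.product(others, repeat=first):
            for tail in itertools.product(words, repeat=n_words - first - 1):
                yield sep.join(head + (known,) + tail)


def days_to_exhaust(count, guesses_per_second):
    """Worst-case days needed to try every candidate at a fixed rate."""
    return count / guesses_per_second / 86400


if __name__ == "__main__":
    rate = 1000  # assumed guesses/second, not a figure from the thread
    for n in (3, 4):
        for known in (False, True):
            k = keyspace(n, one_word_known=known)
            print(f"{n} words, one word known={known}: {k:.3e} candidates "
                  f"({math.log2(k):.1f} bits), "
                  f"{days_to_exhaust(k, rate):.3g} days at {rate}/s")
```
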