OdinsDream Veteran
Joined: 01 Jun 2002 Posts: 1057
Posted: Wed Jan 14, 2004 4:41 am Post subject: Linux password lengths and John-the-Ripper
I've been playing with wordlists and the program known as John The Ripper. The documentation that comes with the program is rather sparse, but one particular part interested me.
It mentions that passwords beyond length 8 are not tried, since, like a phone number, the extra digits don't really matter. I'm awfully sure this isn't the case. Is John the Ripper simply an ancient program, or is there truth to this?
In any case, what can I do to get John the Ripper to try passwords longer than 8 characters? I have a dictionary of common words, many of which are at least 8 characters long, but it seems that the program simply truncates them.
If anyone has a better suggestion for a program to serve this purpose, I'd love to hear about it. I've tried to get "Crypt" to compile, but that seems futile.
_________________
s/(?<!gnu\/)linux(?! kernel)/GNU\/Linux/gi
Don't blame me. I didn't vote for him.
http://john.simplykiwi.com
teknomage1 Veteran
Joined: 05 Aug 2003 Posts: 1239 Location: Los Angeles, CA
Posted: Wed Jan 14, 2004 5:50 am Post subject:
You have to patch Linux's default passwd suite to add support for passwords beyond eight characters in length. This is a holdover from the bygone days of Unix. I'm sure there's a howto about it. I read about the problem in "Building secure Linux servers" published by O'Reilly.
pyrrhik n00b
Joined: 16 Dec 2003 Posts: 65
Posted: Wed Jan 14, 2004 9:29 am Post subject:
It's been a while since I've spent any quality time with JTR, but if memory serves me right, DES passwords can only be 8 characters long, and everything else is truncated. I used to spend a good deal of time cracking DES passwords, so it was kind of nice, since it did have that 8-char limit on it. Every so often, I'd run across MD5 passwords, and those didn't have that limitation on them. Thus, most systems now use MD5 by default, which would explain why you're having a hard time believing that it just truncates after 8 characters.
OdinsDream Veteran
Joined: 01 Jun 2002 Posts: 1057
Posted: Wed Jan 14, 2004 2:45 pm Post subject:
I'm not at home right now to verify, but I'm fairly certain that John the Ripper indicates the password hashes are DES. Is this to say that it's safe to truncate to 8 characters?
Is there a method of determining whether the hash is MD5 or DES visually, or algorithmically?
--edit--
Well, I just tested an 8-char and 9-char password. They were each equivalent (i.e., I was able to log in with the 8-char, when the 9-char had been set).
FYI: This is a Darwin, MacOSX system.
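An added example (not from this thread or from John the Ripper) addressing the "visually or algorithmically" question from the administrator's side: it classifies crypt(3) hash strings by their modular-crypt prefix, treats a bare 13-character string as traditional DES, and audits shadow-style lines for accounts whose scheme silently truncates the password. It goes beyond the DES/MD5 pair discussed above to the later SHA-2, bcrypt and yescrypt prefixes; the shadow lines and their digest portions are constructed filler, not real hashes, and the 13-character DES check is a heuristic.

```python
import re
# Crypt(3) prefix -> (scheme, max password bytes the scheme hashes;
# None = no practical limit). Sample hashes below are constructed filler.
SCHEMES = {
    "$1$": ("MD5", None),
    "$2a$": ("bcrypt", 72), "$2b$": ("bcrypt", 72), "$2y$": ("bcrypt", 72),
    "$5$": ("SHA-256", None), "$6$": ("SHA-512", None),
    "$y$": ("yescrypt", None),
}
# Traditional DES crypt: no '$' prefix, 2-char salt + 11-char hash,
# all 13 characters drawn from the 64-symbol set [./0-9A-Za-z].
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

def classify_hash(h):
    """Return (scheme, byte_limit) for one crypt(3) hash string."""
    if DES_RE.match(h):
        # DES crypt keys on the low 7 bits of the first 8 bytes only,
        # so an 8-char and a 9-char password sharing that prefix collide.
        return ("DES", 8)
    for prefix, info in SCHEMES.items():
        if h.startswith(prefix):
            return info
    return ("unknown", None)

def ignored_tail(password, byte_limit):
    """Bytes of `password` the scheme silently discards (b'' if none)."""
    if byte_limit is None:
        return b""
    return password.encode("utf-8")[byte_limit:]

def audit_shadow(lines):
    """Return [(user, scheme, limit)] for accounts whose hash truncates."""
    findings = []
    for line in lines:
        fields = line.split(":")
        if len(fields) < 2 or fields[1] == "" or fields[1][0] in "*!":
            continue  # malformed, passwordless or locked: nothing to check
        scheme, limit = classify_hash(fields[1])
        if limit is not None:
            findings.append((fields[0], scheme, limit))
    return findings

# Constructed shadow-style lines; digest portions are filler, not real.
SAMPLE_SHADOW = [
    "legacy:abJnggxhB/yWI:12345:0:99999:7:::",
    "alice:$1$saltsalt$" + "A" * 22 + ":12345:0:99999:7:::",
    "bob:$6$saltsalt$" + "B" * 86 + ":12345:0:99999:7:::",
    "svc:!!:12345:0:99999:7:::",
]
```

Running `audit_shadow` over a real shadow file lists exactly the accounts where a user's ninth and later characters are being thrown away, which is the condition the original poster reproduced by hand.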
Saubloed n00b
Joined: 15 Jun 2003 Posts: 14