Bug 281311 - john doesn't support incremental cracking of passwords longer than 8 characters
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: john
Version: 7
Hardware: All
OS: Linux
Priority: medium
Severity: low
Target Milestone: ---
Assignee: Till Maas
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2007-09-06 19:19 UTC by william hanlon
Modified: 2007-11-30 22:12 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-09-06 20:14:12 UTC
Type: ---
Embargoed:



Description william hanlon 2007-09-06 19:19:39 UTC
Description of problem:
John the Ripper does not support cracking in incremental mode of passwords
longer than 8 characters. But MD5-hashed passwords, the default scheme shipped
with Fedora, support much longer passwords. John as currently shipped therefore
cannot be used reliably to check the integrity of passwords in incremental mode.

Version-Release number of selected component (if applicable):
john-1.7.0.2-3.fc7

How reproducible:
always

Steps to Reproduce:
1. Edit /etc/john.conf by changing MaxLen to a value greater than 8.
  
Actual results:
For instance, if I set MaxLen = 14, john reports:

MaxLen = 14 exceeds the compile-time limit of 8

There are several good reasons why you probably don't need to raise it:
- many hash types don't support passwords (or password halves) longer than
7 or 8 characters;
- you probably don't have sufficient statistical information to generate a
charset file for lengths beyond 8;
- the limitation applies to incremental mode only.

Expected results:
john should run in incremental mode.


Additional info:
Since the minimum password length is 6 by default and john restricts the max
length to 8, incremental mode can only possibly crack a small number of
passwords. This is dependent on the average length of users' passwords of
course, but I know of some systems that use passwords longer than 8 characters.

If Fedora ships with a default password scheme that allows for longer passwords,
then john should have a more reasonable MaxLen compiled in.

Comment 1 Till Maas 2007-09-06 20:14:12 UTC
Did you read the thread beginning in
http://www.openwall.com/lists/john-users/2007/07/03/1
and all its references and especially the following mail?
http://www.openwall.com/lists/john-users/2007/07/04/5

IMHO it does not make much sense to use incremental mode for very long
passwords, because it will take too long. Using a wordlist is a more realistic
approach. Therefore I guess I'll close this ticket as WONTFIX. Maybe you can persuade
someone to collect statistical information for longer passwords and submit it
upstream; then it will get into Fedora's john eventually.
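The search-space arithmetic behind the "it will take too long" point above, as an added example that is not part of the bug report or of John the Ripper's code. The hash rate used in the summary table is a constructed figure for illustration, not a measurement; the functions take the rate as a parameter so a reviewer can plug in the throughput of whatever hash scheme they are assessing.

```python
# Added example (not from the bug report or from John the Ripper).
# Estimates how much larger the incremental-mode search space becomes when
# MaxLen is raised, and how long an exhaustive pass would take at a given rate.

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(charset_size: int, min_len: int, max_len: int) -> int:
    """Number of candidate strings with lengths min_len..max_len inclusive.

    Each length n contributes charset_size ** n candidates; the sum is what an
    exhaustive incremental pass would have to enumerate.
    """
    if charset_size < 1 or min_len < 1 or max_len < min_len:
        raise ValueError("need charset_size >= 1 and 1 <= min_len <= max_len")
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def exhaustive_seconds(charset_size: int, min_len: int, max_len: int,
                       rate_per_second: float) -> float:
    """Wall-clock seconds to enumerate the whole keyspace at rate_per_second."""
    if rate_per_second <= 0:
        raise ValueError("rate must be positive")
    return keyspace(charset_size, min_len, max_len) / rate_per_second


def growth_factor(charset_size: int, old_max: int, new_max: int,
                  min_len: int = 6) -> float:
    """How many times larger the keyspace gets when MaxLen goes old_max -> new_max.

    min_len defaults to 6, the default MinLen mentioned in the report.
    """
    return (keyspace(charset_size, min_len, new_max)
            / keyspace(charset_size, min_len, old_max))


def summary_rows(rate_per_second: float, min_len: int = 6,
                 max_lens=(8, 14)) -> list:
    """Rows of (charset label, size, max_len, keyspace, years) for a few
    common character sets; the rate is whatever the caller assumes."""
    charsets = [("lowercase", 26), ("lower+digits", 36),
                ("mixed-case+digits", 62), ("printable ASCII", 95)]
    rows = []
    for label, size in charsets:
        for max_len in max_lens:
            space = keyspace(size, min_len, max_len)
            years = exhaustive_seconds(size, min_len, max_len,
                                       rate_per_second) / SECONDS_PER_YEAR
            rows.append((label, size, max_len, space, years))
    return rows


if __name__ == "__main__":
    # Constructed, illustrative rate: a slow salted hash at 1e5 candidates/s.
    ASSUMED_RATE = 1e5
    print(f"{'charset':20} {'size':>4} {'MaxLen':>6} {'keyspace':>22} {'years':>14}")
    for label, size, max_len, space, years in summary_rows(ASSUMED_RATE):
        print(f"{label:20} {size:4d} {max_len:6d} {space:22d} {years:14.3g}")
    print("growth factor, printable ASCII, MaxLen 8 -> 14:",
          f"{growth_factor(95, 8, 14):.3g}")
```

The table is useful from the defensive side: for a given hash scheme's throughput it shows what length and character-set a password policy actually buys, and why a wordlist (which targets the tiny structured subset of that space people really pick from) is the realistic check rather than exhaustive enumeration beyond eight characters.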

