Red Hat Bugzilla – Bug 281311
john doesn't support incremental cracking of passwords longer than 8 characters
Last modified: 2007-11-30 17:12:15 EST
Description of problem:
John the Ripper does not support cracking in incremental mode of passwords
longer than 8 characters. But MD5-hashed passwords, the default scheme shipped
with Fedora, support much longer passwords. John as currently shipped cannot
therefore be used reliably to check the integrity of passwords in
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. edit /etc/john.conf by changing MaxLen to a value greater than 8.
For instance, if I set MaxLen = 14, john reports:
MaxLen = 14 exceeds the compile-time limit of 8
There are several good reasons why you probably don't need to raise it:
- many hash types don't support passwords (or password halves) longer than
7 or 8 characters;
- you probably don't have sufficient statistical information to generate a
charset file for lengths beyond 8;
- the limitation applies to incremental mode only.
john should run in incremental mode.
Since the minimum password length is 6 by default and john restricts the max
length to 8, incremental mode can only possibly crack a small number of
passwords. This is dependent on the average length of users' passwords of
course, but I know of some systems that use passwords longer than 8 characters.
If Fedora ships with a default password scheme that allows for longer passwords
then john should have a more reasonable MaxLen compiled in.
Did you read the thread beginning in
and all its references and especially the following mail?
IMHO it does not make much sense to use incremental mode for very long
passwords, because it will take too long. Using a wordlist is a more realistic
approach. Therefore I guess I'll close this ticket as WONTFIX. Maybe you can persuade
someone to collect statistical information for longer passwords and submit it
upstream, then it will get into Fedora's john eventually.
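As an added illustration of the length arithmetic behind both positions in this bug (the reporter's point that MinLen=6..MaxLen=8 covers only short passwords, and the maintainer's point that raising MaxLen to 14 makes incremental mode impractically slow), the Python below computes the incremental-mode keyspace for a length range and an exhaustive-search time at an assumed hash rate. This is example code written for this page, not code from the bug report or from john; the 95-symbol charset and the 20,000 candidates/second figure are assumptions chosen only to give the numbers a scale.

```python
"""Length arithmetic behind john's incremental-mode MaxLen limit.

Constructed example, not code from the bug report or from john itself.
It models the two positions in the bug: a MinLen=6..MaxLen=8 range only
reaches short passwords, while extending MaxLen to 14 multiplies the
search space enormously. Charset size and hash rate are assumptions.
"""

# Assumption: 95 printable ASCII symbols. john's incremental charsets are
# frequency-ordered, so this is the size of the raw keyspace, not the order
# in which john would actually try candidates.
PRINTABLE_ASCII = 95

# Assumption: a slow salted hash such as MD5-crypt on a single 2007-era CPU,
# in candidates per second. Chosen only to give the numbers a scale.
ASSUMED_RATE_PER_SEC = 20_000

SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(min_len, max_len, charset_size=PRINTABLE_ASCII):
    """Number of candidates of length min_len..max_len over charset_size symbols."""
    if min_len < 1 or max_len < min_len:
        raise ValueError("need 1 <= min_len <= max_len")
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def extension_factor(old_max, new_max, min_len=6, charset_size=PRINTABLE_ASCII):
    """How many times larger the keyspace gets when MaxLen grows from old_max to new_max."""
    return keyspace(min_len, new_max, charset_size) / keyspace(min_len, old_max, charset_size)


def exhaustive_years(min_len, max_len, rate=ASSUMED_RATE_PER_SEC, charset_size=PRINTABLE_ASCII):
    """Years needed to try every candidate in the range at `rate` candidates/second."""
    return keyspace(min_len, max_len, charset_size) / rate / SECONDS_PER_YEAR


def cost_table(max_lens, min_len=6, rate=ASSUMED_RATE_PER_SEC, charset_size=PRINTABLE_ASCII):
    """One row per MaxLen value: raw keyspace and exhaustive-search time in years."""
    return [
        {
            "max_len": m,
            "candidates": keyspace(min_len, m, charset_size),
            "years": exhaustive_years(min_len, m, rate, charset_size),
        }
        for m in max_lens
    ]


if __name__ == "__main__":
    print(f"charset={PRINTABLE_ASCII} symbols, rate={ASSUMED_RATE_PER_SEC}/s, MinLen=6")
    for row in cost_table([8, 10, 12, 14]):
        print(f"MaxLen={row['max_len']:2d}  candidates={row['candidates']:.3e}  "
              f"exhaustive years={row['years']:.3e}")
    print(f"Raising MaxLen 8 -> 14 multiplies the keyspace by {extension_factor(8, 14):.3e}")
```

Even the default 6..8 range is far beyond exhaustive search at this rate; incremental mode only pays off because its charset statistics put likely candidates first, which is exactly the statistical information the maintainer says is missing for longer lengths. Each extra character multiplies the raw space by the charset size, so MaxLen 14 is roughly 95^6 times larger than MaxLen 8.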