Bug 281311 - john doesn't support incremental cracking of passwords longer than 8 characters
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: john
Version: 7
Hardware: All
OS: Linux
Priority: medium
Severity: low
Assigned To: Till Maas
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-09-06 15:19 EDT by william hanlon
Modified: 2007-11-30 17:12 EST
Last Closed: 2007-09-06 16:14:12 EDT
Description william hanlon 2007-09-06 15:19:39 EDT
Description of problem:
John the Ripper does not support cracking in incremental mode of passwords
longer than 8 characters. But MD5 hashed passwords, the default scheme shipped
with Fedora, support much longer length passwords. John as currently shipped
cannot therefore be used reliably to check the integrity of passwords in
incremental mode.

Version-Release number of selected component (if applicable):
john-1.7.0.2-3.fc7

How reproducible:
always

Steps to Reproduce:
1. Edit /etc/john.conf by changing MaxLen to a value greater than 8.
  
Actual results:
For instance, if I set MaxLen = 14, john reports:

MaxLen = 14 exceeds the compile-time limit of 8

There are several good reasons why you probably don't need to raise it:
- many hash types don't support passwords (or password halves) longer than
7 or 8 characters;
- you probably don't have sufficient statistical information to generate a
charset file for lengths beyond 8;
- the limitation applies to incremental mode only.

Expected results:
john should run in incremental mode.


Additional info:
Since the minimum password length is 6 by default and john restricts the max
length to 8, incremental mode can only possibly crack a small number of
passwords. This is dependent on the average length of users' passwords of
course, but I know of some systems that use passwords longer than 8 characters.

If Fedora ships with a default password scheme that allows for longer passwords
then john should have a more reasonable MaxLen compiled in.
Comment 1 Till Maas 2007-09-06 16:14:12 EDT
Did you read the thread beginning in
http://www.openwall.com/lists/john-users/2007/07/03/1
and all its references and especially the following mail?
http://www.openwall.com/lists/john-users/2007/07/04/5

IMHO it does not make much sense to use incremental mode for very long
passwords, because it will take too long. Using a wordlist is a more realistic
approach. Therefore I guess I close this ticket WONTFIX. Maybe you can persuade
someone to collect statistical information for longer passwords and submit it
upstream, then it will get into Fedora's john eventually.
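
Added example, not part of the original bug report or of John the Ripper's code: a small model of the worst-case keyspace a length-bounded search has to cover, to put numbers on the "it will take too long" argument in comment 1 for an auditor deciding between incremental mode and a wordlist. The 95-character set and the guess rates are assumptions chosen for illustration; incremental mode orders candidates by character statistics, so these figures are only the exhaustion bound.

```python
"""Worst-case keyspace for a search bounded by MinLen/MaxLen (added example)."""

CHARSET_SIZE = 95            # assumption: printable ASCII
GUESSES_PER_SECOND = 10_000  # constructed rate for illustration, not a benchmark
YEAR = 365 * 24 * 3600       # seconds


def keyspace(length, charset=CHARSET_SIZE):
    """Number of candidate passwords of exactly `length` characters."""
    return charset ** length


def cumulative_keyspace(min_len, max_len, charset=CHARSET_SIZE):
    """Candidates of every length from min_len to max_len inclusive."""
    return sum(keyspace(n, charset) for n in range(min_len, max_len + 1))


def years_to_exhaust(min_len, max_len, rate=GUESSES_PER_SECOND,
                     charset=CHARSET_SIZE):
    """Years needed to try every candidate once at `rate` guesses per second."""
    return cumulative_keyspace(min_len, max_len, charset) / rate / YEAR


def longest_exhaustible(min_len, budget_seconds, rate=GUESSES_PER_SECOND,
                        charset=CHARSET_SIZE):
    """Largest MaxLen whose whole keyspace fits in the budget, else None."""
    best, total, length = None, 0, min_len
    while True:
        total += keyspace(length, charset)
        if total / rate > budget_seconds:
            return best
        best, length = length, length + 1


if __name__ == "__main__":
    # 6 is the default minimum length cited in the report, 8 the compiled-in
    # limit, and 14 the MaxLen value the reporter tried.
    for max_len in (8, 14):
        print(f"lengths 6..{max_len}: "
              f"{cumulative_keyspace(6, max_len):.3e} candidates, "
              f"{years_to_exhaust(6, max_len):.3e} years "
              f"at {GUESSES_PER_SECOND}/s")
    print("longest MaxLen exhaustible in one year at 1e6/s:",
          longest_exhaustible(6, YEAR, rate=1_000_000))
```

Raising the bound from 8 to 14 multiplies the keyspace by roughly 95^6, which is why a wordlist with rules is the practical audit method for long passwords.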
