On Mon, 2 Jun 2003, Derek Fountain wrote:
As a matter of interest, has anyone on the list tried running John the Ripper on their password file? I just tried mine, and was rather alarmed!
A lot may depend on HOW John tries to crack the passwords. Username=password cases are detected immediately, even though the passwords may be a combination of case/letters/number. Then there are rules for cases and characters etc., which, john.ini says, are config dependent.

My friend gave me a password [unencrypted] f1aeXced and it was not possible for my P-III 600 to crack it in three months. Uptime nearly 100%. So I guess we are well off mixing cases in alphabets and numbers in between.

John's algo seems to have steps like

1. username=password
2. only numbers
3. only letters - lowercase
4. ... etc. etc.

which is statistically generated based on what people choose to be their passwords, typically.

I did the same run for 3500+ passwords for the yppasswd file of 2500 students of IIT Bombay, India. Got 200+ on the same day. Total 350+ by the end of the week. And after that, I was lucky if I got two passwords every subsequent day.

Chances are that if a password is not cracked soon enough, it may take really long to get cracked. But yes, it seems possible that all of them would be cracked in the END.

-- Rohit
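
Added example, not part of the original message and not John the Ripper's code: a check run when a password is set that rejects candidates in the early guess classes listed in the message (username-derived, only numbers, only lowercase letters) and sizes the brute-force search space for the rest. The function names, the sample accounts and the 62^8 threshold are assumptions made for illustration.

```python
import string

# Character classes used to size the brute-force search space.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation]

def _core(s):
    """Lowercase and drop leading/trailing digits ('Derek2003' -> 'derek')."""
    return s.lower().strip(string.digits)

def early_guess_class(username, password):
    """Name the early guess class the password falls into, or None."""
    if not password:
        return "empty"
    if password.lower() == username.lower() or (
            _core(password) and _core(password) == _core(username)):
        return "username-derived"
    if all(c in string.digits for c in password):
        return "only numbers"
    if all(c in string.ascii_lowercase for c in password):
        return "only lowercase letters"
    return None

def search_space(password):
    """Exhaustive-search size: (alphabet in use) ** length.
    Characters outside the four ASCII classes are not counted. This is an
    upper bound on guessing work; statistically ordered guessing can find
    common choices far sooner."""
    alphabet = sum(len(cls) for cls in CLASSES
                   if any(c in cls for c in password))
    return alphabet ** len(password)

def review(username, password, min_space=62 ** 8):
    """Return (accepted, reason). min_space is an assumed policy threshold:
    the space of 8 characters drawn from upper case, lower case and digits."""
    cls = early_guess_class(username, password)
    if cls:
        return False, cls
    if search_space(password) < min_space:
        return False, "search space too small"
    return True, "ok"

# Constructed sample accounts, except f1aeXced which is quoted in the message.
SAMPLES = [("derek", "Derek2003"), ("alice", "19851231"), ("bob", "sunshine"),
           ("carol", "f1aeXced"), ("dave", "aB3dE")]

if __name__ == "__main__":
    for user, pw in SAMPLES:
        print(f"{user:6} {pw:10} {search_space(pw):>16} {review(user, pw)}")
```

Run against the samples, only `f1aeXced` is accepted; its search space is roughly a thousand times that of an eight-letter lowercase password of the same length.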