The unstoppable Carole Fennelly quotes me at myself on password cracker performance

So I just received:

Saw a [re]tweet about improved performance of John the Ripper and recalled this quote from you:

JtR is a jolly good piece of software, and if it works faster or seems better for [you, the systems administrator], then feel free to use it. I will not weep. I will not cry for the blow to my ego. What I will worry for is that by caring which password cracker you are using, you too are propagating a myth — that password crackers are a right and just tool for a systems administrator — when in reality the right tool would be a secure password system, employing shadowing and cracking-resistant hash algorithms with long-input capability, or, better yet, one-time technologies.

So — if you’re using a password cracker, and getting any results out of it whatsoever, go beat up your vendor as loudly as possible and demand something better.

That was over 10 years ago. Amazing how little changes in this industry.



Carole’s right, and indeed I was and am still right on this topic, but CPU-performance being what it is, plus the ill-informed adoption of unsuited password hash algorithms, plus the arrival of the web has magnified beyond all reasonable bounds a problem that should be solved by now – but alas probably never shall.

If you provoke Glyn Wintle he will gleefully explain that with Hashcat passwords of up to about 12 characters are brute-force / exhaustively crackable in the specific circumstance that they have been hashed using something popular and GPU-optimisable like MD5; shorter passwords are still hard to crack if the programmer chose wisely with his choice of hash algorithm.

So we ought all to be using hardware dongles, right? Not really.

If you worry about that sort of thing – and you possibly should – then you need independent belt and braces. A well-specified password authentication followed by a separate, equally well-specified token authentication. Over a cryptographic channel. Probably using SSH-style TOFU/POP (love the name) certificate checks rather than hierarchical Certificate Authorities which invoke a raft of other problems. Oh, and make it open source. πŸ™‚

Crack was posted 20 years ago come July 15th. My, how time flies…

Thanks Carole. πŸ™‚

Leave a Reply

Your email address will not be published. Required fields are marked *