Penetration Testing mailing list archives

Re: john the ripper
From: Martin Mačok <martin.macok () underground cz>
Date: Tue, 9 Dec 2003 19:45:07 +0100

On Mon, Dec 08, 2003 at 11:58:08AM -0700, Benjamin Tomhave wrote:

> Scary numbers...so, semi-drifting question: how long is an
> "acceptable" length of time to run a cracker before pronouncing that
> uncracked passwords are "reasonably strong and well-chosen"?

I usually run it for several hours, sometimes letting it choke
through the weekend. You can't tell them "reasonably strong or
well-chosen" after a pen-test, only "couldn't crack in X hours on
Y hardware with N/(X*3600) tests per second".

To tell them "reasonably strong", you should let it run for at
least X days where X is their password expiration time.

(It also depends on the quality of your wordlist/dictionary...)

         Martin Mačok                 http://underground.cz/
   martin.macok () underground cz        http://Xtrmntr.org/ORBman/

