truncating passwords instead of rejecting them
#3
For DES crypt, it would be extremely useful to be able to apply existing rulesets that generate passwords longer than eight characters, without modifying them.

DES crypt is a special case because it will ignore all characters after the eighth character. Users who do not realize this will have passwords based on longer strings. The password that they are remembering and typing in is actually longer than is allowed. This means that the *psychology* behind why they picked their password can be based on more than 8 characters.

This means that rule sets designed to generate passwords longer than 8 characters can actually have a high rate of success in guessing DES crypt passwords.

For practical/efficiency reasons, I would much prefer telling hashcat to truncate all passwords, rather than modifying every rule in a long list of rules scattered across multiple files to use the 'N syntax. This way, I can use the existing rules for both DES and non-DES passwords without modification.

[Edit: and I forgot to add: agreed that tracking what had been tried would be waaay too much overhead, sorry].
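
The truncation this post relies on, as an added example that is not part of the original post or of hashcat: traditional DES crypt builds its key from the low 7 bits of the first eight password bytes, so any passwords that agree there are indistinguishable under the same salt. The function names, the UTF-8 input encoding and the sample passwords are assumptions constructed for illustration.

```python
"""Effective-key view of traditional DES crypt (added illustration)."""

DES_CRYPT_MAX = 8  # only this many password bytes influence the hash


def des_crypt_key(password: str) -> bytes:
    """Return the 8 DES key bytes traditional crypt(3) derives from a password.

    Bytes after the eighth are never read. Each byte contributes its low
    7 bits, shifted left by one because the low bit of a DES key byte is a
    parity bit that DES ignores. Short passwords are zero-padded.
    UTF-8 input encoding is an assumption of this example.
    """
    raw = password.encode("utf-8")[:DES_CRYPT_MAX]
    key = bytes((b & 0x7F) << 1 for b in raw)
    return key.ljust(DES_CRYPT_MAX, b"\x00")


def ignored_suffix(password: str) -> bytes:
    """Return the bytes of the password that DES crypt silently drops."""
    return password.encode("utf-8")[DES_CRYPT_MAX:]


def audit(passwords):
    """Group passwords that DES crypt cannot tell apart (same salt assumed)."""
    groups = {}
    for pw in passwords:
        groups.setdefault(des_crypt_key(pw), []).append(pw)
    return {key: pws for key, pws in groups.items() if len(pws) > 1}


# Constructed sample passwords, not taken from any real system.
SAMPLE = ["Summer2015!", "Summer2015?", "Summer20", "Winter2015!"]

if __name__ == "__main__":
    for key, pws in audit(SAMPLE).items():
        print(key.hex(), "<-", pws)
    for pw in SAMPLE:
        print(repr(pw), "ignored:", ignored_suffix(pw))
```

Because the high bit of every byte is also discarded, a non-ASCII character can collide with an unrelated ASCII sequence, which is a second reason a user's intended password may be weaker than it looks.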

Messages In This Thread
RE: truncating passwords instead of rejecting them - by royce - 01-14-2015, 09:56 PM