Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: john the ripper

From: Martin Mačok <martin.macok () underground cz>
Date: Tue, 9 Dec 2003 19:45:07 +0100
On Mon, Dec 08, 2003 at 11:58:08AM -0700, Benjamin Tomhave wrote:


Scary numbers...so, semi-drifting question: how long is an
"acceptable" length of time to run a cracker before pronouncing that
uncracked passwords are "reasonably strong and well-chosen"?


I usually run it for several hours, sometimes letting it choking
through the weekend. You can't tell them "reasonably strong or
well-chosen" after a pen-test, only "couldn't crack in X hours on
Y hardware with N/(X*3600) tests per second".

To tell them "reasonably strong", you should let it running for at
least X days where X is their password expiration time.

(It also depends on quality of your wordlist/dictionary...)

-- 
         Martin Mačok                 http://underground.cz/
   martin.macok () underground cz        http://Xtrmntr.org/ORBman/

---------------------------------------------------------------------------
----------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: