OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Re: john the ripper

From: Martin Mačok (martin.macokunderground.cz)
Date: Tue Dec 09 2003 - 12:45:07 CST


On Mon, Dec 08, 2003 at 11:58:08AM -0700, Benjamin Tomhave wrote:

> Scary numbers...so, semi-drifting question: how long is an
> "acceptable" length of time to run a cracker before pronouncing that
> uncracked passwords are "reasonably strong and well-chosen"?

I usually run it for several hours, sometimes letting it choking
through the weekend. You can't tell them "reasonably strong or
well-chosen" after a pen-test, only "couldn't crack in X hours on
Y hardware with N/(X*3600) tests per second".

To tell them "reasonably strong", you should let it running for at
least X days where X is their password expiration time.

(It also depends on quality of your wordlist/dictionary...)

--
         Martin Mačok http://underground.cz/
   martin.macokunderground.cz http://Xtrmntr.org/ORBman/

---------------------------------------------------------------------------
----------------------------------------------------------------------------