Apache-Talk @lexa.ru 

Inet-Admins @info.east.ru 

Filmscanners @halftone.co.uk 

Security-alerts @yandex-team.ru 

nginx-ru @sysoev.ru 

   


   


   

















      :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[security-alerts] FW: John the Ripper 1.7; pam_passwdqc 1.0+; tcb 1.0; phpass 0.0



> -----Original Message-----
> From: Solar Designer [mailto:solar@xxxxxxxxxxxx] 
> Sent: Thursday, February 09, 2006 5:07 AM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: John the Ripper 1.7; pam_passwdqc 1.0+; tcb 1.0; phpass 0.0
> 
> Hi,
> 
> This is to announce several related items at once. :-)
> 
> After 7+ years of development snapshots only (yes, I know, that was
> wrong), John the Ripper 1.7 release is out:
> 
>       http://www.openwall.com/john/
> 
> John the Ripper is a fast password cracker, currently available for
> many flavors of Unix (11 are officially supported, not counting
> different architectures), DOS, Win32, BeOS, and OpenVMS (the latter
> with a patch or unofficial builds by Jean-loup Gailly).  Its primary
> purpose is to detect weak Unix passwords.  Besides several crypt(3)
> password hash types most commonly found on various Unix flavors,
> supported out of the box are Kerberos/AFS and Windows NT/2000/XP LM
> hashes, plus many more with contributed patches.
> 
> The changes made since the last development snapshot (1.6.40) 
> are minor,
> however the changes made since 1.6 are substantial:
> 
>       http://www.openwall.com/john/doc/CHANGES.shtml
> 
> John the Ripper became a lot faster, primarily at DES-based hashes.
> This is possible due to the use of better algorithms (bringing more
> inherent parallelism of trying multiple candidate passwords down to
> processor instruction level), better optimized code, and new hardware
> capabilities (such as AltiVec available on PowerPC G4 and G5 
> processors).
> 
> In particular, John the Ripper 1.7 is a lot faster at Windows 
> LM hashes
> than version 1.6 used to be.  John's "raw" performance at LM hashes is
> now similar to or even slightly better than that of commercial Windows
> password crackers such as LC5, -- and that's despite John trying
> candidate passwords in a more sophisticated order based on statistical
> information (resulting in typical passwords getting cracked earlier).
> 
> John 1.7 also improves on the use of MMX on x86 and starts to use
> AltiVec on PowerPC processors when cracking DES-based hashes (that
> is, both Unix crypt(3) and Windows LM hashes).  To my knowledge, John
> 1.7 (or rather, one of the development snapshots leading to this
> release) is the first program to cross the 1 million Unix crypts per
> second boundary on a general-purpose CPU.  John 1.7 achieves up to
> 1.6M c/s raw performance (with no matching salts) on a PowerPC G5 at
> 2.7 GHz (or 1.1M c/s on a 1.8 GHz) and approaches 1M c/s on 
> the fastest
> x86 CPUs currently available.
> 
> Additionally, John 1.7 makes an attempt at generic 
> vectorization support
> for bitslice DES (would anyone try to set DES_BS_VECTOR high 
> and compile
> this on a real vector computer, with compiler vectorizations 
> enabled?),
> will do two MD5 hashes at a time on RISC architectures (with mixed
> instructions, allowing more instructions to be issued each cycle), and
> includes some Blowfish x86 assembly code optimizations for older x86
> processors (Intel PPro through P3 and AMD K6) with no impact on newer
> ones due to runtime CPU type detection.
> 
> Speaking of the actual features, John the Ripper 1.7 adds an event
> logging framework (John will now log how it proceeds through stages of
> each of its cracking modes - word mangling rules being tried, etc.),
> better idle priority emulation with POSIX scheduling calls (once
> enabled, this almost eliminates any impact John has on performance of
> other applications on the system), system-wide installation 
> support for
> use by *BSD ports and Linux distributions, and support for AIX,
> DU/Tru64 C2, and HP-UX tcb files in the "unshadow" utility.
> 
> Finally, there are plenty of added pre-configured make targets with
> optimal settings, including for popular platforms such as 
> Linux/x86-64,
> Linux/PowerPC (including ppc64 and AltiVec), Mac OS X 
> (PowerPC and x86),
> Solaris/sparc64, OpenBSD on almost anything 32-bit and 
> 64-bit, and more.
> 
> On a related note, pam_passwdqc and our tcb suite became mature enough
> for their 1.0 releases.
> 
> pam_passwdqc is a simple password strength checking module 
> for PAM-aware
> password changing programs, such as passwd(1).  In addition 
> to checking
> regular passwords, it offers support for passphrases and can provide
> randomly generated ones.  All features are optional and can be
> (re-)configured without rebuilding.
> 
> pam_passwdqc works on Linux, FreeBSD 5+ (in fact, it's been integrated
> into FreeBSD), Solaris, HP-UX 11+, and reportedly on recent 
> versions of
> IRIX.  Additionally, Damien Miller has developed and contributed a
> plugin password strength checker for OpenBSD based on pam_passwdqc.
> This plugin is now linked from the contributed resources list on the
> pam_passwdqc homepage:
> 
>       http://www.openwall.com/passwdqc/
> 
> The tcb package contains core components of our tcb suite implementing
> the alternative password shadowing scheme on Openwall GNU/*/Linux and
> distributions by ALT Linux team.  This allows core system 
> utilities such
> as passwd(1) to operate with little privilege, eliminating 
> the need for
> SUID to root programs.  The tcb suite has been in production use for
> some years and has proven to work well.  Its homepage is:
> 
>       http://www.openwall.com/tcb/
> 
> The tcb suite has been designed and implemented primarily by 
> Rafal Wojtczuk,
> with significant contributions from me and Dmitry V. Levin.
> 
> Finally, I've developed and placed into the public domain a 
> portable PHP
> password hashing framework.  The intent is to allow PHP application
> developers to use state of the art password hashing without 
> learning the
> arcane details of the PHP crypt() function.  The homepage for this
> framework is:
> 
>       http://www.openwall.com/phpass/
> 
> Enjoy!
> 
> -- 
> Alexander Peslyak <solar at openwall.com>
> GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 
> A290 B35D 3598
> http://www.openwall.com - bringing security into open 
> computing environments
> 



 




Copyright © Lexa Software, 1996-2009.