
Service is unable to load huge Password File

Open ForumSchlampe opened this issue 6 years ago • 7 comments

System: Windows Server 2012 R2, most recent patch level

Reproduce:
1. Install OpenPasswordFilter + Service as described
2. Use weakpass 2.0 ( https://weakpass.com/wordlist/1859 ) as the password list
3. Start the Service

Problem: A huge amount of event entries with id 101. First logged error text: "Died trying to ingest line number 25643819". At this point the service was at about 900MB. It counted up very slowly, but the error was persistent for each new line.

The password in the above line is nothing special: KDUAS

ForumSchlampe, Nov 12 '18 07:11

That's a 28GB wordlist. Even if you can get that loaded, I would not expect it to be fast.

If you really want to (and you actually have domain controllers with that much RAM), you need to start worrying about https://www.codeproject.com/Articles/483475/Memory-Limits-in-a-NET-Process

Now that we're querying the haveibeenpwned API, there's probably not much value in using such a huge and exhaustive wordlist anyway.

brockrob, Nov 12 '18 09:11

I know, similar to the one haveibeenpwned list without API

Do we really touch those limits with the service? Don't we run the service in "User-mode virtual address space for each 64-bit process", which is pretty huge on x64 systems?

While our Domain Controllers cannot reach the Internet, we depend on locally available wordlists. Amount of memory won't be a problem; we try to avoid using a SQL database on a 3rd system, so anything for a working solution runs on the domain controllers.

ForumSchlampe, Nov 12 '18 10:11

The password match list goes into a hashset, and that has limitations: https://blog.mischel.com/2008/04/09/hashset-limitations/

You can probably make some significant headway by pruning your wordlist. There's no point in having entries that are shorter than your domain's minimum password length setting, and match checking is case insensitive so you can lowercase and deduplicate the entire list too.

brockrob, Nov 12 '18 10:11
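The pruning suggested in the comment above, as an added example that is not OpenPasswordFilter's own code: one streaming pass that drops entries shorter than the domain's minimum password length, lowercases them (the service matches case-insensitively) and deduplicates, keeping only survivors in memory. The sample wordlist and the minimum length of 8 are constructed for the demonstration.

```python
# Added example, not OpenPasswordFilter's own code; sample data below is constructed.
from typing import Dict, Iterable, Iterator, List, Tuple

# Constructed sample: mixed case, duplicates, a CRLF line, and entries below the minimum.
SAMPLE_WORDLIST = (
    "Password1\npassword1\r\nPASSWORD1\nkduas\n"
    "Summer2018!\nsummer2018!\nletmein\nCorrect Horse Battery\n"
)


def prune_lines(lines: Iterable[str], min_length: int, stats: Dict[str, int]) -> Iterator[str]:
    """Yield surviving entries; only the set of survivors is held in memory."""
    seen = set()
    for raw in lines:
        stats["read"] += 1
        word = raw.rstrip("\r\n")        # passwords may contain spaces, so strip only the EOL
        if len(word) < min_length:       # checked as written: can never satisfy the domain policy
            stats["too_short"] += 1
            continue
        word = word.lower()              # the filter compares case-insensitively anyway
        if word in seen:
            stats["duplicate"] += 1
            continue
        seen.add(word)
        stats["kept"] += 1
        yield word


def prune_wordlist(lines: Iterable[str], min_length: int) -> Tuple[List[str], Dict[str, int]]:
    """Convenience wrapper for small inputs: return (entries, counters)."""
    stats = {"read": 0, "too_short": 0, "duplicate": 0, "kept": 0}
    return list(prune_lines(lines, min_length, stats)), stats


def prune_file(src: str, dst: str, min_length: int) -> Dict[str, int]:
    """Stream src into dst one line at a time; surrogateescape keeps the non-UTF-8
    bytes common in real wordlists round-trippable instead of aborting the run."""
    stats = {"read": 0, "too_short": 0, "duplicate": 0, "kept": 0}
    with open(src, encoding="utf-8", errors="surrogateescape") as fin, \
         open(dst, "w", encoding="utf-8", errors="surrogateescape") as fout:
        for word in prune_lines(fin, min_length, stats):
            fout.write(word + "\n")
    return stats


if __name__ == "__main__":
    print(prune_wordlist(SAMPLE_WORDLIST.splitlines(keepends=True), 8))
```

For a list of the size discussed in this thread the `seen` set itself grows large; running the pass per shard (for example, one shard per leading character) keeps it bounded, since duplicates can only occur within a shard.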

Already trying what is left after pruning the wordlist... but it takes time.

While I am not very familiar with programming: if we hash the list in advance, does this limit still apply?

ForumSchlampe, Nov 12 '18 10:11

Did a fork with a colleague to fix this (mainly it is now a 64-bit only project), so the limits will not apply; big files are no problem.

Pruning the wordlist resulted in a 16GB file; loading this was a mess (takes up to ~90 min and consumes 100GB RAM), but while running it is fast, very fast!

ForumSchlampe, Nov 16 '18 07:11

That's a lot of RAM for a DC!

I'd take a look at the dll if it's taking 90 minutes for the service to come up. It's configured to fail open, meaning allow any password changes if the service is unreachable.

brockrob, Nov 16 '18 09:11

So we've done some improvements in our fork to handle this: if the service doesn't respond, the response is negative/false.

It is now possible to load very huge password files (if there's enough memory), optionally use an MSSQL/MySQL database (not entirely sure if the MySQL implementation is the best, but it works), and the haveibeenpwned API is now configurable.

ForumSchlampe, Jan 12 '19 12:01