Solar Designer
> I'm also pondering a new flag (eg. 0x800) for benchmark_length, meaning "benchmark all different costs [that we have test vectors for] separately" (only considering first cost, for a start)....
> sticking a capital letter and a number into their password (usually at the start and end respectively)

FWIW, the usual "at the start and end respectively" would not satisfy...
Regarding Windows password policies, maybe you can get some of your client companies to deploy our `passwdqc`? It can be used to implement a similar policy, but without the obvious...
End of thread on john-users, where I described my experiments last year: https://www.openwall.com/lists/john-users/2021/05/05/3

Edit: and here's the start of a sub-thread showing a ~10% improvement: https://www.openwall.com/lists/john-users/2021/05/02/1
BTW, something we haven't yet tried is generating from our new `password.lst`, which is the overlap of the top of HIBP v8 with RockYou. Maybe you could try that in the same way you...
@rbsec Thanks. You can also try generating from more (many million) of HIBP, or e.g. from https://github.com/rarecoil/hashes.org-list
> Combined = Combination of the above three (no deduplication)
> Interestingly, the combined charset didn't perform that well

Maybe it would perform better for you with deduplication.
These are interesting results, @rbsec! I just realized that our default `--external=policy` includes a check for the length being exactly 8, just as an example. Did you keep that check...
> extending the `policy` to require uppercase letters, lowercase letters and _either_ numbers or symbols (although actually done with grep):

You can try this - the same as your grep?...
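The policy discussed in these comments (uppercase, lowercase, either a digit or a symbol, plus a length rule), as an added Python example that is not code from the thread or from John the Ripper; it also shows how the stock "length exactly 8" check differs from a "minimum 8" check. The candidate words and function names are constructed for illustration.

```python
import string

# Constructed candidate passwords (not taken from the thread or any real list)
CANDIDATES = [
    "Password1", "password1", "PASSWORD1", "Passw0rd", "Pass!word",
    "Abc12345", "Abcdefg!", "Ab1!", "abcdefgh1", "Abcdefghijk2",
]


def meets_policy(word, min_len=8, exact_len=None, need_digit_or_symbol=True):
    """True if word satisfies the thread's policy: at least one uppercase
    letter, one lowercase letter, and (optionally) either a digit or a
    symbol.  Length is a minimum by default; exact_len mimics the
    'length exactly N' check in the stock external policy example."""
    if exact_len is not None:
        if len(word) != exact_len:
            return False
    elif len(word) < min_len:
        return False
    has_upper = any(c.isupper() for c in word)
    has_lower = any(c.islower() for c in word)
    has_digit = any(c.isdigit() for c in word)
    has_symbol = any(c in string.punctuation for c in word)
    if not (has_upper and has_lower):
        return False
    if need_digit_or_symbol and not (has_digit or has_symbol):
        return False
    return True


def filter_policy(words, **rule):
    """Return only the words that pass the policy with the given rule."""
    return [w for w in words if meets_policy(w, **rule)]


if __name__ == "__main__":
    # A minimum-length rule keeps longer compliant words; an exact-length
    # rule silently drops them, which is why the default check matters.
    print("min 8  :", filter_policy(CANDIDATES))
    print("exact 8:", filter_policy(CANDIDATES, exact_len=8))
```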
> increasing that minimum length to 8 might be good for the complex one - I'll give it a go and see if it makes any difference.

I don't recommend...