Make it clearer where passwords are in --show output #5074

Open
solardiz opened this issue Feb 15, 2022 · 4 comments

solardiz commented Feb 15, 2022

As seen in #5058, a new user might not figure out where to look for the cracked password in --show output.

One way to address this is to highlight the passwords in color when output is to a tty.

Another way is to suppress extra fields (beyond field 2) in some cases - or maybe by default, unless explicitly requested otherwise (by option parameter? new option? higher verbosity?)

The latter would also address the issue of parsing --show output with passwords that contain a colon (then everything after first colon is the password, just like in john.pot).

We can also implement both of these ideas.

@solardiz

We should also look into how --show works on PWDUMP and other prepare()-using formats, and how we'd like it to work after any change we might make here.


magnumripper commented Apr 1, 2022

> Another way is to suppress extra fields (beyond field 2) in some cases - or maybe by default

I think we should do this, and by default. Currently, --show is unusable for scripts as you can't tell whether : is in the password or a field delimiter.

I'd like color as well. I have plans in my head, and in #3511.

IIRC, pwdump and others will still output password as field 2, so the current output is weird with LM hash replaced by the password and the NT hash is shown after it. So the "drop field 3+" would work for them too.


magnumripper commented Apr 1, 2022

On another note, I think the current output for bare hashes is useless, with ?: prepended to every line. Perhaps in that case the output should be hash:password just like the actual pot entry, but with some limit on the hash length. Either just truncate blindly at, say, 64, or some logic for mid truncation such as deadcafebeefabcd(...)babe:password (but causing an exact hash length of 64, with 8 characters on right side of (...) so 51 characters before it).

BTW that goes for real time crack output as well. We currently get password (?) for all of them.

Also, we could change the : in --show output to a tab, by default, or even change it to show similar to real time output - something like:

secret          (admin)
password        (deadcafebeefdefacedb00bfacadec0ffee ... babedeed)

As I wrote in this example, the ... truncation marker should then probably be surrounded by spaces (or nothing), not parens. I think there should be spaces as opposed to nothing, as some Base64 encodings use dots - we should make sure to not look like a complete hash.


magnumripper commented Apr 1, 2022

I edited the two previous comments extensively while brainstorming. I came to the conclusion we should do exactly this:

  1. Make --show output exactly the same as real-time crack output for correct guesses.
  2. If we don't have a username, use the hash - truncated to e.g. 64 characters as in (51chars ... 8chars) in both cases.
  3. Given this format, colorization will be mostly pointless (except the current optional ones we already have).
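
The label rule from the conclusion above (login when present, otherwise the hash cut to 64 characters as 51 + ` ... ` + 8), as an added example in C; it is not John the Ripper code and was not written by the thread's participants. The helper names, the treatment of `?` as "no login", and the 16-column password padding copied from the sample output are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define LABEL_MAX 64      /* total label width proposed in the thread */
#define HEAD_LEN  51      /* hash characters kept before the marker */
#define TAIL_LEN  8       /* hash characters kept after the marker */
#define MARKER    " ... " /* spaces, so it cannot pass for Base64 dots */

/* Hypothetical helper: copy hash to out, mid-truncating anything longer
 * than LABEL_MAX. Returns the label length, or -1 if out is too small. */
int truncate_hash(const char *hash, char *out, size_t outsz)
{
	size_t len = strlen(hash);
	if (outsz < LABEL_MAX + 1)
		return -1;
	if (len <= LABEL_MAX) {
		memcpy(out, hash, len + 1);
		return (int)len;
	}
	return snprintf(out, outsz, "%.*s%s%s", HEAD_LEN, hash, MARKER,
	                hash + len - TAIL_LEN);
}

/* Hypothetical helper: build "password (label)". The label is the login,
 * or the truncated hash when the login is missing or "?" (assumption). */
int format_show_line(const char *login, const char *hash,
                     const char *password, char *out, size_t outsz)
{
	char label[LABEL_MAX + 1];
	const char *who = login;
	int n;
	if (!login || !*login || strcmp(login, "?") == 0) {
		if (truncate_hash(hash, label, sizeof(label)) < 0)
			return -1;
		who = label;
	}
	/* Password first: a ':' inside it can no longer be read as a delimiter. */
	n = snprintf(out, outsz, "%-15s (%s)", password, who);
	return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

int main(void)
{
	char line[128];
	/* Constructed hash longer than 64 characters, not a real one. */
	const char *h = "deadcafebeefdefacedb00bfacadec0ffee0123456789abcdef0123456789abcdefbabedeed";
	if (format_show_line("?", h, "pass:word", line, sizeof(line)) > 0)
		puts(line);
	return 0;
}
```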
