Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 14 Feb 2010 07:58:40 +0300
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: Replacement for all.chr based on "Rock You" Passwords. URL inside.

On Fri, Feb 12, 2010 at 01:47:04AM +0100, Magnum P. I. wrote:
> ... How about making a combined charset (or stats file) from
> both rockyou.com *and* phpbb.com datasets (provided you've got the phpbb
> one, I don't have it and can't find it) and see if it performs better or
> worse in the test cases (particularly the myspace and faithwriters
> tests) than they do separately? I guess at some point a charset file
> will become too "diluted". If Solar has the "source" for the original
> charsets, it would also be interesting to test if including that one too
> in a 'mega charset' would increase or decrease the performance in those
> cases.

The problem with this is that the RockYou list is so large that adding
to it won't make much of a difference - until we possibly have other
similarly large lists.  For example, if we add a 300k list to RockYou's
32M list, the combined list will be 99% RockYou.

Maybe we need to define and implement some sort of weighted averaging.
We can do something like this for common passwords (those appearing on
the lists more than once) by means external to JtR.  However, for the
trigraph, digraph, and character frequencies in passwords appearing only
once, this averaging over multiple input data sets will have to be
integrated into JtR's charset.c.  Well, or maybe it could be applied to
ordered character lists and the "cracking order" array already in .chr
files, combining several .chr files for different data sets into one.
This would take a new program yet to be developed.

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.