Date: Fri, 3 Aug 2012 12:40:17 -0600
From: Stephen John Smoogen <smooge@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: any plans to support superlong passwords?

On 3 August 2012 12:23, Frank Dittrich <frank_dittrich@...mail.com> wrote:
> On 08/03/2012 08:07 PM, Aleksey Cherepanov wrote:
>> Team Hashcat said: "... recent breaches. Statistically the average
>> password length is eight (8) characters."
>> (https://contest-2012.korelogic.com/team_hashcat.html )
>
> That is the average length of hashes they cracked.
> Did they mention what percentage of hashes they cracked?
> Maybe the longer passwords remained uncracked.
> So this could also be some kind of "self-fulfilling prophecy".
> Because most passwords had length 8 in the past, the focus on passwords
> of length 8, and (surprise!) they find passwords of length 8.
>
> Frank

OK from looking at what I have from the linkedin.pot
Overall (with 4106655 out of 6143150 cracked in my tests)

1378901 8
723286 9
585288 7
569405 6
452748 10
202813 11
105334 12
45508 13
23400 14
10729 15
8055 16
[all entries below that are greater than 16 characters]

There are 2 million left, but I have exhausted less than 1% of the 8
character lengths and only 80% of 7 characters (my systems are very
slow that are doing this).

Looking at what has been published about the eHarmony etc., it matches
those general estimates in length.

Concentrating on the part of the linkedin parts that were not previously
hacked (e.g. not the first 6 digits 0'd out) I had been able to find
1004733 out of 2621970

354342 8
246332 9
158609 10
79884 11
58520 7
44160 12
22182 13
15334 6
12519 14
6435 15
5550 16

which basically points to an average of 8-9 characters (again, 1.1 million
could all be greater than 16 characters and I don't know it yet...
give me 2 years and I can give a better estimate).

Looking though at the plain text ones (e.g. rockyou and the various
other plaintext ones..) 8 is the average size of passwords there.
Usually in the form of the same ones we have been finding for the last
20 years.

--
Stephen J Smoogen.
"Don't derail a useful feature for the 99% because you're not in it."
Linus Torvalds
"Years ago my mother used to say to me,... Elwood, you must be oh
so smart or oh so pleasant. Well, for years I was smart. I
recommend pleasant. You may quote me." —James Stewart as Elwood P. Dowd
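
The tallies in the message above can be reproduced from a .pot file with a short script. The following is an added example, not code from the post or from John the Ripper; it also reports each length as a share of all hashes, since the quoted reply points out that only the cracked ones are being measured. The function names, the `skip_prefix` parameter and the sample lines are assumptions made for illustration.

```python
from collections import Counter

def parse_pot_line(line):
    """Return (digest, plaintext) from a 'hash:plaintext' line, or None if malformed."""
    line = line.rstrip("\r\n")
    if ":" not in line:
        return None
    # Assumption: the hash field contains no ':' (true for raw SHA-1), so split
    # on the first colon only; the plaintext itself may contain colons.
    hash_field, plain = line.split(":", 1)
    # Drop a leading "$tag$" format prefix if the cracker wrote one.
    return hash_field.rsplit("$", 1)[-1], plain

def length_stats(pot_lines, total_hashes, skip_prefix=None):
    """Plaintext length histogram, as a share of cracked and of all hashes."""
    counts = Counter()
    for line in pot_lines:
        parsed = parse_pot_line(line)
        if parsed is None:
            continue
        digest, plain = parsed
        if skip_prefix and digest.startswith(skip_prefix):
            continue  # leave out zeroed-prefix hashes, as in the second table
        counts[len(plain)] += 1
    cracked = sum(counts.values())
    mean = sum(l * n for l, n in counts.items()) / cracked if cracked else 0.0
    # Most frequent length first, ties broken by shorter length.
    rows = [(n, l, n / cracked, n / total_hashes)
            for l, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]
    return {"cracked": cracked, "coverage": cracked / total_hashes,
            "mean_cracked_len": mean, "rows": rows}

# Constructed sample: made-up digests and plaintexts, not taken from any dump.
SAMPLE_POT = [
    "000000" + "a" * 34 + ":abcdefgh",
    "1" * 40 + ":abcdefgh",
    "2" * 40 + ":abc:defg",
    "$dynamic_26$" + "3" * 40 + ":abcdefghi",
    "000000" + "b" * 34 + ":abcdefg",
    "no-colon-line",
    "4" * 40 + ":abcdefghij",
]

if __name__ == "__main__":
    stats = length_stats(SAMPLE_POT, total_hashes=10)
    print(f"cracked {stats['cracked']} ({stats['coverage']:.0%} of all hashes)")
    for n, l, of_cracked, of_total in stats["rows"]:
        print(f"{n:>8} {l:<3} {of_cracked:6.1%} of cracked, {of_total:6.1%} of all")
    print(f"mean length of cracked only: {stats['mean_cracked_len']:.2f}")
```
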