Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 24 Aug 2015 09:55:09 -0500
From: JimF <>
Subject: New single mode rules

I have added this new block to the single rules. I put it pretty high in  
list. It seems to catch quite a few for a larger set of users, where a user
wants a signin id, but it is not available. There are a lot of users that
keep that id, but append numbers to get something unique, but then base
their password on the signin id they 'really' wanted to use.  This rule set
is now checked into the bleeding-jumbo git repo.

Example would be something like:

eddie121967  with password eddie123   (fabricated, but I've seen many like  

# this is a good rule on larger sites where a user ID may already be used,
# so a user simply appends numbers to create his loginID, but then uses the
# login name he wanted as basis for password. Just strip off digits and  
# the base-word to some manipulation. These rules found from the Asley
# Madison leak.  Only adds about 30 tests and only to user names that have
# digits contained within them, and cracks quite a few.
/?d @?d
/?d @?d M [lc] Q
/?d M @?d [lc] $[0-9] Q
/?d M @?d [lc] Q Az"12"
/?d M @?d [lc] Q Az"123"
/?d @?d [lc] d

I have not posted this to john-users (yet), because I wanted others to look
things over a bit, just to make sure, or if there is a way to do the same
thing faster or with fewer rules.  I have run unique on full resultant
output, and it does not create any dupes from existing single rules, but
there frequently are a couple of dupes for user id's ending in digits.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.