Date: Mon, 24 Aug 2015 11:34:50 -0500
From: JimF <>
Subject: Re: New single mode rules

On Mon, 24 Aug 2015 10:27:24 -0500, Frank Dittrich <> wrote:

> On 08/24/2015 04:55 PM, JimF wrote:
>> # this is a good rule on larger sites where a user ID may already be used,
>> # so a user simply appends numbers to create his loginID, but then uses the
>> # login name he wanted as basis for password. Just strip off digits and treat
>> # the base-word to some manipulation. These rules found from the Ashley
>> # Madison leak.  Only adds about 30 tests and only to user names that have
>> # digits contained within them, and cracks quite a few.
>> /?d @?d
> Good rule when users are allowed to pick their own user name, but their
> favorite name has already been used by someone else.
> But I would require a min length that has to remain after removing the
> digits.

Frank, thanks for the suggestions.  How about this ruleset?  Note I also
added : which, if there is mixed case, also uses the exact base in
the mangling.

/?d @?d >4
/?d @?d >4 M [lc] Q
@?D Q >4
/?d M @?d >3 <* [:lc] $[0-9] Q
/?d M @?d >2 <- [:lc] Q Az"12"
/?d M @?d >1 [:lc] Q Az"123" <+
/?d @?d >2 M [:lc] Q d <+
(?a )?d /?d 'p Xpz0
)?a (?d /?a 'p Xpz0

I would like to get updates in, before committing to git again.  Your
suggestions about length were great, as are the 3 new rules.
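
A defensive use of the pattern discussed above, as an added example that is not part of the original post or of John the Ripper: a password-change check that rejects passwords built from the login name with its digits stripped. It approximates the intent of the strip-digits rules (minimum lengths, case variants, appended digit, "12", "123", doubling, digits alone); the function names and sample accounts are hypothetical, and the maximum-length tests and the last two rules are left out.

```python
import re


def username_derived_candidates(username):
    """Passwords derived from a login name by dropping its digits.

    Approximation of the ruleset in the message above (hypothetical helper).
    """
    out = set()
    digits = re.sub(r"[^0-9]", "", username)
    if not digits:                       # /?d : only names containing a digit
        return out
    if len(digits) > 4:                  # @?D Q >4 : the digits on their own
        out.add(digits)
    base = re.sub(r"[0-9]", "", username)            # @?d : purge the digits
    for v in {base, base.lower(), base.capitalize()}:  # : l c
        if len(base) > 4:                # >4 : the bare base word
            out.add(v)
        if len(base) > 3:                # >3 : base plus one digit
            out.update(v + d for d in "0123456789")
        if len(base) > 2:                # >2 : base plus "12", doubled base
            out.add(v + "12")
            out.add(v + v)
        if len(base) > 1:                # >1 : base plus "123"
            out.add(v + "123")
    out.discard(username)                # Q : the unchanged name is not produced
    return out


def is_username_derived(username, password):
    """True if the proposed password should be rejected as name-derived."""
    return password in username_derived_candidates(username)


# Constructed sample accounts: (login name, proposed password)
SAMPLES = [
    ("JimSmith1975", "jimsmith"),
    ("frank42", "Frank123"),
    ("user20150824", "20150824"),
    ("bob7", "bob"),          # base too short for the bare-word rule
    ("alice", "alice"),       # no digits in the name: these rules do not apply
]

if __name__ == "__main__":
    for name, pw in SAMPLES:
        verdict = "reject" if is_username_derived(name, pw) else "pass"
        print(f"{name:14} {pw:10} {verdict}")
```

A password equal to the login name itself is not flagged here, so that case needs its own check.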
