Date: Mon, 7 Dec 2009 21:46:26 -0500
From: "Matt Weir" <cweir@...edu>
To: <john-users@...ts.openwall.com>
Subject: RE: password ranking

Hey Luke,

First, I read your blog http://lukenotricks.blogspot.com/ and I really enjoy it. I'm actually writing my dissertation on password cracking and I've spent a lot of time struggling with the very same problem you posted.

First, as Simon said, his Markov model includes a really nice option to estimate the strength of a password against Markov-based brute-forcing.

Second, the guys at electricalchemy.net did a great write-up on their experiences using Amazon's EC2 service to do cloud password cracking. They were only doing pure brute force (not even letter frequency analysis enhanced), so their overall estimates aren't very accurate (JtR's Incremental and Markov modes blow that out of the water), but still it can give you a nice estimate of how much it would cost to make a certain number of guesses. The three posts on that are:

http://news.electricalchemy.net/2009/10/cracking-passwords-in-cloud.html
http://news.electricalchemy.net/2009/10/password-cracking-in-cloud-part-5.html
http://news.electricalchemy.net/2009/11/cracking-passwords-in-cloud-q.html

I've been writing a couple of blog entries on how the 10k hotmail password set fared against the different brute force methods supported by John the Ripper (aka pure-bruteforce, letter frequency analysis, incremental, and Markov). I'm currently finishing one up on dictionary-based attacks and hopefully will have it up by the end of the week. The six current posts are:

http://reusablesec.blogspot.com/2009/10/10k-hotmail-passwords.html
http://reusablesec.blogspot.com/2009/10/analysis-of-hotmail-passwords-by-other.html
http://reusablesec.blogspot.com/2009/10/analysis-of-10k-hotmail-passwords-part.html
http://reusablesec.blogspot.com/2009/10/analysis-of-10k-hotmail-passwords-part_18.html
http://reusablesec.blogspot.com/2009/10/analysis-of-10k-hotmail-passwords-even.html
http://reusablesec.blogspot.com/2009/11/analysis-of-10k-hotmail-passwords-part.html

I've also been doing some work with a modified version of edit distance to attempt to reverse mangle passwords. Aka, it would take the password P@...ord99, and say that the base word was 'password', and that the user uppercased the first letter, changed the 'a' to an '@', and added the number 99 to the end. Then I can look through different password cracking rule-sets and try to see if they contain that exact rule, and if the word 'password' was in my input dictionary. If so, I can then roughly estimate how many guesses it would take to crack the password. There's a lot of work I still need to do on that though.

Finally, I'm doing some work with probabilistic password cracking, where my professors and I are attempting a new way of modeling how people create passwords using context free grammars. I'm using JtR as the backend cracker, and piping guesses into JtR (using the -stdin option), using our tool in probability order. My current implementation is fairly well weaponized and I have been having a ton of success with it on some of the lists we are working on. A copy of our IEEE S&P paper on an older version of our tool can be found here:

http://docs.google.com/viewer?a=v&pid=sites&srcid=ZGVmYXVsdGRvbWFpbnxyZXVzYWJsZXNlY3xneDo3N2ZhNzBmN2MyZWU4OTY5

I'd love to talk more about this but I don't want to get too far off the topic of John the Ripper on this mailing list. My e-mail is weir@...fsu.edu if you have any questions though.

Matt Weir
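
The reverse-mangling idea in the message above, sketched as a weighted edit distance for password-strength auditing. This is an added example, not Matt Weir's tool or code from the thread; the cost weights, the leet table, the wordlist and the sample passwords are all constructed assumptions.

```python
# Constructed leet table (assumption): mangled character -> base letter.
LEET = {"@": "a", "4": "a", "3": "e", "1": "i", "0": "o", "$": "s", "5": "s", "7": "t"}

def align(word, pw):
    """Weighted edit distance from dictionary word to password.
    Returns (cost, rules); common manglings cost 1, arbitrary edits cost 3."""
    n, m = len(word), len(pw)
    # best[i][j] = cheapest (cost, rules) turning word[:i] into pw[:j]
    best = [[None] * (m + 1) for _ in range(n + 1)]
    best[0][0] = (0, [])
    for i in range(n + 1):
        for j in range(m + 1):
            if best[i][j] is None:
                continue
            cost, rules = best[i][j]
            steps = []  # (next_i, next_j, added_cost, rule or None)
            if i < n and j < m:
                w, p = word[i], pw[j]
                if w == p:
                    steps.append((i + 1, j + 1, 0, None))
                elif w == p.lower():
                    steps.append((i + 1, j + 1, 1, f"uppercase position {i}"))
                elif LEET.get(p) == w:
                    steps.append((i + 1, j + 1, 1, f"replace '{w}' with '{p}'"))
                else:
                    steps.append((i + 1, j + 1, 3, f"substitute '{w}' with '{p}'"))
            if j < m:  # extra character: cheap at either end, costly inside the word
                where = "prepend" if i == 0 else "append" if i == n else "insert"
                steps.append((i, j + 1, 3 if where == "insert" else 1, f"{where} '{pw[j]}'"))
            if i < n:
                steps.append((i + 1, j, 3, f"delete '{word[i]}'"))
            for ni, nj, c, rule in steps:
                cand = (cost + c, rules + ([rule] if rule else []))
                if best[ni][nj] is None or cand[0] < best[ni][nj][0]:
                    best[ni][nj] = cand
    return best[n][m]

def reverse_mangle(pw, wordlist):
    """Return (base_word, rules, cost) for the cheapest-aligning dictionary word."""
    cost, rules, base = min((*align(w, pw), w) for w in wordlist)
    return base, rules, cost

if __name__ == "__main__":
    words = ["password", "dragon", "monkey"]  # constructed sample dictionary
    for sample in ["Dr@gon99", "M0nkey!"]:    # constructed sample passwords
        print(sample, "->", reverse_mangle(sample, words))
```

A low cost means the password is one dictionary word plus a few common rules, which is the case the message proposes to check against a rule-set to estimate guess counts.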