Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 3 Feb 2010 17:21:29 -0600
From: Minga Minga <>
Subject: Replacement for all.chr based on "Rock You" Passwords. URL inside.


As you may know, there was a HUGE list of passwords recently revealed
via a 3rd party web-site attack. This list contained approximately
32 million passwords. Numerous articles were made on the statistics
of the passwords.  All the articles were fine and dandy, but not really
impressive because the "research" done was as simple as 'sort | uniq'

As a password cracking community, we CAN make use of this disclosure
in order to make better dictionaries, but also to improve our brute
forcing technique.

I dont exactly remember how/when all.chr was created, and I have no
idea the last time it was updated, but I propose we update it
with a .CHR file from the 'RockYou' list mentioned above.

Now, I have many opinions about the passwords from the RockYou list.
They are NOT representative of "real" passwords by trained users in
corporate environments. But they ARE representative of idiots on the
Internet. And I guess thats a good enough place to start, as any, for
the default behaviour of JtR. I propose the all.chr update because we
cannot continue to use and propagate a .CHR file that is so outdated
(assuming it is?).

Since the .chr created from the 'RockYou' list - can NOT be used
to re-create the exact list of passwords, it is not a disclosure of
personal information (up for debate). Therefore, I make the assumption
it is safe for use.

So what KoreLogic did was, obtained the list, cleaned up the list,
obtained a unique list of passwords from the list (14,249,979 in total)
and created a .CHR file based on this list. We are now publishing this
new .chr file for everyone to use.

In the next few months, KoreLogic will be posting a large amount of
password-based research on our website. Mostly based around new
techniques, new rules, and automation of large jobs to be run across
multiple systems. KoreLogic will also be doing multiple presentations
about Security Cons this year presenting our tools/rules/research
in 2010 as well.

As a note: The wordlist will not be revealed (nor the dictionaries
created from it) by KoreLogic due to it's sensitive nature. If you
have this list, please keep it private for the sake of all users
of this Internet thing everyone is talking about ;)

Here is the CHR file, and the README associated with it including
instructions for use, etc. If we don't want to replace all.chr -
instructions are included for using rockyou.chr separately.



Sample output of new .chr file:

~/.john$ ./john -i:all -stdout | more

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.