Date: Wed, 3 Feb 2010 17:21:29 -0600 From: Minga Minga <mingakore@...il.com> To: john-users@...ts.openwall.com Subject: Replacement for all.chr based on "Rock You" Passwords. URL inside. All, As you may know, there was a HUGE list of passwords recently revealed via a 3rd party web-site attack. This list contained approximately 32 million passwords. Numerous articles were made on the statistics of the passwords. All the articles were fine and dandy, but not really impressive because the "research" done was as simple as 'sort | uniq' stuff. As a password cracking community, we CAN make use of this disclosure in order to make better dictionaries, but also to improve our brute forcing technique. I dont exactly remember how/when all.chr was created, and I have no idea the last time it was updated, but I propose we update it with a .CHR file from the 'RockYou' list mentioned above. Now, I have many opinions about the passwords from the RockYou list. They are NOT representative of "real" passwords by trained users in corporate environments. But they ARE representative of idiots on the Internet. And I guess thats a good enough place to start, as any, for the default behaviour of JtR. I propose the all.chr update because we cannot continue to use and propagate a .CHR file that is so outdated (assuming it is?). Since the .chr created from the 'RockYou' list - can NOT be used to re-create the exact list of passwords, it is not a disclosure of personal information (up for debate). Therefore, I make the assumption it is safe for use. So what KoreLogic did was, obtained the list, cleaned up the list, obtained a unique list of passwords from the list (14,249,979 in total) and created a .CHR file based on this list. We are now publishing this new .chr file for everyone to use. In the next few months, KoreLogic will be posting a large amount of password-based research on our website. Mostly based around new techniques, new rules, and automation of large jobs to be run across multiple systems. KoreLogic will also be doing multiple presentations about Security Cons this year presenting our tools/rules/research in 2010 as well. As a note: The wordlist will not be revealed (nor the dictionaries created from it) by KoreLogic due to it's sensitive nature. If you have this list, please keep it private for the sake of all users of this Internet thing everyone is talking about ;) Here is the CHR file, and the README associated with it including instructions for use, etc. If we don't want to replace all.chr - instructions are included for using rockyou.chr separately. http://www.korelogic.com/tools.html#jtr -Minga KoreLogic ------------ Sample output of new .chr file: ~/.john$ ./john -i:all -stdout | more 1233 1990 1991 1920 1922 1231 anana maran maras maris marie
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.