Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 3 Feb 2010 20:11:59 -0700
From: Stephen John Smoogen <>
Subject: Re: Replacement for all.chr based on "Rock You" 
	Passwords. URL inside.

On Wed, Feb 3, 2010 at 4:21 PM, Minga Minga <> wrote:
> All,
> As you may know, there was a HUGE list of passwords recently revealed
> via a 3rd party web-site attack. This list contained approximately
> 32 million passwords. Numerous articles were made on the statistics
> of the passwords.  All the articles were fine and dandy, but not really
> impressive because the "research" done was as simple as 'sort | uniq'
> stuff.
> As a password cracking community, we CAN make use of this disclosure
> in order to make better dictionaries, but also to improve our brute
> forcing technique.
> I dont exactly remember how/when all.chr was created, and I have no
> idea the last time it was updated, but I propose we update it
> with a .CHR file from the 'RockYou' list mentioned above.

I would be a bit apprehensive to use 'just' the RockYou list as the
basis of the all.chr set. Yes it is a significant amount of passwords
but I would say that someone would need to see how it compares to the
older all.chr or a combined all.chr and such versus a sample set of
hashes to see 'better' it is. I am guessing that is the research your
group will be posting in the future.

> Now, I have many opinions about the passwords from the RockYou list.
> They are NOT representative of "real" passwords by trained users in
> corporate environments. But they ARE representative of idiots on the
> Internet. And I guess thats a good enough place to start, as any, for
> the default behaviour of JtR. I propose the all.chr update because we
> cannot continue to use and propagate a .CHR file that is so outdated
> (assuming it is?).
> Since the .chr created from the 'RockYou' list - can NOT be used
> to re-create the exact list of passwords, it is not a disclosure of
> personal information (up for debate). Therefore, I make the assumption
> it is safe for use.

Well you can't get the exact list used to create the original all.chr,
but you can create enough of the list by using  'john -i --stdout' to
hum a few bars. I would expect that it would be the same.

> As a note: The wordlist will not be revealed (nor the dictionaries
> created from it) by KoreLogic due to it's sensitive nature. If you
> have this list, please keep it private for the sake of all users
> of this Internet thing everyone is talking about ;)

I am pretty sure the list is sadly pretty much common knowledge now..
there are torrents and various sites have copies of it enough that
even I found a couple versions today :).

> Here is the CHR file, and the README associated with it including
> instructions for use, etc. If we don't want to replace all.chr -
> instructions are included for using rockyou.chr separately.
> -Minga
> KoreLogic
> ------------
> Sample output of new .chr file:
> ~/.john$ ./john -i:all -stdout | more
> 1233
> 1990
> 1991
> 1920
> 1922
> 1231
> anana
> maran
> maras
> maris
> marie

Stephen J Smoogen.

Ah, but a man's reach should exceed his grasp. Or what's a heaven for?
-- Robert Browning

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.