Date: Wed, 3 Feb 2010 20:11:59 -0700 From: Stephen John Smoogen <smooge@...il.com> To: john-users@...ts.openwall.com Subject: Re: Replacement for all.chr based on "Rock You" Passwords. URL inside. On Wed, Feb 3, 2010 at 4:21 PM, Minga Minga <mingakore@...il.com> wrote: > All, > > As you may know, there was a HUGE list of passwords recently revealed > via a 3rd party web-site attack. This list contained approximately > 32 million passwords. Numerous articles were made on the statistics > of the passwords. All the articles were fine and dandy, but not really > impressive because the "research" done was as simple as 'sort | uniq' > stuff. > > As a password cracking community, we CAN make use of this disclosure > in order to make better dictionaries, but also to improve our brute > forcing technique. > > I dont exactly remember how/when all.chr was created, and I have no > idea the last time it was updated, but I propose we update it > with a .CHR file from the 'RockYou' list mentioned above. I would be a bit apprehensive to use 'just' the RockYou list as the basis of the all.chr set. Yes it is a significant amount of passwords but I would say that someone would need to see how it compares to the older all.chr or a combined all.chr and such versus a sample set of hashes to see 'better' it is. I am guessing that is the research your group will be posting in the future. > Now, I have many opinions about the passwords from the RockYou list. > They are NOT representative of "real" passwords by trained users in > corporate environments. But they ARE representative of idiots on the > Internet. And I guess thats a good enough place to start, as any, for > the default behaviour of JtR. I propose the all.chr update because we > cannot continue to use and propagate a .CHR file that is so outdated > (assuming it is?). > > Since the .chr created from the 'RockYou' list - can NOT be used > to re-create the exact list of passwords, it is not a disclosure of > personal information (up for debate). Therefore, I make the assumption > it is safe for use. Well you can't get the exact list used to create the original all.chr, but you can create enough of the list by using 'john -i --stdout' to hum a few bars. I would expect that it would be the same. > As a note: The wordlist will not be revealed (nor the dictionaries > created from it) by KoreLogic due to it's sensitive nature. If you > have this list, please keep it private for the sake of all users > of this Internet thing everyone is talking about ;) I am pretty sure the list is sadly pretty much common knowledge now.. there are torrents and various sites have copies of it enough that even I found a couple versions today :). > Here is the CHR file, and the README associated with it including > instructions for use, etc. If we don't want to replace all.chr - > instructions are included for using rockyou.chr separately. > > http://www.korelogic.com/tools.html#jtr > > -Minga > KoreLogic > > > ------------ > > Sample output of new .chr file: > > ~/.john$ ./john -i:all -stdout | more > 1233 > 1990 > 1991 > 1920 > 1922 > 1231 > anana > maran > maras > maris > marie > -- Stephen J Smoogen. Ah, but a man's reach should exceed his grasp. Or what's a heaven for? -- Robert Browning
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.