Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 11 Feb 2010 06:40:49 -0500
From: "Matt Weir" <>
To: <>
Subject: RE: Re: Replacement for all.chr based on "Rock You" Passwords. URL 	inside.

Hey Minga, thanks for providing a .chr file based on the RockYou dataset. As
Solar requested I ran some tests against various password lists using your
.chr file, the default JtR All .chr file, along with a custom .chr file I
created based on the dataset. The short version is that the
RockYou set performed the best when cracking other website password lists.
You can find the full results + graphs + a lot of off topic rambling here:

As of right now I don't have a good data-set containing computer log-ins,
(vs website log-ins). Because of that I really want to stress that while
these tests imply that Minga's Rockyou .chr file might perform better when
attacking web based passwords, John the Ripper's default .chr files were
trained on computer passwords. If you are attacking a
LANMAN/NTLM/Crypt(3)/CISCO/etc hash you probably still want to use John's
included .chr files. In fact you defiantly want to use the included .chr
files against LANMAN hashes due to how the hash works, (Only Uppercase, 7
characters max). This also brings up the point that without additional
filters, using other attack types, (such as 'Alnum'), that are provided with
JtR might work better over shorting cracking sessions than using Minga's
RockYou .chr file that includes uppercase, special characters, etc.

Matt Weir

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.