Date: Thu, 12 Aug 2010 12:49:22 -0400 From: Brad Tilley <brad@...ystems.com> To: john-users@...ts.openwall.com Subject: Re: Consonant Vowel Patterns Charles Weir wrote: >> I wanted to ask if others had experimented with consonant vowel patterns >> in password cracking? Perhaps others know this approach by a different >> name? I believe the proper term is phonology (I may be wrong on that). >> Here is an example pattern: >> >> CVCCVC > > I've played around with that approach. It's actually fairly easy to > make these rules in JtR. For an example of that check out the > 'targeted' brute force ruleset I made available here: > > http://sites.google.com/site/reusablesec/Home/john-the-ripper-files/john-the-ripper-sample-configs-1 > > If you don't want to download the whole file, here is one example: > > #four letters followed by two numbers > $[aeioucrk]$[a-z]$[a-z]$[a-z]$[0-9]$[0-9] > $[bdfghjlmnpqstvwxyz]$[a-z]$[a-z]$[a-z]$[0-9]$[0-9] > > The reason there are two rules is I just optimized it to try certain > starting letters first, (I think I was basing it off of a Finnish set, > but I wrote it a couple of years ago and my memory/notes fail me. I > mean why did I put 'k' as a common letter?) That aside, it just shows > that you can easily include additional optimizations. > > The reason why I haven't updated this approach though is that JtR's > Incremental and Markov modes in general perform much better. That's > because they use conditional probability of the different letters > appearing together, (aka 'u' follows 'q' most of the time). In this > way it mimics your CVCCV approach, but takes it a step further by > basing each successive C,V,N,S on the previous values. > > I have had some success using a tool like MiddleChild to enhance JtR's > Markov/Incremental modes by externally adding digits/special > characters/capitalization. > > http://sites.google.com/site/reusablesec/Home/password-cracking-tools/middle-child > > In all honesty the performance increase isn't that big, (and depending > on the dataset/rules you select it can easily do worse), but it does > help when targeting password creation policies, (You could probably > achieve much the same results through the use of a custom external > mode instead). Once again though, I'm using JtR's Incremental/Markov > modes to produce the base alpha strings. > > I hope this helps. Yes, thanks Matt, it is helpful. I feel the CV pattern approach has merit and is somewhere in between pure brute-force and dictionaries. The sweet spot for it seems to be some 6, 7 and 8 char passwords. After that, completing the computation for the pattern is not feasible (at least on a CPU). And when it comes to that point, dictionaries and rules are better. Take the word "password" for example. You're much better off putting password into a dictionary and mangling the heck out of it than to try all the possible CVCCCVCC patterns (it's just too expensive and unproductive). I may drop the idea altogether, but it was fun trying it out. It does better on "real-word" password lists (15 to 20%) compared to the 10% of NT hashes it cracked in the contest. Brad > Matt Weir > http://reusablesec.blogspot.com
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.