Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 12 Aug 2010 12:49:22 -0400
From: Brad Tilley <>
Subject: Re: Consonant Vowel Patterns

Charles Weir wrote:
>> I wanted to ask if others had experimented with consonant vowel patterns
>> in password cracking? Perhaps others know this approach by a different
>> name? I believe the proper term is phonology (I may be wrong on that).
>> Here is an example pattern:
> I've played around with that approach. It's actually fairly easy to
> make these rules in JtR. For an example of that check out the
> 'targeted' brute force ruleset I made available here:
> If you don't want to download the whole file, here is one example:
> #four letters followed by two numbers
> $[aeioucrk]$[a-z]$[a-z]$[a-z]$[0-9]$[0-9]
> $[bdfghjlmnpqstvwxyz]$[a-z]$[a-z]$[a-z]$[0-9]$[0-9]
> The reason there are two rules is I just optimized it to try certain
> starting letters first, (I think I was basing it off of a Finnish set,
> but I wrote it a couple of years ago and my memory/notes fail me. I
> mean why did I put 'k' as a common letter?) That aside, it just shows
> that you can easily include additional optimizations.
> The reason why I haven't updated this approach though is that JtR's
> Incremental and Markov modes in general perform much better. That's
> because they use conditional probability of the different letters
> appearing together, (aka 'u' follows 'q' most of the time). In this
> way it mimics your CVCCV approach, but takes it a step further by
> basing each successive C,V,N,S on the previous values.
> I have had some success using a tool like MiddleChild to enhance JtR's
> Markov/Incremental modes by externally adding digits/special
> characters/capitalization.
> In all honesty the performance increase isn't that big, (and depending
> on the dataset/rules you select it can easily do worse), but it does
> help when targeting password creation policies, (You could probably
> achieve much the same results through the use of a custom external
> mode instead). Once again though, I'm using JtR's Incremental/Markov
> modes to produce the base alpha strings.
> I hope this helps.

Yes, thanks Matt, it is helpful. I feel the CV pattern approach has
merit and is somewhere in between pure brute-force and dictionaries. The
sweet spot for it seems to be some 6, 7 and 8 char passwords. After
that, completing the computation for the pattern is not feasible (at
least on a CPU). And when it comes to that point, dictionaries and rules
are better.

Take the word "password" for example. You're much better off putting
password into a dictionary and mangling the heck out of it than to try
all the possible CVCCCVCC patterns (it's just too expensive and

I may drop the idea altogether, but it was fun trying it out. It does
better on "real-word" password lists (15 to 20%) compared to the 10% of
NT hashes it cracked in the contest.


> Matt Weir

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.