Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 24 Aug 2010 21:28:52 -0400
From: Rich Rumble <>
Subject: Statistics - Real World

With the disscussion about "real-world" passwords going on, I thought I'd ask a
question: Is there a script or method anyone knows of that we all might use to
both collaborate and report on our real-world passwords? Is there something I
can run that looks at the pot file, the hash file and perhaps the session log
file(s), and might pull out useful information; like what rules seem to crack
passwords first, and what those passwords are made of, perhaps even their CV
patterns... CVVCDPS (d= digit p= punctuation s= special (like tilde)). Perhaps
we could get stats on password lengths, how many were alpha only, digits only
...etc. I know someone who could write something like that in PHP, but I'm sure
perl or python may be preferred. I'm just an "idea guy" and a script kiddie, so
I know next to nothing on what it would take to do something like that, but I
think if we could all work together and ascertain what real-world passes we see
and what hash types we see them in we might improve JtR that much further!

I know at my day job I see plenty of date passwords, it's when the users were
forced to reset, of the helpdesk reset it for them, then they just incremented
it by one or rearranged it. We dump the users histories and the patterns become
clear when you look at them, you can see what their next password will be 99%

I also noted that our users do the l337 substitutions, but not every
o=0 or every
e=3, and Solars suggested rules for my question definitely helped me find passes
much faster than incremental mode did/would. Even after reading and re-reading
the RULES file, I have a hard time knowing how it's doing what it's doing. I
know I've been hesitant to ask for assistance on the list because I was blindly
 running JtR and it's rules as is and not fully understanding how to take
advantage of it's powerful modes and mangling abilities.

Solar also scared/scares me, your program and it's abilities are awe
inspiring to
say the least, ahead of it's time for sure, and I think my first response or
question to the list I top or bottom posted, then my email margins were over 80
characters, and another person had a "confidentiality" disclaimer... might have
been another list, but somehow I felt awkward/out of place at first.
I don't care about that now, I'm here to stay.

I am going to ask my friend to help write up something in php in the hopes that
it will be useful perhaps to others. Maybe Markov stat files do something like
this already and it could be adapted/expanded, I've not used that mode
yet, but I
am going to sometime soon. Anyway thought I'd share my idea and my initial
apprehension (it was probably mostly in my head and again could of been from
another list altogether) about posting here. Whatever my issue was before has
long since past, and I'm here to contribute to the betterment of JtR.
Long live John.

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.