Date: Tue, 24 Aug 2010 21:28:52 -0400
From: Rich Rumble <richrumble@...il.com>
To: john-users@...ts.openwall.com
Subject: Statistics - Real World

With the discussion about "real-world" passwords going on, I thought I'd ask a question: Is there a script or method anyone knows of that we all might use to both collaborate and report on our real-world passwords? Is there something I can run that looks at the pot file, the hash file and perhaps the session log file(s), and might pull out useful information; like what rules seem to crack passwords first, and what those passwords are made of, perhaps even their CV patterns... CVVCDPS (d= digit p= punctuation s= special (like tilde)). Perhaps we could get stats on password lengths, how many were alpha only, digits only ...etc. I know someone who could write something like that in PHP, but I'm sure perl or python may be preferred. I'm just an "idea guy" and a script kiddie, so I know next to nothing on what it would take to do something like that, but I think if we could all work together and ascertain what real-world passes we see and what hash types we see them in we might improve JtR that much further!

I know at my day job I see plenty of date passwords, it's when the users were forced to reset, or the helpdesk reset it for them, then they just incremented it by one or rearranged it. We dump the users' histories and the patterns become clear when you look at them, you can see what their next password will be 99% certain! I also noted that our users do the l337 substitutions, but not every o=0 or every e=3, and Solar's suggested rules for my question definitely helped me find passes much faster than incremental mode did/would. Even after reading and re-reading the RULES file, I have a hard time knowing how it's doing what it's doing.

I know I've been hesitant to ask for assistance on the list because I was blindly running JtR and its rules as is and not fully understanding how to take advantage of its powerful modes and mangling abilities. Solar also scared/scares me, your program and its abilities are awe inspiring to say the least, ahead of its time for sure, and I think my first response or question to the list I top or bottom posted, then my email margins were over 80 characters, and another person had a "confidentiality" disclaimer... might have been another list, but somehow I felt awkward/out of place at first. Nonetheless I don't care about that now, I'm here to stay. I am going to ask my friend to help write up something in php in the hopes that it will be useful perhaps to others. Maybe Markov stat files do something like this already and it could be adapted/expanded, I've not used that mode yet, but I am going to sometime soon. Anyway thought I'd share my idea and my initial apprehension (it was probably mostly in my head and again could have been from another list altogether) about posting here. Whatever my issue was before has long since passed, and I'm here to contribute to the betterment of JtR. Long live John.

-rich
Xinn.org
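An added example of the pot-file statistics the message asks for (not code from the post or from JtR): it parses john.pot plaintexts and reports length histogram, alpha/digit/alnum/mixed composition, and the CVVCDPS-style patterns. Which characters count as "punctuation" versus "special" is an assumption, as is the pot format detail that the hash ends at the first colon.

```python
from collections import Counter

VOWELS = set("aeiouAEIOU")
# Punctuation vs. special is not defined in the post; this split is an assumption.
PUNCT = set(".,;:!?'\"-_()[]{}")

def cv_class(ch):
    """One character -> C consonant, V vowel, D digit, P punctuation, S special."""
    if ch.isdigit():
        return "D"
    if ch.isalpha():
        return "V" if ch in VOWELS else "C"
    return "P" if ch in PUNCT else "S"

def cv_pattern(password):
    return "".join(cv_class(c) for c in password)

def composition(password):
    """Coarse class: alpha, digit, alnum (letters+digits) or mixed (anything else)."""
    if not password:
        return "empty"  # JtR can crack empty passwords; keep them out of 'mixed'
    if password.isalpha():
        return "alpha"
    if password.isdigit():
        return "digit"
    return "alnum" if password.isalnum() else "mixed"

def parse_pot(text):
    """Plaintexts from john.pot lines; the hash is everything before the first ':' (assumption), so a plaintext may itself contain colons."""
    for line in text.splitlines():
        if ":" in line:  # skips blank or malformed lines
            yield line.split(":", 1)[1]

def pot_stats(text):
    """Length histogram, composition classes and CV patterns over a pot file."""
    plains = list(parse_pot(text))
    return {
        "count": len(plains),
        "lengths": Counter(len(p) for p in plains),
        "composition": Counter(composition(p) for p in plains),
        "patterns": Counter(cv_pattern(p) for p in plains),
    }

# Constructed sample pot file: the hash fields are placeholders, not real hashes.
SAMPLE_POT = """hash01:Password1
$NT$hash02:summer10
hash03:123456
hash04:P@ssw0rd!
hash05:re:boot
hash06:qwerty
"""
```

`pot_stats(open("john.pot").read())["patterns"].most_common(10)` gives the most frequent CV patterns, which is the kind of summary the post describes sharing.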