Date: Wed, 25 Aug 2010 08:49:16 -0400
From: Rich Rumble <richrumble@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: Statistics - Real World

On Wed, Aug 25, 2010 at 7:16 AM, Simon Marechal <simon@...quise.net> wrote:
> My "real world" passwords were usually REALLY weak. In organisations
> where stronger policies were set, all users tended to share the same
> passwords. Even worse, when a default password was provided and users
> were invited to change it at first login, they usually selected a
> password that looked alike. When there is an expiration policy, they
> just appended numbers. The only hard passwords were for admin passwords,
> with the exception of application passwords (backup/backup for the win).

I agree, lots of my users' passwords fall quite fast, but the ones that don't are something else. I've found the Facebook username list, and names from the US Census, have helped my dictionary more than I thought they would; I'm going to compile them and provide a link on my website.

Simply appending and prepending digits of 1-4 places (1234password or password1234) also works a little too well. It's not just popular dates or years but rather all over the place. I'd like to see that rule added to JtR's defaults, as well as some of my "1337" rules :) Even if not added into JtR, I think, from my experience outside my day job, they hold true for other clients' environments. And like you said, users often increment/decrement 1-2 digits, or letters in some cases, in the pass that they were originally given or recently given.

Granted, most of my audits are against LM/NTLM. But with Vista, 2008 and Win7 not storing them by default anymore (thank god), I think JtR might have to step up from the 8 char limit, but that's a design decision for Solar. I've managed to up the limits for a digit-only build of JtR, but I don't know what I'm doing well enough to do it for ALL-char builds or even Alpha-Num.

-rich
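The two mangling patterns Rich describes (1-4 digits appended or prepended to a dictionary word, and a user bumping the trailing number or last letter of the password they were given by one or two) are easy to express as a candidate generator. The block below is an added example written for this page, not code from Rich, Simon or the John the Ripper project. It uses SHA-1 as a stand-in hash because Python's hashlib does not reliably expose MD4 (NTLM would be MD4 over the UTF-16LE password); the base wordlist and the target hashes are constructed for the example, not taken from any audit.

```python
import hashlib
import itertools
import string


def digit_variants(word, max_digits=4):
    """Yield the word itself, then the word with every digit string of
    length 1..max_digits appended and prepended (password1234, 1234password).
    That is 2 * (10 + 100 + 1000 + 10000) + 1 = 22221 candidates per word."""
    yield word
    for n in range(1, max_digits + 1):
        for digits in itertools.product(string.digits, repeat=n):
            d = "".join(digits)
            yield word + d
            yield d + word


def shift_variants(word, delta=2):
    """Yield the small edits users make to a password they were handed:
    the trailing run of digits moved up or down by 1..delta with its width
    kept (Welcome09 -> Welcome10, Welcome10 -> Welcome09), and, when the
    password ends in a letter, that letter moved 1..delta places along the
    alphabet (summer -> summes)."""
    i = len(word)
    while i > 0 and word[i - 1].isdigit():
        i -= 1
    head, tail = word[:i], word[i:]
    if tail:
        width, value = len(tail), int(tail)
        for step in range(-delta, delta + 1):
            new = value + step
            if step != 0 and 0 <= new < 10 ** width:
                yield head + str(new).zfill(width)
    last = word[-1:]
    if last.isalpha():
        alphabet = string.ascii_lowercase if last.islower() else string.ascii_uppercase
        pos = alphabet.index(last)
        for step in range(-delta, delta + 1):
            if step != 0 and 0 <= pos + step < len(alphabet):
                yield word[:-1] + alphabet[pos + step]


def candidates(wordlist, max_digits=4, delta=2):
    """Expand a base wordlist the way the thread describes: digit
    append/prepend for each word, then the +/- edits of the word itself."""
    for base in wordlist:
        yield from digit_variants(base, max_digits)
        yield from shift_variants(base, delta)


def sha1_hex(text):
    # Stand-in hash; for NTLM you would hash text.encode("utf-16le") with MD4.
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def crack(target_hex, wordlist, hash_fn=sha1_hex, max_digits=4, delta=2):
    """Return the first candidate whose hash equals target_hex, or None."""
    for cand in candidates(wordlist, max_digits, delta):
        if hash_fn(cand) == target_hex:
            return cand
    return None


if __name__ == "__main__":
    # Constructed targets for the example: a digit-appended dictionary word
    # and a default password the user bumped by one.
    base_words = ["password", "Welcome12"]
    for secret in ("password1234", "0042password", "Welcome13", "Welcome15"):
        print(secret, "->", crack(sha1_hex(secret), base_words))
```

In john.conf rule syntax the digit keyspace is the same idea: `$[0-9]` appends one digit, `$[0-9]$[0-9]` two, and `^[0-9]` prefixes one, so four rules each for append and prepend cover the 1-4 place range; the shift rules have no single-line equivalent and are what a site-specific wordlist built from the known default passwords is for.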