Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 25 Aug 2010 08:49:16 -0400
From: Rich Rumble <richrumble@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: Statistics - Real World

On Wed, Aug 25, 2010 at 7:16 AM, Simon Marechal <simon@...quise.net> wrote:
> My "real world" passwords were usually REALLY weak. In organisations
> where stronger policies were set, all users tended to share the same
> passwords. Even worse, when a default password was provided and users
> were invited to change it at first login, they usually selected a
> password that looked alike. When there is an expiration policy, they
> just appended numbers. The only hard passwords were for admin passwords,
> with the exception of application passwords (backup/backup for the win).

I agree, lots of my users passwords fall quite fast, but the ones that don't are
something else. I've found the Facebook username list, and names from the
US Census' have helped my dictionary more than thought they would, I'm
going to compile them and provide a link on my website. Simply appending and
prepending digits from 1-4 places (1234password or password1234) also works
a little too well. It's not just popular dates or years but rather all
over the place.
I'd like to see that rule added to JtR's default as well as some of my "1337"
rules :) Even if not added into JtR I think, from my experience outside my day
job, they hold true for other clients environments. And like you said, users
often increment/decrement 1-2 digits or letters in some cases to the pass that
they were originally given or recently given. Granted most of my audits are
against LM/NTLM. But with Vista, 2008 and Win7 not storing them by default
anymore, (thank god) I think JtR might have to step up from the 8 char limit
but that's a design decision for Solar. I've managed to up the limits for digit
only build of JtR but I don't know what I'm doing well enough to do it for ALL
char builds or even Alpha-Num.
-rich

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.