Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 10 Dec 2011 19:03:52 -0600
From: Wesley Tansey <>
To: Per Thorsheim <>
Subject: Re: Password datasets with creation rules?

Thanks. Those caveats make total sense.

I'm familiar with Matt's work. I saw his paper in CCS'10 but all of the
password datasets they analyzed are again with no significantly different
rules enforced.


On Sat, Dec 10, 2011 at 5:53 PM, Per Thorsheim <> wrote:

> > >In short: even if you do find any leaks of passwords that are
> > >clearly from environments with creation policies in place
> > >(length/complexity), you won't become much wiser without lots of
> > >additional info.
> >
> >
> > Would you mind expanding on that? I'm not quite as interested in
> > gaining summary statistics as I am in comparing the performance of a
> > model on it. I've done a pretty exhaustive search at this point
> > though, so I've kind of lost hope that I'll find one.
> >
> Well, I could ask questions like:
> - how old are the passwords?
> - Do they originate from humans, service accounts or bots?
> - have the written/implemented password policy changed, while accounts
> haven't had their passwords updated to comply with the new policy?
> - When were the accounts created, last used etc?
> Of course when your primary objective is to do performance analysis
> against such data using different models (reminds of the the works of
> Matt Weir at, the above questions may not be
> that important.
> >
> > Interesting presentation. Do you have a bibtex reference for it?
> >
> Me? bibtex? No, sorry, nothing like that available. I do my stuff out of
> personal interest, not from any official & academical position.
> Best regards,
> Per

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.