Date: Sat, 10 Dec 2011 23:33:00 +0100
From: Per Thorsheim <per@...rsheim.net>
To: john-users@...ts.openwall.com, tansey@...utexas.edu
Subject: Re: Password datasets with creation rules?

On Fri, 2011-12-09 at 18:21 -0600, Wesley Tansey wrote:
> Does anyone happen to know of any decent-sized, real-world leaked/attacked
> password datasets that are in the wild and employed password creation rules
> such as "must contain a number" or "minimum 8 characters"? Plaintext,
> hashed, or hashed/salted are all fine as long as I can make a guess against
> each entry and query for its existence in the database. I'm looking for
> full database releases, not just the cracked ones.
> All of the datasets I've found that have decent sample sizes (rockyou,
> gawker, phpbb, battlefield heroes beta) seem to have no creation rules
> enforced.
>
> Wesley

I'm tempted to say "It's not that easy". Well, it's not that easy.

Some of the leaks available may have had creation rules, either on "paper" or even technically implemented. However, they may have changed over time, strengthened or weakened... who knows?

At least to me, from pentesting corporate environments, it is very common to find written policies that are not technically implemented. Do the password cracking, and you'll find passwords that are not in compliance with either of the two. This could be due to lazy sysadmins, old & unused accounts, frequent changes in password policies etc.

In short: even if you do find any leaks of passwords that are clearly from environments with creation policies in place (length/complexity), you won't become much wiser without lots of additional info.

My presentation at Passwords^11 has some statistics based on environments where I've had almost complete control of the corporate environments.
You can find it here: http://ftp.ii.uib.no/pub/passwords11/presentations/ (PDF, 1.1Mb)

"The Exception" is the only environment I've ever seen where the average passwords were "much" longer than the minimum required (length 3, no complexity), see page 8. In environments where minimum length is 7+, you'll typically see 50% of all accounts having passwords at the minimum length.

Pages 13 & 15, based on another data set, also show some very common patterns from corporate environments in areas of per-position entropy (total number of characters used in each position), and the most common password formats found in environments with Windows default complexity parameters (3 out of 4 character
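The kind of audit the post describes (check cracked plaintexts against the stated policy, count accounts sitting at the minimum length, count distinct characters per position, tabulate the most common character-class "formats") is easy to script once you have the cracked list. The following is an added example, not code from the post or from the Passwords^11 presentation. The password sample is constructed, the function names are my own, and the complexity rule encoded is the "3 out of 4 character classes plus a minimum length" reading of Windows default complexity that the post refers to; any real deployment would feed it the output of its own cracking run.

```python
"""Audit a list of cracked plaintext passwords against a creation policy.

Added example (not from the mailing-list post). Reports the figures the
post talks about: policy compliance, share of passwords at exactly the
minimum length, distinct characters per position, and the most common
character-class masks ("formats").
"""
from collections import Counter
from typing import Iterable

# Constructed sample; a real run would read plaintexts from the cracker's
# output (e.g. the password column of `john --show`).
SAMPLE = [
    "Summer2011", "Password1", "Welcome1", "company", "qwerty",
    "Autumn11", "P@ssw0rd", "1234567", "Monday01", "letmein",
    "Winter11!", "abc", "Welcome2", "Summer11",
]


def char_class(c: str) -> str:
    """Map one character to a mask symbol: u=upper, l=lower, d=digit, s=other."""
    if c.isupper():
        return "u"
    if c.islower():
        return "l"
    if c.isdigit():
        return "d"
    return "s"


def mask(pw: str) -> str:
    """Character-class mask of a password, e.g. 'Summer11' -> 'ullllldd'."""
    return "".join(char_class(c) for c in pw)


def meets_windows_complexity(pw: str, min_len: int = 7) -> bool:
    """Assumed policy: at least min_len characters and at least three of the
    four classes (upper, lower, digit, other). This is the '3 out of 4'
    rule as the post describes Windows default complexity."""
    return len(pw) >= min_len and len(set(mask(pw))) >= 3


def audit(passwords: Iterable[str], min_len: int = 7) -> dict:
    """Summarise a cracked list against the policy.

    per_position_charset[i] is the number of distinct characters seen at
    position i across all passwords long enough to have that position,
    which is the 'per-position entropy' measure the post refers to.
    """
    pws = list(passwords)
    n = len(pws)
    non_compliant = [p for p in pws if not meets_windows_complexity(p, min_len)]
    at_min = sum(1 for p in pws if len(p) == min_len)
    longest = max(len(p) for p in pws)
    per_position = [len({p[i] for p in pws if len(p) > i}) for i in range(longest)]
    top_formats = Counter(mask(p) for p in pws).most_common(3)
    return {
        "count": n,
        "compliant_fraction": (n - len(non_compliant)) / n,
        "at_min_length_fraction": at_min / n,
        "non_compliant": non_compliant,
        "per_position_charset": per_position,
        "top_formats": top_formats,
    }


if __name__ == "__main__":
    report = audit(SAMPLE, min_len=7)
    print(f"{report['count']} passwords, "
          f"{report['compliant_fraction']:.0%} meet the policy, "
          f"{report['at_min_length_fraction']:.0%} sit at the minimum length")
    print("non-compliant:", report["non_compliant"])
    print("distinct chars per position:", report["per_position_charset"])
    print("top formats:", report["top_formats"])
```

Run against a real cracked list, the non-compliant entries are the direct evidence the post mentions of a written policy not being technically enforced (or of accounts predating a policy change); the per-position counts and the format table show how much of the remaining keyspace a wordlist with the right masks actually needs to cover.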