Date: Sat, 10 Dec 2011 23:33:00 +0100
From: Per Thorsheim <per@...rsheim.net>
To: john-users@...ts.openwall.com, tansey@...utexas.edu
Subject: Re: Password datasets with creation rules?

On Fri, 2011-12-09 at 18:21 -0600, Wesley Tansey wrote:
> Does anyone happen to know of any decent-sized, real-world leaked/attacked
> password datasets that are in the wild and employed password creation rules
> such as "must contain a number" or "minimum 8 characters"? Plaintext,
> hashed, or hashed/salted are all fine as long as I can make a guess against
> each entry and query for its existence in the database. I'm looking for
> full database releases, not just the cracked ones.

> All of the datasets I've found that have decent sample sizes (rockyou,
> gawker, phpbb, battlefield heroes beta) seem to have no creation rules
> enforced.
> 
> Wesley

I'm tempted to say "It's not that easy". Well, it's not that easy.

Some of the leaks available may have had creation rules, either on
"paper" or even technically implemented. However they may have changed
over time, strengthened or weakened... who knows?

At least to me, from pentesting corporate environments, it is very
common to find written policies that are not technically implemented. Do
the password cracking, and you'll find passwords that are not in
compliance with either of the two. This could be due to lazy sysadmins, old
& unused accounts, frequent changes in password policies etc.

In short: even if you do find any leaks of passwords that are clearly
from environments with creation policies in place (length/complexity),
you won't become much wiser without lots of additional info.

My presentation at Passwords^11 has some statistics based on
environments where I've had almost complete control of the corporate
environments. You can find it here:
http://ftp.ii.uib.no/pub/passwords11/presentations/ (PDF, 1.1Mb)

"The Exception" is the only environment I've ever seen where the average
passwords were "much" longer than the minimum required (length 3, no
complexity), see page 8. In environments where minimum length is 7+,
you'll typically see 50% of all accounts having passwords at the minimum
length.

Pages 13 & 15, based on another data set, also show some very common
patterns from corporate environments in areas of per-position entropy
(total number of characters used in each position, and the most common
password formats found in environments with Windows default complexity
parameters (3 out of 4 character
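The tallies Per refers to (share of accounts sitting at the minimum length, how many recovered passwords actually satisfy the written policy or the Windows "3 of 4 character classes" rule, the number of distinct characters used per position, and the most common password formats) can be computed from a cracked list with a short script. The following is an added example, not code from this thread, from Per's presentation or from John the Ripper; the sample passwords are constructed, and the policy minimum length of 8 is an assumption (Windows' rule that the password must not contain the user name is not modelled).

```python
"""Audit statistics over a list of already-recovered passwords (example
code, not part of the mailing-list thread). Reports the numbers a
password-policy audit usually wants: how many passwords sit exactly at
the minimum length, how many meet a length-only policy versus a
Windows-style '3 of 4 classes' complexity policy, the most common
character-class formats, and the number of distinct characters per
position."""
from collections import Counter
import string

# Constructed sample of recovered passwords; not real data.
SAMPLE_PASSWORDS = [
    "Summer11", "Passw0rd", "letmein", "Welcome1", "company2011",
    "Qwerty12", "abc12345", "Monday01", "P@ssw0rd", "summer11",
]

# Assumed policy minimum length (the thread mentions 7+ as typical).
ASSUMED_MIN_LEN = 8

CLASSES = {
    "u": string.ascii_uppercase,
    "l": string.ascii_lowercase,
    "d": string.digits,
}


def char_class(ch):
    """Map one character to u/l/d; anything else (symbol, space) is 's'."""
    for name, chars in CLASSES.items():
        if ch in chars:
            return name
    return "s"


def classes_used(pw):
    return {char_class(c) for c in pw}


def meets_length_only(pw, min_len=ASSUMED_MIN_LEN):
    """A written policy that only states a minimum length."""
    return len(pw) >= min_len


def meets_windows_complexity(pw, min_len=ASSUMED_MIN_LEN):
    """Windows default complexity as described in the thread: minimum
    length plus at least 3 of the 4 character classes. The 'must not
    contain the user name' part of the real rule is not modelled."""
    return len(pw) >= min_len and len(classes_used(pw)) >= 3


def fraction_at_minimum(passwords, min_len=ASSUMED_MIN_LEN):
    """Share of passwords whose length is exactly the policy minimum."""
    if not passwords:
        return 0.0
    return sum(1 for p in passwords if len(p) == min_len) / len(passwords)


def compliance_report(passwords, min_len=ASSUMED_MIN_LEN):
    """Count how many recovered passwords satisfy each kind of policy."""
    return {
        "total": len(passwords),
        "length_ok": sum(1 for p in passwords if meets_length_only(p, min_len)),
        "complexity_ok": sum(1 for p in passwords if meets_windows_complexity(p, min_len)),
        "at_minimum_length": fraction_at_minimum(passwords, min_len),
    }


def format_mask(pw):
    """Collapse a password to its class pattern, e.g. 'Summer11' -> 'ullllldd'."""
    return "".join(char_class(c) for c in pw)


def most_common_formats(passwords, n=3):
    """Most frequent class patterns, as (mask, count) pairs."""
    return Counter(format_mask(p) for p in passwords).most_common(n)


def per_position_counts(passwords):
    """Number of distinct characters seen at each position (index 0 is the
    first character). A low count means users converge on the same
    choice at that position, which is what a per-position entropy
    figure captures."""
    longest = max((len(p) for p in passwords), default=0)
    return [len({p[i] for p in passwords if len(p) > i}) for i in range(longest)]


if __name__ == "__main__":
    print(compliance_report(SAMPLE_PASSWORDS))
    print(most_common_formats(SAMPLE_PASSWORDS))
    print(per_position_counts(SAMPLE_PASSWORDS))
```

On the constructed sample, 8 of 10 passwords sit exactly at the assumed minimum of 8, which is the "most accounts at the minimum length" effect Per describes, and only 6 of the 9 that pass a length-only policy also pass the 3-of-4 complexity rule.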