Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 16 Apr 2012 02:53:58 +0400
From: Aleksey Cherepanov <aleksey.4erepanov@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: Finding words on which passwords are based

On Sun, Apr 15, 2012 at 11:53:29PM +0200, Frank Dittrich wrote:
> On 04/15/2012 11:10 PM, Aleksey Cherepanov wrote:
> > During the contest there were a lot of passwords based on words related to the
> > contest. Most (if not all) of that were available on the contest's site.
> > 
> > So if we know that we crack password from some company we could try to use
> > words from this company's site or even from sites related to it's subject.
> > 
> > It is a guess. Though automatic site ripper could be helpful.
> 
> As long as you'll have either passwords being built using simple
> mangling rules or many saltless hashes or fast hashes, the most commonly
> used passwords usually turn up very fast during the initial cracking
> attempts, because they are often part of larger word lists.
> Then, it is just a matter of seeing a pattern and finding more relevant
> words.
> So it often doesn't matter that much which basic words are favored,
> "pocket monsters" or something else.
> Once you have identified these favorite words, you can try more and more
> complex mangling rules on them.
> 
> 
> If you crack passwords from some company, those basic words could be
> brand names, names of cities or streets where subsidiaries of this
> company are located, and so on.
> 
> Depending on password policy, even month names (not just the English
> ones, especially for international companies) or their abbreviations
> also make good basic words.
> Since the list of month names is extremely short (especially if you
> first concentrate on those names that are used in multiple languages),
> you can use a ridiculous amount of crazy mangling rules on those
> passwords, and still be very effective cracking new passwords.
> It would probably even make sense to try appending month names or their
> abbreviations to all previously cracked passwords (start with most
> frequently used passwords), use month names as password prefix, or
> insert the month name somewhere in the middle...
> 
> And of course, first names are an all-time favorite for building passwords.
> Use a list sorted by frequency, like collected here:
> http://downloads.skullsecurity.org/passwords/facebook-firstnames-withcount.txt.bz2
> Apply more complicated mangling rules only on the top n names (the size
> of n also depends on the hash type), apply simpler rules to a larger set
> of names.
> Find out which names are frequently used in passwords, and apply more
> rules on those.
> Find out which rules are used frequently, and apply those on a larger
> list of names or on other word lists...

So we should find basic words, find their full list if possible (like with
pokemons), apply mutations on them including rules and word combination
(probably from lists of basic words of different kinds), right?

Also it could be handy to have different prepared lists. I think it is like
prepared wordlists but more general. Probably we could rip wikipedia for such
lists with good quality.

Or we could even make dynamic basic words list finder that finds full list on
the internet using human-like methods like google or our own search local
engine (filling its database is similar to preparing lists).

Regards,
Aleksey Cherepanov

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.