Date: Fri, 3 Aug 2012 12:40:17 -0600
From: Stephen John Smoogen <smooge@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: any plans to support superlong passwords?

On 3 August 2012 12:23, Frank Dittrich <frank_dittrich@...mail.com> wrote:
> On 08/03/2012 08:07 PM, Aleksey Cherepanov wrote:
>> Team Hashcat said: "... recent breaches. Statistically the average
>> password length is eight (8) characters."
>> (https://contest-2012.korelogic.com/team_hashcat.html )
>
> That is the average length of hashes they cracked.
> Did they mention what percentage of hashes they cracked?
> Maybe the longer passwords remained uncracked.
> So this could also be some kind of "self-fulfilling prophecy".
> Because most passwords had length 8 in the past, they focus on passwords
> of length 8, and (surprise!) they find passwords of length 8.
>
> Frank

OK from looking at what I have from the linkedin.pot

Overall (with 4106655 out of 6143150 cracked in my tests)
1378901 8
 723286 9
 585288 7
 569405 6
 452748 10
 202813 11
 105334 12
  45508 13
  23400 14
  10729 15
   8055 16
[all entries below that are greater than 16 characters]
There are 2 million left, but I have exhausted less than 1% of the 8
character lengths and only 80% of 7 characters (my systems are very
slow that are doing this).

What has been published about the Eharmony etc. matches those
general estimates in length.

Concentrating on the part of the linkedin parts that were not previously
hacked (e.g. not the first 6 digits 0'd out) I had been able to find
1004733 out of 2621970

 354342 8
 246332 9
 158609 10
  79884 11
  58520 7
  44160 12
  22182 13
  15334 6
  12519 14
   6435 15
   5550 16

which basically points to an average of 8-9 characters (again 1.1 million
could all be greater than 16 characters and I don't know it yet...
give me 2 years and I can give a better estimate).

Looking though at the plain text ones (eg rockyou and the various
other plaintext ones..) 8 is the average size of passwords there.
Usually in the form of the same ones we have been finding for the last
20 years.

-- 
Stephen J Smoogen.
"Don't derail a useful feature for the 99% because you're not in it."
Linus Torvalds
"Years ago my mother used to say to me,... Elwood, you must be oh
so smart or oh so pleasant. Well, for years I was smart. I
recommend pleasant. You may quote me."  —James Stewart as Elwood P. Dowd
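
Added example, not part of the original message: a tally of cracked plaintext lengths from a pot file in John's `hash:plaintext` layout, plus bounds on the mean over all hashes when the uncracked ones are unknown, which is the bias raised in the quoted reply. The sample lines, placeholder hashes, function names and length limits are constructed for illustration.

```python
from collections import Counter

# Constructed sample in "<hash>:<plaintext>" pot layout.
# The hash fields are placeholders, not real digests.
SAMPLE_POT = """\
HASH_PLACEHOLDER_01:password
HASH_PLACEHOLDER_02:letmein1
HASH_PLACEHOLDER_03:abc:1234
HASH_PLACEHOLDER_04:monkey
HASH_PLACEHOLDER_05:sunshine9
"""


def length_histogram(pot_text):
    """Count cracked plaintexts by length.

    Split only on the first ':' because the plaintext may contain colons.
    """
    hist = Counter()
    for line in pot_text.splitlines():
        if ":" not in line:
            continue  # skip blank or malformed lines
        _, plain = line.split(":", 1)
        hist[len(plain)] += 1
    return hist


def mean_length(hist):
    """Mean length of the cracked plaintexts only."""
    cracked = sum(hist.values())
    return sum(length * n for length, n in hist.items()) / cracked


def mean_bounds(hist, total_hashes, min_len, max_len):
    """Lowest and highest possible mean over ALL hashes.

    Assumption (labelled): every uncracked password has a length in
    [min_len, max_len]; nothing else is known about them.
    """
    cracked = sum(hist.values())
    uncracked = total_hashes - cracked
    known_sum = sum(length * n for length, n in hist.items())
    low = (known_sum + uncracked * min_len) / total_hashes
    high = (known_sum + uncracked * max_len) / total_hashes
    return low, high


if __name__ == "__main__":
    h = length_histogram(SAMPLE_POT)
    for length, n in h.most_common():
        print(f"{n:8d} {length}")
    print("mean of cracked:", mean_length(h))
    print("bounds with 3 uncracked:", mean_bounds(h, 8, 1, 20))
```

The wider the gap between the two bounds, the less the cracked-only average says about the full set.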
