Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 3 Aug 2012 15:56:03 -0400
From: Matt Weir <>
Subject: Re: any plans to support superlong passwords?

Another way to put it, is that Korelogic wasn't trying to hinder tools
or teams. They are just trying to spur the development of better


On Fri, Aug 3, 2012 at 3:54 PM, Matt Weir <> wrote:
> It's my understanding that Korelogic's focus on passphrases was to
> spur the development of passphrase cracking tools/techniques. Aka
> passphrases may not be common, but it's nice to have tools that can
> target them. If we had good passphrase cracking tools right now, the
> number of passphrases in the challenge wouldn't have been a problem ;p
> For example, one outcome of this contest might be that atom modifies
> oclhashcat so it can target passwords longer than 15 characters ;p
> Matt
> On Fri, Aug 3, 2012 at 2:57 PM, Brad Tilley <> wrote:
>> Hi Stephen,
>> <snip>
>>> which basically points an average of 8-9 characters (again 1.1 million
>> could all be greater than 16 characters and I don't know it yet... give
>> me 2 years and I can give a better estimate).
>>> Looking though at the plain text ones (eg rockyou and the various other
>> plaintext ones..) 8 is the average size of passwords there. Usually in
>> the form of the same ones we have been finding for the last 20 years.
>> I agree. Humans being humans, we don't tend to use long passwords unless
>> we are forced to do so. All of the studies I've seen and research I've
>> done point to between 6 to 9 characters as being the average password
>> length on most systems.
>> Sure, there are longer passwords (no one disputes that), 'Password123456!'
>> for example, but 21 to 22 characters as an average? That's simply not a
>> realistic average anywhere on this planet. Perhaps it is for high-security
>> military systems and as we've all seen it certainly is for contrived
>> passwords in the KL contest, but not for a real passwords on real sites
>> intended to be consumed by the masses. It just isn't so.
>> I assume KL devised such an unrealistic average length as an attempt to
>> hinder the GPU teams and rainbow table attacks. It didn’t seem to work.
>> Brad

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.