Date: Tue, 21 Aug 2012 16:53:50 -0700 From: Francois Pesce <fpesce@...lys.com> To: john-users@...ts.openwall.com Subject: Re: Arstechnica Password article (feat. Matt Weir) Hi, I've got several critics: _ The way they're presenting the wordlist+rules under a pretty name like that "hybrid attack". It looks like a new thing, which it's definitely not. Rules+dictionary! Come on! Even the Morris Worm had a bruteforce dictionary attack which used to lowercase/capitalized words from user account details. No silver bullet here. _ It emphasized the Rockyou dictionary, which is interesting, but not enough on the pass phrases cracking. CDDB/Wikipedia titles/Facebook names/gutenberg project/LinkedIn names (You can download their whole base w/ a simple wget script) are now strong sources of pass phrase cracking, and I mean, actual pass phrases of more than 2 words. What about Markov? These new techniques deserve attention as well, because they lead to the conclusion that any non-random password can possibly be cracked. _ From a vulgarization point of view, the password length graphic which is reproduced at the end of the article is very dubious because it lets the users think that they'll be secured by choosing any password very long, which they are not able to humanly generate without it to be easily cracked: music title, book phrase, repetition of words, logical enumeration, etc. Still, I find that most of the article is good. My 2 cents, Francois On Tue, Aug 21, 2012 at 4:04 PM, Matt Weir <cweir@...edu> wrote: > > There are some minor inaccuracies. > > Hey Solar, I'd be very interested to hear what you felt was wrong. Dan > really impressed me with his dedication to try and get everything > right. A good example of that was his research into the origin of the > term "Rainbow tables" where not only did he read the original Oechslin > papers but he contacted a bunch of people and posted on Twitter as > well. Even with all that research since he wasn't able to find an > authoritative source he wrote: "Rainbow tables are believed to get > their name....". > > I guess more to the point, he had several people including me review a > pre-release copy so some of those mistakes may be mine as well ;p > > As far as JtR not being mentioned, I think that's more of a PR issue > we have. When people talk about password cracking to the general > public they tend to focus on Rainbow tables, GPUs, and the cloud. We > can debate how much impact all those things have, but the simple fact > is that's what people find interesting. While JtR has GPU support, > Hashcat won the CMIYC competition so they deserve the recognition they > get when it comes to mentioning a GPU cracker. If we can get better > GPU cracking performance than Hashcat people will mention JtR instead > ;p > > Matt >
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.