Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 21 Aug 2012 16:53:50 -0700
From: Francois Pesce <>
Subject: Re: Arstechnica Password article (feat. Matt Weir)


I've got several critics:
_ The way they're presenting the wordlist+rules under a pretty name like
that "hybrid attack". It looks like a new thing, which it's definitely not.
Rules+dictionary! Come on! Even the Morris Worm had a bruteforce dictionary
attack which used to lowercase/capitalized words from user account details.
No silver bullet here.

_ It emphasized the Rockyou dictionary, which is interesting, but not
enough on the pass phrases cracking. CDDB/Wikipedia titles/Facebook
names/gutenberg project/LinkedIn names (You can download their whole base
w/ a simple wget script) are now strong sources of pass phrase cracking,
and I mean, actual pass phrases of more than 2 words. What about Markov?
These new techniques deserve attention as well, because they lead to the
conclusion that any non-random password can possibly be cracked.

_ From a vulgarization point of view,  the password length graphic which is
reproduced at the end of the article is very dubious because it lets the
users think that they'll be secured by choosing any password very long,
which they are not able to humanly generate without it to be easily
cracked: music title, book phrase, repetition of words, logical
enumeration, etc.

Still, I find that most of the article is good.

My 2 cents,


On Tue, Aug 21, 2012 at 4:04 PM, Matt Weir <> wrote:

> > There are some minor inaccuracies.
> Hey Solar, I'd be very interested to hear what you felt was wrong. Dan
> really impressed me with his dedication to try and get everything
> right. A good example of that was his research into the origin of the
> term "Rainbow tables" where not only did he read the original Oechslin
> papers but he contacted a bunch of people and posted on Twitter as
> well. Even with all that research since he wasn't able to find an
> authoritative source he wrote: "Rainbow tables are believed to get
> their name....".
> I guess more to the point, he had several people including me review a
> pre-release copy so some of those mistakes may be mine as well ;p
> As far as JtR not being mentioned, I think that's more of a PR issue
> we have. When people talk about password cracking to the general
> public they tend to focus on Rainbow tables, GPUs, and the cloud. We
> can debate how much impact all those things have, but the simple fact
> is that's what people find interesting. While JtR has GPU support,
> Hashcat won the CMIYC competition so they deserve the recognition they
> get when it comes to mentioning a GPU cracker. If we can get better
> GPU cracking performance than Hashcat people will mention JtR instead
> ;p
> Matt

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.