Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 11 Sep 2012 14:12:38 -0400
From: Rich Rumble <richrumble@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: Re: Passphrase Creation

On Tue, Sep 11, 2012 at 1:28 PM, Matt Weir <cweir@...edu> wrote:
> So I figured I'd outline a couple of passphrase cracking strategies
> along with some rambling thoughts:
Me too!
I've found the FreeCDDB very useful in cracking. Aritists, Song names,
Album/Track tittles etc are easily parsed, and often turn out to be a
popular saying or phrase. Idioms, sayings, proverbs, phrases
(whatever) are an interesting problem. I'm not at all happy with the
parsing I've done on the cddb, many non-ascii characters and lots of
inconsistent spelling ("dupes" can exist because of this) don't help.
What I have gleaned out of the entire Freecddb a few months ago was
very useful to me in my audits and random dumps from pastebin etc.
I've not looked in to phrases/multi-word cracking beyond some Idioms
from the FreeDictionary and the FreeCDDB. The majority of stuff out
there I find is related to the entity/company/product the passwords
come from. FBsucks isn't going to be someones hotmail pass, but HMSux
or something similar will be.
I talked about metrics for passwords a while ago, a possible anonymous
system to submit data to, perhaps derived from the .log files.
http://www.openwall.com/lists/john-users/2012/04/16/1
Also having the most effective rules somehow being tracked if someone
chose to share, and I was told that unless  --mkpc=N is used (during
building), the rule(s) reported last (before the pass is cracked)
isn't necessarily the rule that was used. I think some slow down is
incurred to be "rule accurate" in the .log.
I'd be interested in contributing data to such a project, and it may
be interesting to try to pick apart previous dumps for additional
patterns. Even if no one else is interested, I may create a(nother)
long email about how I'd engineer it, I'm a good thinkerer :)
I've been wondering if Trigraphs might be expanded to "quadgraphs"
(probably not a real thing)to better cope with longer passwords or
phrases, I should of stayed in school...Then maybe I could talk about
using "levenshtein distances" or "metaphones" as applicable ways of
researching "passphrases". Maybe I'll try to write it anyway...
-rich

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.