Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 26 Aug 2015 06:43:27 -0400
From: KZug <>
Subject: Re: Anyone looked at the Ashley Madison data yet?

(some) Replies in line. 
edited and compiled for length 

> First, obviously you're doing this for research (and not e.g. for having
> anyone's account anywhere compromised to any greater extent).  What kind
> of research is that?  What would you like to find out, and why?
  — Let me be very clear, this is ABSOLUTELY NOT to Pastebin the results, or to add injury to insult to AM’s clients: They have already been victimized twice, no need to add other layers. 
  The only ones I would be willing to share results with, besides participants, are *bona fide* academics, JTR Dev team, or proven Sec researchers, i.e. Mr. Matt W. et al. 
  I don’t have a “n0m d3 9uerre” and don’t intend to get one. Freeriders and “I can has da list pleeez”  are going to be disappointed.  
> Is this to get as many passwords cracked as you can, and then state this
> figure -
  password analysis, attempting to find, if any: new trends in passwords, new or more efficent rules, or compile better WL 
> e.g., "0.1% of the bcrypt hashes in the dump cracked in 7 days"
> (totally arbitrary figures, but these feel realistic to me based on what
> was said so far)?  So that e.g. academic publications on password security
> have some figure to refer to for the case of very slow salted hashes
> without a password policy
  — Nothing jaw dropping here, the usual “No Password Policy” leads to a plethora of “123456” and their brothers. Moore’s law does not apply to human brain. 
> and with related information available for
> each account in a multi-million password hash dump (these are the factors
> that I think are primarily determining the success rate).  If so, you
> may accept contributions from about anyone.

> On Aug 26, 2015, at 01:49, Solar Designer <> wrote:

> Actually, for a likely top 100 list from a 100k sub-list, you don't need
> a community effort.  This can be done by one person using one machine in
> a few days.  Just take a few hundred top passwords from existing such
> lists, add four lines:
> ashley
> madison
> Ashley
> Madison

 — already done few days ago. :)  Thanks. 
 @shley, ashl3y, a5hley, @shl3y, etc,etc 

> and run it until completion against the 100k sample (it's crucial to
> "shuf" the original list before you extract this sample).  Out of the
> four lines I suggested adding, I guess the all-lowercase ones are
> somewhat likely to appear in top 100.  The capitalized ones probably
> aren't popular enough, but are worth testing as well (can't rule out
> them being in top 100 without testing).
> To test 300 candidate passwords against a 100k sample at 50 c/s (one
> modern quad-core CPU), you need:
> 300 * 100000 / 50 / 86400 = ~7 days

  I’ll then need 30 days :\
  or to figure out that abort trap 6 error @ GWS 32.  Bis repetita…  

> 300 is probably … (edited) … enough in
> that sample to potentially be in top 100 then tested against the 100k
> sample.  Then it's just a day more.
> So it’s unclear if a community effort is justified.
 —  I would not bother if it wasn’t that slow. A lot of people are probably testing the same rules against the same hashes over and over again.  It’s about efficiency.  

>  For a top 100 list,
> if desired, someone just needs to do it right.  And doing it right is
> more important than testing a larger candidate password list against a
> larger sample.

 —  Understood and Agreed. 

— Thank you for answers.  

> Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.