Date: Wed, 26 Aug 2015 06:43:27 -0400 From: KZug <kzug10@...il.com> To: john-users@...ts.openwall.com Subject: Re: Anyone looked at the Ashley Madison data yet? (some) Replies in line. edited and compiled for length > First, obviously you're doing this for research (and not e.g. for having > anyone's account anywhere compromised to any greater extent). What kind > of research is that? What would you like to find out, and why? — Let me be very clear, this is ABSOLUTELY NOT to Pastebin the results, or to add injury to insult to AM’s clients: They have already been victimized twice, no need to add other layers. The only ones I would be willing to share results with, besides participants, are *bona fide* academics, JTR Dev team, or proven Sec researchers, i.e. Mr. Matt W. et al. I don’t have a “n0m d3 9uerre” and don’t intend to get one. Freeriders and “I can has da list pleeez” are going to be disappointed. > Is this to get as many passwords cracked as you can, and then state this > figure - password analysis, attempting to find, if any: new trends in passwords, new or more efficent rules, or compile better WL > e.g., "0.1% of the bcrypt hashes in the dump cracked in 7 days" > (totally arbitrary figures, but these feel realistic to me based on what > was said so far)? So that e.g. academic publications on password security > have some figure to refer to for the case of very slow salted hashes > without a password policy — Nothing jaw dropping here, the usual “No Password Policy” leads to a plethora of “123456” and their brothers. Moore’s law does not apply to human brain. > and with related information available for > each account in a multi-million password hash dump (these are the factors > that I think are primarily determining the success rate). If so, you > may accept contributions from about anyone. > On Aug 26, 2015, at 01:49, Solar Designer <solar@...nwall.com> wrote: > > Actually, for a likely top 100 list from a 100k sub-list, you don't need > a community effort. This can be done by one person using one machine in > a few days. Just take a few hundred top passwords from existing such > lists, add four lines: > > ashley > madison > Ashley > Madison — already done few days ago. :) Thanks. @shley, ashl3y, a5hley, @shl3y, etc,etc > and run it until completion against the 100k sample (it's crucial to > "shuf" the original list before you extract this sample). Out of the > four lines I suggested adding, I guess the all-lowercase ones are > somewhat likely to appear in top 100. The capitalized ones probably > aren't popular enough, but are worth testing as well (can't rule out > them being in top 100 without testing). > > To test 300 candidate passwords against a 100k sample at 50 c/s (one > modern quad-core CPU), you need: > > 300 * 100000 / 50 / 86400 = ~7 days I’ll then need 30 days :\ or to figure out that abort trap 6 error @ GWS 32. Bis repetita… > 300 is probably … (edited) … enough in > that sample to potentially be in top 100 then tested against the 100k > sample. Then it's just a day more. > > So it’s unclear if a community effort is justified. — I would not bother if it wasn’t that slow. A lot of people are probably testing the same rules against the same hashes over and over again. It’s about efficiency. > For a top 100 list, > if desired, someone just needs to do it right. And doing it right is > more important than testing a larger candidate password list against a > larger sample. — Understood and Agreed. — Thank you for answers. > > Alexander
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.