Date: Thu, 3 Sep 2015 04:21:19 -0500 From: JimF <jfoug@....net> To: john-users@...ts.openwall.com Subject: Re: Anyone looked at the Ashley Madison data yet? On 9/3/2015 3:57 AM, Frank Dittrich wrote: > It depends on your goals. If you want to find the weakest passwords > over all accounts as fast as possible, you are right. If you want to > get a list of top passwords or top single mode rules or top input > words for these single mode rules (account names, first/last > names,city, date of birth, phone number, etc.), you should try various > attacks against a large enough random sample. Then you can adjust your > password policy, and let your users change their passwords. Frank I am putting in some effort right now, to try to find the top single rules. I was surprised that what appears to be 2 or 3 of the top 5 single rules (at least for this AM data) were not part of our prior single rules until I happened to spot them in the AM data. I wonder how much other low hanging fruit is waiting to be scooped up? But I am not doing the initial leg work using the AM data. That is simply too slow. I will use other full user table dumps (with GECOS like info), to try to build a quicker set of rules that get same or nearly the same end results, and look for patterns which are used by users to 'remember' their account passwords. Yes, for the AM dump, you have to use ONLY the absolute cream of the crop or you will simply burn up CPU's with little to show for it. As I mentioned off list, using another hash that is about 200kX faster that the bcrypt-12 hash, and on a database about 220x the full run -single appears to be about 10 CPU-core hours. That would SWAG translate into about 51K CPU-core YEARS to complete the AM dump against a full -single run of john (default settings, default rules). But using a much more targeted approach, we are achieving a large percentage of the end results, in about 11-12 CPU-core WEEKS. That is a pretty huge reduction in time expectation. Yes, the final result will be smaller, but not 220000x smaller (which is the factor of time being reduced).
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.