Date: Thu, 3 Sep 2015 04:21:19 -0500
From: JimF <>
Subject: Re: Anyone looked at the Ashley Madison data yet?

On 9/3/2015 3:57 AM, Frank Dittrich wrote:
> It depends on your goals. If you want to find the weakest passwords 
> over all accounts as fast as possible, you are right. If you want to 
> get a list of top passwords or top single mode rules or top input 
> words for these single mode rules (account names, first/last 
> names, city, date of birth, phone number, etc.), you should try various 
> attacks against a large enough random sample. Then you can adjust your 
> password policy, and let your users change their passwords.
>
> Frank

I am putting in some effort right now to try to find the top single 
rules.  I was surprised that what appear to be 2 or 3 of the top 5 
single rules (at least for this AM data) were not part of our prior 
single rules until I happened to spot them in the AM data.  I wonder how 
much other low hanging fruit is waiting to be scooped up?  But I am not 
doing the initial leg work using the AM data. That is simply too slow.  
I will use other full user table dumps (with GECOS-like info) to try to 
build a quicker set of rules that get the same or nearly the same end 
results, and look for patterns which are used by users to 'remember' 
their account passwords.

Yes, for the AM dump, you have to use ONLY the absolute cream of the 
crop or you will simply burn up CPUs with little to show for it. As I 
mentioned off list, using another hash that is about 200kX faster than 
the bcrypt-12 hash, and on a database about 220x the full run -single 
appears to be about 10 CPU-core hours.  That would SWAG translate into 
about 51K CPU-core YEARS to complete the AM dump against a full -single 
run of john (default settings, default rules).  But using a much more 
targeted approach, we are achieving a large percentage of the end 
results in about 11-12 CPU-core WEEKS. That is a pretty huge reduction 
in time expectation.  Yes, the final result will be smaller, but not 
220000x smaller (which is the factor by which the time is reduced).
