Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 3 Sep 2015 10:57:55 +0200
From: Frank Dittrich <>
Subject: Re: Anyone looked at the Ashley Madison data yet?

On 09/03/2015 06:40 AM, JimF wrote:
> Thank you for the link. There are several on this list which have been
> working this
> data in a more gray matter manner, and will be pushing the 1 million
> cracked hashes
> in the very near future.  My goal is to get to 10% (3.6 million), then
> 15%, then 20%.
> I am pretty sure 10% is achievable by a single person with a couple
> decent desktop
> computers (no GPU needed).  15% 'may' be achievable, but 20% is likely
> a hard target
> to obtain, simply due to the slowness of the hashes overall, without
> teaming up to
> throw more serious hardware at the task.

Yes, the first 1 million is easy.

After addressing issue, my i5-4570
CPU @ 3.20GHz quad core CPU can do just above 43 c/s instead of only 30 c/s.
While just trying the top 3 passwords against all hashes will give you
about 0.5 million cracks, I found a way to get 1.3 million cracks in 30
days (I get more than 1880 new cracks per hour, on input files created
after randomizing the sequence of accounts), by "combining" single mode
and top passwords using an ugly single.c source code hack and
SingleWordsPairMax = 0
SingleRetestGuessed = N (or a single.c modification with the same effect
on an older git commit).

So, with just 3 guesses per account, you can crack about 3.7% of the

But with the easiest password cracked first, it well get harder and
harder very fast.

> The words you list are pretty much what I have seen. By far 123456
> 123456789
> then 12345 and password.  The top 3 or 4 will crack about 3% of the
> user accounts.
> I have about a hundred thousand of just 123456 and 123456789

I think, overall 12345 should be (a little) more frequent than 123456789.

> By far the best method of attack on a wordlist that is this extensive
> is to use a sniper
> method, that targets each specific hash using only information known
> about that
> hash (such as the user id, email, zip code, phone number, etc). That
> type of pinpoint
> accurate attack will crack a very surprising number.  Then a 2nd
> method still is very
> targeted, is to search using ONLY the absolute best words possible
> against all hashes,
> just a minimal amount of words at a time.  The minimal amount is the
> minimum that
> the software can test at one time using the current CPU (or GPU).
> Hopefully that number
> can be small (such as 3).  3 words tested against the entire set of
> hashes is about
> 500 hours (at 60/s) or about 20 days.
> Shotgun searching, just letting a cracker blindly go on is really
> going to spend a lot of
> time heating up your room ;)  without a lot of ROI    I started
> running the top 150 words
> from the rocku dump (ordered by number of occurrences on rock-u),
> taking out some
> of the rock-u words.  It quickly became apparent that after the first
> few words, the
> returns drop off very quickly.  One thing I did see is that names on
> rock-u were much
> more likely to be used, but on AM there are names used, but much less
> frequently.
> Also, the word 'password' was pretty popular for very early user
> accounts on AM,
> but in the more recent user accounts it is becoming less and less
> likely to be seen.

It depends on your goals.
If you want to find the weakest passwords over all accounts as fast as
possible, you are right.

If you want to get a list of top passwords or top single mode rules or
top input words for these single mode rules (account names, first/last
names,city, date of birth, phone number, etc.), you should try various
attacks against a large enough random sample.
Then you can adjust your password policy, and let your users change
their passwords.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.