Date: Tue, 18 Aug 2020 08:21:12 -0800 From: Royce Williams <royce@...ho.org> To: john-users@...ts.openwall.com Subject: Re: any experience with hasheshorg2019 wordlist? Hello, Albert - On Tue, Aug 18, 2020 at 7:17 AM Albert Veli <albert.veli@...il.com> wrote: > Hello, I have not used that list. But the site https://hashes.org/ had > many leaks of live hashes and I suspect the wordlist you mention is a > collection of cracked hashes from the live ones. As you can see on the > site it had a failure (hard drive?) and is currently down. > >From my read of s3's blog posts, the previous server ended up having bad RAM, which was slowly corrupting the Cassandra database. The database is being reconstructed on new hardware, which takes quite a bit of time (and has to be interleaved with other activities, as time allows). A static version of the site, including all of the found lists, is currently available at temp.hashes.org. > Typically if you want statistics it is better to use rockyou since it > has a big collection of all real passwords, while the hashes.org only > has cracked ones and is missing maybe 10% of the hardest passwords. > That way the statistics gets skewed and only reflect the weakest 90% > of the passwords. > I'll have to disagree with you there. :) The hashes.org founds contain 100% of RockYou - as well as 100% of other similar plaintext leaks (such as the more recent LiveJournal leak) - due to their presence in other lists (such as the Have I Been Pwned corpus). Since these were cracked using those original plaintexts, they are fully represented. The leaks on hashes.org are from a variety of sources, platforms, and time periods - and therefore a variety of demographics / cultures / countries. Also, the crack rate for fast hashes is much higher - on the order of 99% and up for many leaks based on fast hashes. And the success rate is constantly going up, as new leaks are made public elsewhere and are used as raw material to attack old lists. For these reasons, the superset of all hashes.org "founds" is one of the most efficient broad-spectrum attack wordlists (that is publicly and freely available) for real human passwords. (The hashes.org "junk" founds are those founds that are less likely to be human-generated passwords, but are also very useful as a later pass, for cleaning up non-human-generated founds in target hashes.) Royce > On Tue, Aug 18, 2020 at 2:18 PM Johny Krekan <krekan@...nykrekan.com> > wrote: > > > > Hello, after some time I went to weakpass.com and I have found > > hashesorg2019, which seems quite new and big. Do you have any experience > > with this wordlist (success in finding passwords). Do you think that it > > could contain many new passwords or is it recompilation of old ones? >
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.