Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 2 May 2021 10:29:29 -0800
From: Royce Williams <>
Subject: Re: source of information for John's charset files

On Sun, May 2, 2021 at 9:50 AM Solar Designer <> wrote:

> (I had heard folks cracked almost the entire HIBP set by downloading and
> testing against it various lists of breached passwords.  After all, HIBP
> is supposed to only contain passwords that were breached or leaked in
> plaintext, so if Troy could compile this collection then others could as
> well.  However, for my test above I only used what was crackable without
> usage of plaintext leaks beyond RockYou.)

Just to make sure that everyone's aware, it wasn't just a matter of
acquiring the component breaches. Many other techniques were needed to
fully "recover" the plains for the HIBP hashes as published. Many of them
are not "real-world" passwords - they're full of nested hashes, conversion
errors, HTML escapes, truncations, untrimmed separators, and many other
non-password artifacts. And even after reverse-engineering those, some
remain. Just something to keep in mind when measuring cracking success
rates against that corpus, or trying to use that corpus as a wordlist for
other attacks.

For more detail, CynoSure Prime and m33x and I did some work on the first
couple of HIBP releases, and wrote up the results here:

Hard to believe it was four years ago. :)


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.