Date: Sun, 2 May 2021 10:29:29 -0800 From: Royce Williams <royce@...ho.org> To: john-users@...ts.openwall.com Subject: Re: source of information for John's charset files On Sun, May 2, 2021 at 9:50 AM Solar Designer <solar@...nwall.com> wrote: > (I had heard folks cracked almost the entire HIBP set by downloading and > testing against it various lists of breached passwords. After all, HIBP > is supposed to only contain passwords that were breached or leaked in > plaintext, so if Troy could compile this collection then others could as > well. However, for my test above I only used what was crackable without > usage of plaintext leaks beyond RockYou.) > Just to make sure that everyone's aware, it wasn't just a matter of acquiring the component breaches. Many other techniques were needed to fully "recover" the plains for the HIBP hashes as published. Many of them are not "real-world" passwords - they're full of nested hashes, conversion errors, HTML escapes, truncations, untrimmed separators, and many other non-password artifacts. And even after reverse-engineering those, some remain. Just something to keep in mind when measuring cracking success rates against that corpus, or trying to use that corpus as a wordlist for other attacks. For more detail, CynoSure Prime and m33x and I did some work on the first couple of HIBP releases, and wrote up the results here: https://blog.cynosureprime.com/2017/08/320-million-hashes-exposed.html Hard to believe it was four years ago. :) Royce
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.