Date: Sun, 19 Jun 2016 21:21:03 +0300
From: Solar Designer <solar@...nwall.com>
To: passwords@...ts.openwall.com
Subject: Re: Am I Overlooking any Practical Attacks?

On Sun, Jun 19, 2016 at 01:33:55PM -0400, Scott Arciszewski wrote:
> I was referring to this post by Mark Burnett from 2011 and the subsequent
> lists released: https://xato.net/10-000-top-passwords-6d6380716fe0
>
> I also wasn't aware that he released a follow-up with 10,000,000. :)

There are some inconsistencies in Mark's data (suggesting data processing
errors on his part), as I pointed out in this Twitter thread:

https://mobile.twitter.com/m8urnett/status/558073405497671684

One of the easiest to spot is that his "10k most common" and "10k most
common with frequency" differ by 5 passwords, but that's minor.

What's worse is that Mark's 2011 analysis greatly overestimated the
percentage of passwords that fall into top 10k (and was also inconsistent
about this percentage). Re-reading this Twitter thread now, it looks like
it was ~99% in 2011 vs. ~24% in 2014 - clearly not an actual change, but
just (major) data processing errors and/or biases.

With inconsistencies like this, I wouldn't rely on the data for anything
serious, and certainly not as the only source.

That said, I just ran a test of passwdqc on Mark's top 10k list above
(using my copy I downloaded during that discussion in 2015, but I assume
it hasn't changed):

[solar@...l passwdqc-1.3.0]$ time while read -r pw; do echo $pw | LD_LIBRARY_PATH=. ./pwqcheck -1 > /dev/null && echo $pw; done < ../xato/'10k most common.txt'
films+pic+galeries

real    0m6.538s
user    0m1.843s
sys     0m8.302s

So this list somehow contains the passphrase films+pic+galeries. I think
it's fine that it meets passwdqc's default policy. Is this also the one
that passes Zxcvbn?

Alexander
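The two data-quality problems raised above (the plain "top N" list and the "top N with frequency" list not agreeing, and the "percentage of passwords in top 10k" figure swinging between analyses) are easy to check mechanically before a list is used for policy decisions. The script below is an added example, not code from this thread, from Mark Burnett's dataset or from passwdqc; all lists are small constructed samples embedded inline. It reports the set difference between the two lists, computes coverage both by occurrence and by distinct string (the two are easy to confuse and give very different percentages), and includes a deliberately simplified "looks like a passphrase" rule (at least three alphanumeric words separated by other characters, total length at least 11) that is an assumption for illustration only and is not passwdqc's actual algorithm.

```python
"""Sanity checks for a 'most common passwords' dataset.

Added example, not code from the mailing-list thread or from passwdqc.
Every input below is constructed inline for illustration.
"""
import re

# Constructed: a plain "top-N" list and a "top-N with frequency" list that
# claim to describe the same passwords.  One entry differs between them,
# mirroring the kind of inconsistency discussed in the thread.
TOP_PLAIN = ["123456", "password", "12345678", "qwerty", "abc123", "letmein"]
TOP_WITH_FREQ = """123456 290731
password 79078
12345678 76790
qwerty 59462
abc123 49952
monkey 33291
"""

# Constructed sample of a leaked corpus: one password per line, with repeats.
LEAK_SAMPLE = """123456
123456
password
qwerty
hunter2
correct horse battery staple
films+pic+galeries
letmein
123456
Tr0ub4dor&3
"""


def parse_freq_list(text):
    """Parse 'password count' lines into a dict.  Split on the *last* space so
    that passwords containing spaces are kept intact."""
    out = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        pw, _, count = line.rpartition(" ")
        out[pw] = int(count)
    return out


def list_discrepancies(plain, with_freq):
    """Return (only_in_plain, only_in_freq): entries the two lists disagree on.
    For lists that claim to be the same top-N, both should be empty."""
    a, b = set(plain), set(with_freq)
    return sorted(a - b), sorted(b - a)


def coverage(sample_text, top):
    """Fraction of password *occurrences* in the sample found in `top`.
    This is what 'X% of passwords are in the top 10k' normally means."""
    occurrences = [line for line in sample_text.splitlines() if line]
    hits = sum(1 for pw in occurrences if pw in top)
    return hits / len(occurrences)


def distinct_coverage(sample_text, top):
    """Fraction of *distinct* passwords in the sample found in `top`.
    Confusing this with occurrence coverage is one way to get wildly
    different percentages from the same data."""
    distinct = {line for line in sample_text.splitlines() if line}
    return len(distinct & set(top)) / len(distinct)


def looks_like_passphrase(pw, min_words=3, min_len=11):
    """Simplified, assumed rule for illustration (NOT passwdqc's logic):
    a passphrase is at least `min_words` alphanumeric words separated by
    other characters, with a total length of at least `min_len`."""
    words = [w for w in re.split(r"[^A-Za-z0-9]+", pw) if w]
    return len(words) >= min_words and len(pw) >= min_len


if __name__ == "__main__":
    freq = parse_freq_list(TOP_WITH_FREQ)
    only_plain, only_freq = list_discrepancies(TOP_PLAIN, freq)
    print("only in plain list:", only_plain)
    print("only in frequency list:", only_freq)
    print("occurrence coverage: %.1f%%" % (100 * coverage(LEAK_SAMPLE, set(TOP_PLAIN))))
    print("distinct coverage:   %.1f%%" % (100 * distinct_coverage(LEAK_SAMPLE, TOP_PLAIN)))
    for pw in TOP_PLAIN + ["films+pic+galeries", "correct horse battery staple"]:
        if looks_like_passphrase(pw):
            print("passphrase-like entry in list:", pw)
```

On the constructed data the two lists disagree on one entry each way, occurrence coverage is 60% while distinct coverage is 50%, and films+pic+galeries is the only passphrase-like entry among the top-list strings; on a real dataset the same checks surface the kind of processing errors the thread describes.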