About that missing 11.1%

By -
In reference to my last post, I just want to remind everyone, (and myself), that with the phpbb.com list I still haven't cracked around 11% of the passwords. For example, I was expecting around 4-8 percent of the people to use special characters in their passwords, but so far less than one percent of the cracked passwords contain special characters, (and please note I don't count non-english letters as special characters). Now imagine if half of the remaining passwords contain a special character. That would mean 5-6 percent of the total passwords contained a special character which would match what I was expecting. Looking at the passwords I'm cracking right now, there's a very good possibility that might actually come true.

That's where plain-text lists of passwords, (such as the MySpace List, silentwhisper.net list, singles.org list, etc), are so useful since they give you a better idea of how people actually create the HARD passwords, vs getting fixated only on the passwords you can crack.

Comments

Post a Comment

Popular posts from this blog

The RockYou 32 Million Password List Top 100

By -
But first, a quick responses to one of the previous comments, (since it really did merit a front-page post). Tfcx posted: The initial vulnerability was posted 29th November on a hacking forum called darkc0de here: http://forum.darkc0de.com/index.php?action=vthread&forum=11&topic=13082 Thanks, as that really helps narrow down the timeframe, (and reading that post and related posts was interesting if a bit depressing). The hack itself appears pretty straightforward once you see it, (like most things once the solution is presented to you it's easy, but finding it in the first place is hard). I'm still interested in the hacker Igigi, and have been tossing about all sorts of theories; but I'll refrain from posting them here since they are all pure WAGs right now. Now on to the main topic: Per Thorsheim wrote: I would like to see a comparison of Twitters 370 banned passwords against the top 370 or so passwords stolen from rockyou (http://www.techcrunch.com/2009/12/27/twi...
Read more

Tool Deep Dive: PRINCE

By -
Image
Tool Name: PRINCE (PRobability INfinite Chained Elements) Version Reviewed: 0.12 Author: Jens Steube, (Atom from Hashcat) OS Supported: Linux, Mac, and Windows Password Crackers Supported:  It is a command line tool so it will work with any cracker that accepts input from stdin Blog Change History: 1/4/2015: Fixed some terminology after talking to Atom 1/4/2015: Removed a part in the Algorithm Design section that talked about a bug that has since been fixed in version 0.13 1/4/2015: Added an additional test with PRINCE and JtR Incremental after a dictionary attack 1/4/2015: Added a section for using PRINCE with oclHashcat Brief Description:   PRINCE is a password guess generator and can be thought of as an advanced Combinator attack . Rather than taking as input two different dictionaries and then outputting all the possible two word combinations though, PRINCE only has one input dictionary and builds "chains" of combined words. These chains can have 1 to N wo...
Read more

New Paper on Password Security Metrics

By -
Image
I'm in Chicago at the ACM CCS conference , and the paper I presented there: "Testing Metrics for Password Creation Policies by Attacking Large Sets of Revealed Passwords", is now available online. Direct Download of PDF View Online Since I had the paper and presentation approved through my company's public release office I was given permission to blog about this subject while the larger issue of my blog is still going through the proper channels. Because of that I'm going to limit my next couple of posts to this subject rather than talking about the CCS conference as a whole, but let me quickly point you to the amazing paper " The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis ", written by Yinqian Zhang, Fabian Monrose and Michael Reiter. In short, they managed to obtain a great dataset, their techniques were innovative and sound, and there's some really good analysis on how effective password expiration poli...
Read more