Reusable Security

A reader asked me through e-mail how much better John the Ripper's Markov models were compared to pure brute force or letter frequency analysis. I knew there was a reason why I put my e-mail address on the side of this blog. That's a great question, since while I'd always had more success with Markov models vs letter frequency analysis, (and certainly brute force), I had never measured the difference before. What type of researcher am I? I better fix that, so let's check it out. Test 4: Markov Models vs. Letter Frequency Analysis vs. Pure Brute Force So in this test I reused the data collected previously in Test 1 using JtR's -incremental mode targeting lowercase letters and numbers, (a-z0-9). I then used the popular tool crunch to run both the brute force and letter frequency analysis, (which I'm going to call LFA), attacks since JtR doesn't support pure brute force, (well there is a bit of a hack, but crunch is easier). For the pure brute force attack I

As promised, let's see how these Hotmail passwords would fare in a real password cracking attack. This post will cover brute force attacks, and I'll make a later post going over the effectiveness of dictionary based attacks. As always, if there is any further attacks/analysis you would like to see run against these passwords, please let me know in the comments. Test 1: John the Ripper Incremental Modes The first test I wanted to run was to use John the Ripper's brute force attack, (aka -incremental). As I mentioned in a previous post , JtR's incremental attack is very powerful and probably as close to an "industry" standard as you will find. For this test, I ran JtR's four different built-in incremental modes, (All, Alpha, Digits, Alnum), against the password set, and let each one run for one billion guesses. While in a real password cracking attack, the attacker would probably run their attacks much longer, (aka try trillions of guesses), I figured a ru

There's been a lot of discussion and analysis of this list on various other sites over the last week. That's actually why I'm so interested in it. It isn't the size. Ten thousand passwords aren't that hard to come across on the net, (as scary as that is). The nice thing though is this password list is becoming sort of a common data-set anyone can work on. This keeps us researchers honest, (If I mess up my analysis someone can easily call me on it), and it gives us a way test competing password cracking techniques in a public environment. First off, I'd like to give Google, E-Bay, and Facebook credit for how they handled this. All three sites suspended user accounts which appeared on the list, (and in the additional 20k list which I'll get to in a second), pending user verification. I don't know the amount of hoops that a user will have to go through to reactivate their accounts, but this step was necessary to protect them. Unfortunately, according to thi

As the title implies, there have been a few other people who have commented on this dataset. Link: Acunetix's Statistics From 10,000 Leaked Hotmail Passwords: Comments: At first I was a bit worried because their numbers didn't match up with mine. It wasn't until later that I realized all of their analysis was only on unique passwords. Aka if three people used the password "monkey123," they would only use that password once when generating their statistics. I disagree with some of their conclusions, but it's certainly worth a read since I can be wrong. Link: The Insecurity of Password Security Comments: The above post was written as a response to Acunetix's analysis, and I think it brings up some good points on how we need to stop blaming the user for not having some 14 character complex password for every single website they go to. There are some details that once again I don't fully agree with, (I'm much more accepting of people writing their pa

Ed note: Ok, I probably should update the title to "30k E-mail Passwords". That teaches me to take my time writing these posts ;) An updated article talking about the additional passwords floating around can be found here . All of the below only deals with the initial 10K passwords that were posted originally, since I haven't been able to find the second 20k list yet. According to Google, there's a third list as well. It's still unknown at this point if all the lists are related or not. So as some of you may have heard, a little over 10,000 hotmail e-mail account/password combinations were publicly posted online around October 1st, with the first news report about it surfacing around October 5th. First off, I'd like to give special thanks to Steve Gadd and Ilya Sokolov for alerting me about this dataset. I'm always open to any help I can get. Luckily I managed to snag a copy of the list before it was deleted from Google cache, though I've seen some

Yup, it's been a month since my last post. Believe it or not, I've actually been fairly busy, both in working on my probabilistic password cracker, and writing up several research papers. That doesn't even begin to get into the stacks of disclosed passwords I've managed to accumulate but I still need to do some analysis of. Of course it's fairly hard to complain about having too many passwords to crack/analyze. It's sort of like having too many girls ask you out. It's a good problem to have. Wow, after rereading the last couple of sentences, I really need to get my priorities in order ;) On that off-topic note though, I figured I should actually make some more of my tools available to the public rather than just boring everyone by talking about crypto. Middle Child is a tool designed to aid in targeted brute force password cracking attacks. The short summary is that I love using John the Ripper's -incremental mode which incorporates the most sophisticate