Monday, April 5, 2010

State of the Blog: April Edition


Well, it looks like after three years of work, I did it. I'm still putting some last minute touches on my dissertation but once that's finalized I'll post a copy. The crazy thing is that after going through all of that, I'm actually more motivated to do research.

So that leads us to this blog. Don't worry, it's not going away. In fact one of my prerequisites for any new job I get is that I need to be allowed to keep on updating here. As far as posts go, I'm going to be shifting away from brute force attacks and start talking about dictionary attacks instead. I know, I've maintained this blog for over a year and I'm only getting to that now...

Let me explain:

1) I'm lazy

2) My main area of study has been designing new ways to represent how people create passwords using probabilistic context free grammars. At its heart this approach is an improvement to standard dictionary based attacks, though I'm currently expanding it to incorporate brute force attacks as well. What it really is though is a fundamentally different way of looking at a password cracking attack compared to traditional rule based methods. This has led to a bit of a problem when talking about traditional dictionary attacks though. Creating a new 10,000 rule John the Ripper config file just doesn't hold that much appeal to me -ed note: yes it does. Ok, what I should say is that it's hard for me to put my full heart into that when all my experiences using probabilistic grammars have been so superior. The issue though is that I've been struggling with a way to convey why they're useful beyond the fact that they can crack more passwords with fewer guesses than traditional methods. Hmm, actually that might work...

Probabilistic Context Free Grammars: More passwords cracked - Fewer Guesses

You can see an older version of it here, though currently that's about a year out of date. Refer to point #1 above. What I really need to do is clean up a newer version and post it online. Right now it's full of debugging code, the user interface is almost non-existent, and the case-mangling algorithm looks like it was written by the lead developer of Windows ME. But it does crack passwords.
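To make the "fewer guesses" idea concrete, here is a small worked example. This is my own toy code added for illustration, not the author's cracker and not the program linked above. It trains a grammar from a constructed password list (base structures such as L6D3, plus digit and symbol terminals with frequencies; alphabetic segments are filled uniformly from a constructed dictionary) and then emits guesses in decreasing probability order with a priority queue, which is the general scheme the paragraph describes. The training set, dictionary and target list are all made up, and the real implementation handles far more than this.

```python
import heapq
import re
from collections import Counter, defaultdict

# Constructed (hypothetical) training passwords, standing in for a leaked list.
TRAINING = [
    "dragon123", "monkey123", "summer123", "master12", "secret12",
    "hello2010", "letmein!", "qwerty!", "alice1", "bob1",
]

# Constructed dictionary used to fill alphabetic (L) segments.
DICTIONARY = ["dragon", "monkey", "summer", "master", "secret", "hello",
              "letmein", "qwerty", "alice", "bob", "admin", "password", "love"]

# Constructed targets to "crack"; two of them can never be produced by
# this grammar (unseen structure L5S1, word 'zebra' not in the dictionary).
TARGETS = ["monkey123", "admin2010", "hello!", "bob1", "zebra99"]

SEGMENT_RE = re.compile(r"[A-Za-z]+|[0-9]+|[^A-Za-z0-9]+")


def parse(password):
    """Split a password into (class, string) segments, class in {L, D, S}."""
    segs = []
    for m in SEGMENT_RE.finditer(password):
        s = m.group()
        cls = "L" if s.isalpha() else "D" if s.isdigit() else "S"
        segs.append((cls, s))
    return segs


def base_structure(password):
    """'password123!' -> 'L8D3S1'"""
    return "".join(f"{c}{len(s)}" for c, s in parse(password))


class PCFG:
    def __init__(self, training, dictionary):
        struct_counts = Counter()
        term_counts = defaultdict(Counter)   # ('D', 3) -> Counter({'123': 3})
        for pw in training:
            segs = parse(pw)
            struct_counts[tuple((c, len(s)) for c, s in segs)] += 1
            for c, s in segs:
                if c != "L":                 # D and S terminals are learned
                    term_counts[(c, len(s))][s] += 1
        total = sum(struct_counts.values())
        # Base structures, most probable first (ties keep training order).
        self.structures = [(st, n / total) for st, n in struct_counts.most_common()]
        # Terminals per (class, length): list of (string, prob), most probable first.
        self.terminals = {}
        for key, counter in term_counts.items():
            n = sum(counter.values())
            self.terminals[key] = [(s, c / n) for s, c in counter.most_common()]
        # L terminals come from the dictionary, uniform within each length.
        words_by_len = defaultdict(list)
        for w in dictionary:
            words_by_len[len(w)].append(w)
        for length, words in words_by_len.items():
            self.terminals[("L", length)] = [(w, 1 / len(words)) for w in sorted(words)]

    def _prob(self, si, idx):
        struct, p = self.structures[si]
        for key, i in zip(struct, idx):
            p *= self.terminals[key][i][1]
        return p

    def _fill(self, si, idx):
        struct = self.structures[si][0]
        return "".join(self.terminals[key][i][0] for key, i in zip(struct, idx))

    def guesses(self, limit):
        """Return up to `limit` guesses in non-increasing probability order.
        Each heap entry is (-prob, structure index, terminal indices, pivot);
        a child may only advance an index at or after the pivot, so every
        combination is generated exactly once."""
        heap = []
        for si, (struct, _) in enumerate(self.structures):
            if any(key not in self.terminals for key in struct):
                continue                     # e.g. no dictionary word of that length
            idx = (0,) * len(struct)
            heapq.heappush(heap, (-self._prob(si, idx), si, idx, 0))
        out = []
        while heap and len(out) < limit:
            _, si, idx, pivot = heapq.heappop(heap)
            out.append(self._fill(si, idx))
            struct = self.structures[si][0]
            for i in range(pivot, len(idx)):
                if idx[i] + 1 < len(self.terminals[struct[i]]):
                    child = idx[:i] + (idx[i] + 1,) + idx[i + 1:]
                    heapq.heappush(heap, (-self._prob(si, child), si, child, i))
        return out


def cracked(model, targets, limit):
    """Targets recovered within the first `limit` guesses, sorted."""
    seen = set(model.guesses(limit))
    return sorted(t for t in targets if t in seen)


if __name__ == "__main__":
    model = PCFG(TRAINING, DICTIONARY)
    for i, g in enumerate(model.guesses(10), 1):
        print(i, g)
    print("cracked in 20 guesses:", cracked(model, TARGETS, 20))
```

Two things worth noticing when you run it: the single-word structures with only one possible terminal (letmein!, bob1) come out first even though a 6-letter word followed by 123 was the most common pattern, because the per-guess probability is spread across six dictionary words; and passwords whose structure never appeared in training are simply never guessed, which is the trade-off a rule-based attack with a catch-all rule does not make.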

I expect the next couple of posts will probably follow along the lines of:
  1. A survey of existing dictionary based attacks available in current password cracking tools
  2. Optimizing JtR's single mode rules for longer password cracking sessions
  3. Using Edit Distance to reverse mangle passwords
  4. The limits of rule based attacks - Alt title: 2 million rule config files are a real pain
  5. Releasing a new version of my JtR config generator - Only one year after I said I would. Refer to point #1 above
  6. Probabilistic password cracking
That doesn't include all of the other topics I might post about depending on my mood. For example, I'm really tempted to do a detailed write-up of all the cloud based password cracking options available. Interesting times.

Marc Ruef said...

Very nice article! I like your practical approach of determining the efficiency of different rule-sets. Keep up the great work!

Matt Weir said...

Hey thanks!