Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Online commonly used password database
From: "Lee Brotherston" <lee.brotherston () uk easynet net>
Date: Thu, 14 Mar 2002 23:07:06 -0000

| Of course I could be barking up a well worn tree.  In that case I'd
like to
| see what work has been done in this area.

I'm sure people will disagree with me on this.  But I think that by
submitting passwords found in the wild that are not dictionary words,
other than those that are fairly standard guessable passwords (nouns,
in phrases "aybabtu, ph34r, etc", l33tspeak "p455w0rd"), you will just
end up in manually creating a list of the full range of passwords that
you would get by just running: john -i:all -stdout

Wordlists are good, but the idea is to put the most common words in
there so that these can be tried first, before your brute forcer goes
and tries all number/letter/punctuation combinations.  So essentially
it does do the monkeys with typewriters thing without you needing to
list the words.

I would say that a wordlist should be restricted to dictionary words,
nouns, really common passwords, etc then using something like John you
can get all those permutations that you want.  Infact taking john as
an example again, I think that their algorithm even does it's
permutations in a specific order to auto-generate the combinations
found in the wild most frequently first (but don't quote me on that

Anyway, enough of my babble ;)


Lee Brotherston  -  IP Security Manager, Easynet Ltd
http://www.easynet.net/         Phone: +44 20 7900 4444

This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]