Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20120415225358.GA32495@debian>
Date: Mon, 16 Apr 2012 02:53:58 +0400
From: Aleksey Cherepanov <aleksey.4erepanov@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: Finding words on which passwords are based

On Sun, Apr 15, 2012 at 11:53:29PM +0200, Frank Dittrich wrote:
> On 04/15/2012 11:10 PM, Aleksey Cherepanov wrote:
> > During the contest there were a lot of passwords based on words related to the
> > contest. Most (if not all) of that were available on the contest's site.
> > 
> > So if we know that we crack password from some company we could try to use
> > words from this company's site or even from sites related to it's subject.
> > 
> > It is a guess. Though automatic site ripper could be helpful.
> 
> As long as you'll have either passwords being built using simple
> mangling rules or many saltless hashes or fast hashes, the most commonly
> used passwords usually turn up very fast during the initial cracking
> attempts, because they are often part of larger word lists.
> Then, it is just a matter of seeing a pattern and finding more relevant
> words.
> So it often doesn't matter that much which basic words are favored,
> "pocket monsters" or something else.
> Once you have identified these favorite words, you can try more and more
> complex mangling rules on them.
> 
> 
> If you crack passwords from some company, those basic words could be
> brand names, names of cities or streets where subsidiaries of this
> company are located, and so on.
> 
> Depending on password policy, even month names (not just the English
> ones, especially for international companies) or their abbreviations
> also make good basic words.
> Since the list of month names is extremely short (especially if you
> first concentrate on those names that are used in multiple languages),
> you can use a ridiculous amount of crazy mangling rules on those
> passwords, and still be very effective cracking new passwords.
> It would probably even make sense to try appending month names or their
> abbreviations to all previously cracked passwords (start with most
> frequently used passwords), use month names as password prefix, or
> insert the month name somewhere in the middle...
> 
> And of course, first names are an all-time favorite for building passwords.
> Use a list sorted by frequency, like collected here:
> http://downloads.skullsecurity.org/passwords/facebook-firstnames-withcount.txt.bz2
> Apply more complicated mangling rules only on the top n names (the size
> of n also depends on the hash type), apply simpler rules to a larger set
> of names.
> Find out which names are frequently used in passwords, and apply more
> rules on those.
> Find out which rules are used frequently, and apply those on a larger
> list of names or on other word lists...

So we should find basic words, find their full list if possible (like with
pokemons), apply mutations on them including rules and word combination
(probably from lists of basic words of different kinds), right?

Also it could be handy to have different prepared lists. I think it is like
prepared wordlists but more general. Probably we could rip wikipedia for such
lists with good quality.

Or we could even make dynamic basic words list finder that finds full list on
the internet using human-like methods like google or our own search local
engine (filling its database is similar to preparing lists).

Regards,
Aleksey Cherepanov

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.