Message-Id: <32FD7DBC-366D-4C54-AF5E-14AC2A512438@gmail.com>
Date: Wed, 26 Aug 2015 06:43:27 -0400
From: KZug <kzug10@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: Anyone looked at the Ashley Madison data yet?

(some) Replies in line. Edited and compiled for length.

> First, obviously you're doing this for research (and not e.g. for having
> anyone's account anywhere compromised to any greater extent). What kind
> of research is that? What would you like to find out, and why?

— Let me be very clear, this is ABSOLUTELY NOT to Pastebin the results, or to add injury to insult to AM’s clients: they have already been victimized twice, no need to add other layers. The only ones I would be willing to share results with, besides participants, are *bona fide* academics, the JTR Dev team, or proven Sec researchers, i.e. Mr. Matt W. et al. I don’t have a “n0m d3 9uerre” and don’t intend to get one. Freeriders and “I can has da list pleeez” are going to be disappointed.

> Is this to get as many passwords cracked as you can, and then state this
> figure

- password analysis, attempting to find, if any: new trends in passwords, new or more efficient rules, or compile better WL

> e.g., "0.1% of the bcrypt hashes in the dump cracked in 7 days"
> (totally arbitrary figures, but these feel realistic to me based on what
> was said so far)? So that e.g. academic publications on password security
> have some figure to refer to for the case of very slow salted hashes
> without a password policy

— Nothing jaw dropping here, the usual “No Password Policy” leads to a plethora of “123456” and their brothers. Moore’s law does not apply to the human brain.

> and with related information available for
> each account in a multi-million password hash dump (these are the factors
> that I think are primarily determining the success rate). If so, you
> may accept contributions from about anyone.

> On Aug 26, 2015, at 01:49, Solar Designer <solar@...nwall.com> wrote:
>
> Actually, for a likely top 100 list from a 100k sub-list, you don't need
> a community effort. This can be done by one person using one machine in
> a few days. Just take a few hundred top passwords from existing such
> lists, add four lines:
>
> ashley
> madison
> Ashley
> Madison

— Already done a few days ago. :) Thanks. @shley, ashl3y, a5hley, @shl3y, etc., etc.

> and run it until completion against the 100k sample (it's crucial to
> "shuf" the original list before you extract this sample). Out of the
> four lines I suggested adding, I guess the all-lowercase ones are
> somewhat likely to appear in top 100. The capitalized ones probably
> aren't popular enough, but are worth testing as well (can't rule out
> them being in top 100 without testing).
>
> To test 300 candidate passwords against a 100k sample at 50 c/s (one
> modern quad-core CPU), you need:
>
> 300 * 100000 / 50 / 86400 = ~7 days

I’ll then need 30 days :\ or to figure out that abort trap 6 error @ GWS 32. Bis repetita…

> 300 is probably … (edited) … enough in
> that sample to potentially be in top 100 then tested against the 100k
> sample. Then it's just a day more.
>
> So it's unclear if a community effort is justified.

— I would not bother if it wasn’t that slow. A lot of people are probably testing the same rules against the same hashes over and over again. It’s about efficiency.

> For a top 100 list,
> if desired, someone just needs to do it right. And doing it right is
> more important than testing a larger candidate password list against a
> larger sample.

— Understood and agreed.

— Thank you for the answers.

> Alexander
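The sampling and cost arithmetic in the exchange above, written out as an added Python example that is not part of the thread and not John the Ripper code. It does no hashing at all: the "dump" is a constructed list of placeholder strings, the leet substitution table is an assumption chosen only to reproduce the variants KZug names, and the point is the budget model Alexander states (time = candidates × sample size ÷ c/s), its inverse (how many candidates a fixed number of days buys), and why the list has to be shuffled before a sample is cut from it. The numbers show why a slow salted hash such as bcrypt keeps even a modest candidate list expensive, which is the defensive argument for using it.

```python
import itertools
import random

# Constructed placeholder list standing in for the hash dump; the thread
# shows no real hashes and these strings are not valid bcrypt output.
CONSTRUCTED_DUMP = [f"$2a$12$placeholder{i:06d}" for i in range(1000)]

# Assumed substitution table, picked so that the variants named in the
# reply ("@shley", "ashl3y", "a5hley", "@shl3y") are all generated.
LEET = {"a": "@4", "s": "5$", "e": "3", "i": "1!", "o": "0"}


def sample_hashes(hashes, k, seed=0):
    """Shuffle a copy of the dump, then take the first k entries.

    This is the 'shuf first, then extract' step from the thread: cutting
    the first k lines of an unshuffled dump would bias the sample toward
    whatever ordering the dump happens to have (signup date, user id...).
    The seed only makes the example reproducible.
    """
    pool = list(hashes)
    random.Random(seed).shuffle(pool)
    return pool[:k]


def expand_candidates(words):
    """Every variant of each word in which each substitutable letter is
    either kept or replaced by one of its LEET characters; the unchanged
    word is always included because every position may be kept."""
    variants = set()
    for word in words:
        choices = [[ch] + list(LEET.get(ch, "")) for ch in word]
        for combo in itertools.product(*choices):
            variants.add("".join(combo))
    return sorted(variants)


def estimate_days(n_candidates, n_hashes, cps):
    """Wall-clock days to test n_candidates against n_hashes at cps
    candidates per second, i.e. the 300 * 100000 / 50 / 86400 figure."""
    return n_candidates * n_hashes / cps / 86400


def candidates_within_budget(days, n_hashes, cps):
    """Largest candidate list that finishes within `days` against
    n_hashes at cps; the inverse of estimate_days, rounded down."""
    return int(days * 86400 * cps / n_hashes)


if __name__ == "__main__":
    sample = sample_hashes(CONSTRUCTED_DUMP, 100)
    cands = expand_candidates(["ashley", "madison", "Ashley", "Madison"])
    print(f"sample of {len(sample)} hashes, {len(cands)} candidate variants")
    print(f"300 candidates vs 100k sample at 50 c/s: "
          f"{estimate_days(300, 100_000, 50):.1f} days")
    print(f"a 7-day budget at 50 c/s vs a 100k sample fits "
          f"{candidates_within_budget(7, 100_000, 50)} candidates")
```

Plugging in the thread's own figures gives 6.9 days for 300 candidates, and the inverse shows that the same 7 days buy only 302 candidates against a 100k sample; a machine 4x slower, as in KZug's "30 days", buys correspondingly fewer, which is why the advice is to choose a small candidate list carefully rather than to enlarge it.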