Nmap Development mailing list archives
Replacing passwords.lst
From: Ron <ron () skullsecurity net>
Date: Thu, 4 Mar 2010 16:24:03 -0600
Hey, I spent a lot of time this week working on the passwords leaked from Rockyou.com and seeing what kind of information I could get from it. It's a beautiful cross section because there were no password policies or anything like that and over 32.6 million were leaked -- perfect for stats!

My extended writeup (including a graph!) is here: http://www.skullsecurity.org/blog/?p=516

But here's what it really comes down to. Right now, we have a password dictionary of 200 passwords included with Nmap. According to my stats, trying those passwords would have cracked 4.30% of the passwords used by Rockyou.com users. If I take the top 200 passwords leaked from Rockyou.com, they would have cracked 13.71% of all accounts -- three times as many. If we take the top 500 passwords, we could have cracked 19.82%. If we drop down to the top 20 passwords, we could crack 5.67% of accounts -- slightly more than our current list, with only 10% of the list.

Here's the full table I generated:

  Count   Coverage
      1     2.03%
      2     2.58%
      5     3.88%
     10     4.66%   <-- what we're at now (approx)
     20     5.67%
     50     7.83%
    100    10.34%
    200    13.71%   <-- what we could be at without resizing
    500    19.82%
   1000    25.68%
   2000    32.60%
   5000    42.62%
  10000    50.68%
  20000    59.33%
  50000    72.40%

I put links to each cutoff point in my blog, so feel free to have a look.

I think the passwords leaked by Rockyou.com are indicative of what typical passwords look like, and we should therefore replace Nmap's password.lst file with a version generated from Rockyou.com.

Thoughts?

--
Ron Bowes
http://www.skullsecurity.org
http://www.twitter.com/iagox86
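An added example, not part of Ron's post or of Nmap: a small Python script that produces the kind of coverage table above from a password corpus. It ranks passwords by frequency, reports the fraction of accounts covered by the top N at each cutoff, and measures what an existing wordlist would have covered. The corpus and the wordlist below are constructed for the demonstration, not real leak data.

```python
from collections import Counter
from typing import Iterable, List, Tuple

# Constructed sample corpus standing in for a leaked dump (made-up counts).
SAMPLE_PASSWORDS = (
    ["123456"] * 20 + ["password"] * 10 + ["iloveyou"] * 8 + ["princess"] * 5
    + ["rockyou"] * 4 + ["abc123"] * 3 + ["qwerty"] * 2
    + ["monkey", "letmein", "dragon", "sunshine", "football", "trustno1", "shadow", "master"]
)

# Cutoff sizes to report, as in the table from the post.
CUTOFFS = [1, 2, 5, 10, 20, 50, 100, 200, 500, 1000]


def rank_passwords(corpus: Iterable[str]) -> List[Tuple[str, int]]:
    """Most-used passwords first; ties broken alphabetically so the ranking is stable."""
    counts = Counter(corpus)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def top_n(corpus: Iterable[str], n: int) -> List[str]:
    """The candidate replacement wordlist: the N most common passwords."""
    return [pw for pw, _ in rank_passwords(corpus)[:n]]


def coverage_table(corpus: List[str], cutoffs: Iterable[int]) -> List[Tuple[int, float]]:
    """For each cutoff N, the fraction of accounts whose password is in the top N.

    Cutoffs larger than the number of distinct passwords simply saturate at 1.0.
    """
    ranked = rank_passwords(corpus)
    total = len(corpus)
    return [(n, sum(c for _, c in ranked[:n]) / total) for n in cutoffs]


def list_coverage(corpus: List[str], wordlist: Iterable[str]) -> float:
    """Fraction of accounts an existing wordlist (e.g. a bundled 200-entry list) matches."""
    words = set(wordlist)
    return sum(1 for pw in corpus if pw in words) / len(corpus)


if __name__ == "__main__":
    # Constructed stand-in for an existing wordlist, to compare against the top-N list.
    existing_list = ["password", "qwerty", "letmein", "nothere"]
    print("  Count  Coverage")
    for n, cov in coverage_table(SAMPLE_PASSWORDS, CUTOFFS):
        print(f"{n:>7}  {cov:7.2%}")
    print(f"existing list ({len(existing_list)} entries): "
          f"{list_coverage(SAMPLE_PASSWORDS, existing_list):.2%}")
    print("top 3 would be:", top_n(SAMPLE_PASSWORDS, 3))
```

To run it on a real dump, replace SAMPLE_PASSWORDS with the lines of the file (one password per line); the ranking and coverage functions are unchanged.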
Current thread:
- Replacing passwords.lst Ron (Mar 04)
- Re: Replacing passwords.lst Brandon Enright (Mar 04)
- Re: Replacing passwords.lst Ron (Mar 05)
- Re: Replacing passwords.lst David Fifield (Mar 05)
- Re: Replacing passwords.lst Brandon Enright (Mar 05)
- Re: Replacing passwords.lst Brandon Enright (Mar 05)
- Re: Replacing passwords.lst Ron (Mar 05)
- Re: Replacing passwords.lst Kris Katterjohn (Mar 05)
- Re: Replacing passwords.lst Ron (Mar 05)
- Re: Replacing passwords.lst Ron (Mar 05)
- Re: Replacing passwords.lst Brandon Enright (Mar 05)
- Re: Replacing passwords.lst Fyodor (Mar 06)
- Re: Replacing passwords.lst Brandon Enright (Mar 04)