Re: Replacing passwords.lst

[David Fifield <david () bamsoftware com>]

On Fri, Mar 05, 2010 at 09:19:19AM -0600, Ron wrote:
> On Thu, 4 Mar 2010 22:27:16 +0000 Brandon Enright <bmenrigh () ucsd edu>
> wrote:
> > Ron, what percentage of the PHPBB password would we crack with the
> > current 200 versus your new suggested 200?  Do we see a similar
> > increase?
> Surprisingly, there doesn't seem to be a strong correlation between the rockyou passwords and the phpbb passwords. 
> The top 500 phpbb passwords almost all appear somewhere on the rockyou list, but there doesn't appear to be a strong 
> correlation between the rankings. That being said, the top 1000 Rockyou.com passwords would crack 742 phpbb 
> passwords. The passwords just aren't in the top 1000 phpbb passwords -- they're all over the place. 
>
> I think the problem is the scales. phpbb only has 30,000 or so passwords (correct me if that's wrong), so it isn't a 
> huge statistical base. Rockyou.com, on the other hand, had 33,000,000 passwords, 1000x more, which gives a much 
> better base for statistics. 
>
> Anyway, enough talking, I'll give some raw numbers. I took the stats as, "The top X Rockyou.com passwords would crack 
> Y phpbb passwords" -- this doesn't take volumes into account. 
>
> Rockyou_PWs  Cracked_phpbb
> 10           9
> 100          93
> 200          182
> 500          413
> 1000         742
> 5000         2118
> 20000        3583
> 50000        4492

And what does the Cracked_phpbb column look like with the top 10, 100,
and 200 passwords from current passwords.lst?

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/