Nmap Development mailing list archives
Re: Replacing passwords.lst
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Sat, 6 Mar 2010 00:09:14 +0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Fri, 5 Mar 2010 14:52:20 -0600 Ron <ron () skullsecurity net> wrote:
On Fri, 5 Mar 2010 11:46:07 -0700 David Fifield <david () bamsoftware com> wrote:And what does the Cracked_phpbb column look like with the top 10, 100, and 200 passwords from current passwords.lst?So, this morning I was using Excel and doing a lot of old tricks I learned in the before times. It looks like the results weren't 100% accurate -- I'm using some Linux tools now and I'm getting different (better!) results. I'll post the command that generated all these after:
[...]
That's actually really surprising -- Nmap's list kicked ass against Myspace, followed by Rockyou, John, and Cain&Able. phpbb was a much closer run -- pretty much a tie between Rockyou and John, followed by Nmap then Cain&Able. On the Hotmail passwords, which are more difficult because Hotmail actually has password policies, the Rockyou.com passwords were the clear winners.
Okay so I have another list we can test against (100k user accounts). A password complexity policy was in place for this list so the passwords are "higher quality" garbage. Since nearly all the passwords in this list don't meet the complexity requirement I ran with "--rules" from John 1.7.3.4 Attached are the results an an image, also available here: http://noh.ucsd.edu/~bmenrigh/list_quality.png The result is that RockYou is the best but John and PHPBB are really good too. I'm pretty sure we can make a hybrid dictionary that weights the lists. That is, weight RockYou at say 70%, and John and PHPBB at 15% and then take the top 70% (of 200) passwords from RockYou and then the top 15% (of 200) from PHPBB and John that aren't already in the top 70% RockYou. We can probably determine the weights empirically by testing against my list, the hotmail list, the myspace list, etc. Brandon -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (GNU/Linux) iEYEARECAAYFAkuRnTEACgkQqaGPzAsl94J+zQCfezby1eo+pf7mcwQk0BTLpdS/ ICcAoIpZOv6jPFw5bOpUxWEPhkLX2Y5G =lSOs -----END PGP SIGNATURE-----
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Replacing passwords.lst Ron (Mar 04)
- Re: Replacing passwords.lst Brandon Enright (Mar 04)
- Re: Replacing passwords.lst Ron (Mar 05)
- Re: Replacing passwords.lst David Fifield (Mar 05)
- Re: Replacing passwords.lst Brandon Enright (Mar 05)
- Re: Replacing passwords.lst Brandon Enright (Mar 05)
- Re: Replacing passwords.lst Ron (Mar 05)
- Re: Replacing passwords.lst Kris Katterjohn (Mar 05)
- Re: Replacing passwords.lst Ron (Mar 05)
- Re: Replacing passwords.lst Ron (Mar 05)
- Re: Replacing passwords.lst Brandon Enright (Mar 05)
- Re: Replacing passwords.lst Fyodor (Mar 06)
- Re: Replacing passwords.lst Ron (Mar 06)
- Re: Replacing passwords.lst David Fifield (Mar 06)
- Re: Replacing passwords.lst Martin Holst Swende (Mar 06)
- Re: Replacing passwords.lst Brandon Enright (Mar 04)
- Re: Replacing passwords.lst David Fifield (Mar 12)
- Re: Replacing passwords.lst Fyodor (Mar 12)
- Re: Replacing passwords.lst David Fifield (Mar 16)
- Re: Replacing passwords.lst Brandon Enright (Mar 16)
- Re: Replacing passwords.lst David Fifield (Mar 16)
- Re: Replacing passwords.lst Brandon Enright (Mar 16)